SIM Card Swapping
08-02-18: The Newest Security Threat – SIM CARD Swapping - The Scam:
We have become aware of a relatively new threat to your security from scammers who have figured out how to hijack your cell/smart phone number from your phone and move it onto one of their phones by electronically “swapping out” your sim card. A sim card is an electronic chip inside a phone that: has an ID No. unique to the owner, stores personal data, allows for connection to cell towers, prevents phone operation if removed or disabled.
This scam then effectively allows bad actors to control your cell phone number, access the accounts that are connected to your cell phone and turn your phone into a brick. Their objective is to steal your usernames and passwords for social media apps like Instagram and Twitter, etc. This is done in order to sell them to someone else for Bitcoin. These bad actors will gain access to your email contact lists, banking websites, and your Facebook, Amazon, eBay, PayPal, Netflix and Hulu, etc. accounts. Since they effectively have your cell phone, most security measures including two factor authentication become virtually useless, if you use your cell number as the recovery number.
Of course, identity theft is also a significant byproduct of this scam. Here is a quote from an in depth article about this scam, “With someone's phone number,” a hacker who does SIM swapping “…can get into every account the (person) own(s) within minutes and they can't do anything about it.” Lastly, much of the problem is rooted in the ability of the scammers to sweet talk, coerce, or pay off cell phone carrier tech support staff so as to get their cooperation in completing the sim card swap. Links to the articles that define the problem and offer in depth solutions appear at the end of this notice. And, a summary of suggested remedies appears below in the section labeled “Counter Measures and related issues”.
This threat is expected to gain momentum over the next year or so and as a consequence, more and more people will be impacted. The hacker’s job has been made much easier in part as the result of the FAILURE of Equifax to properly protect the sensitive data of about 143 million Americans. Since there is a very good chance that your name, address, date of birth, and Social Security Number are now commodities for sale on the dark web, you are significantly less safe overall, and even more so with respect to this scam in particular. Just a quick side note: The US Congress has imposed NO significant penalties against any of the major credit reporting bureaus for their slipshod approach to security, NOR has the Congress insisted on any major security changes in order to better protect sensitive consumer information. Thanks Congress, another job well done!
Counter Measures and related issues:
Today many people are dependent exclusively on their smart phones and have eschewed having an old fashioned land line or even using VoIP (Voice over Internet Protocol). VoIP requires that voice communication work via an internet connection using services from providers like Vonage, or Ooma, etc.; as well as internet and TV service providers such as Comcast, CenturyLink, and Spectrum who also offer digital phone service. Users who have a land line or use VoIP are less at risk than users who depend exclusively on a Cell/Smart phone.
- Since, as indicated above, the user IDs and passwords for the major social media sites are prime targets, perhaps it would be wise to reconsider how really important having Instagram, Twitter, Facebook, and the rest of the social media accounts are to you, in light of the potential for sim card hijack, and identify theft, etc.
- The major cell phone carriers (service providers) are aware of the sim card swap scam and are addressing it in a variety of ways. We recommend that you contact your carrier to get a specific indication of what is being done to protect you. Ask too about what they are doing regarding insider collusion.
- Make certain you add a PIN to your smart phone account to protect your phone. You will need to contact your carrier in order to do this.
- Don’t link your cell number to any of your online accounts and remove the ones that may be currently linked.
- Use a VoIP number or Google voice number instead of a cell phone number to maximize your safety.
- Don’t use a cell number as one of your account recovery options; that type of usage increases your vulnerability.