How to Prevent and Respond to SIM Swap Fraud

When ZDNet’s Matthew Miller was subjected to a SIM swap attack, he described it as a “gruesome story” that caused him to lose “decades of data.” And he’s not exaggerating; More than a week later, he is still grappling with the fallout, and some of the big tech players, including Twitter and Google, make no guarantees that he will ever be able to regain access to what his attackers have messed up.

Replacing a SIM is a big deal, especially if you are also active in the cryptocurrency community – a great way for an attacker to make some money and ruin your life. Fortunately, a few small security tweaks to your account can help reduce the likelihood that this annoying issue will ever ruin your day (or month).

What is SIM swapping?

SIM swapping suggests that a hacker is tricking your carrier into believing that you are activating your SIM on another device. In other words, they steal your phone number and associate it with their SIM card.

If successful, this attack will deactivate your device, and now its device will be the destination for all text messages, phone calls, data and accounts associated with your phone number and SIM card. With this information, an attacker can easily gain access to your app accounts, personal data, and financial information. They may even permanently block you from accessing your services.

Think about how many apps and accounts use your phone number to verify your identity – and not even when you log in with your username and password that an attacker won’t know, but the recovery mechanisms themselves that you would use to reset. this is the key information. All the account security in the world won’t do much good if an attacker can pretend it’s you just by taking your phone number.

What a SIM swap scam looks like

A person doesn’t need physical access to your phone to replace a SIM card – they can do it all remotely, regardless of the make and model of your device or your service provider. They just need to have enough information to convince the support agent that they are you. You may not see a SIM swap scam until it’s too late.

The easiest way to say that you have become the target of a SIM replacement is when you see strange behavior on your phone, such as the inability to send or receive text messages and calls, even though the service is not disabled; receiving notifications from your provider that your phone number or SIM card has been activated elsewhere; or inability to log into any of your important accounts. Consider this recent example from Matthew Miller from ZDNet:

“At 11:30 pm on Monday June 10th, my oldest daughter shook my shoulder to wake me up from my deep sleep. She said it looks like my Twitter account has been hacked. It turns out that things were much worse.

Jumping out of bed, I grabbed my Apple iPhone XS and saw a text message: “T-Mobile Warning: SIM card for xxx-xxx-xxxx has been replaced. If this change is not authorized, call 611. ” Well, considering how T-Mobile took my cell phone, I couldn’t call 611 for help, so it’s a useless message. “

Prevent SIM Swap Attack

It is much easier to set up protection against a SIM swap attack right now than to deal with the consequences of the first attack: one nuisance is insignificant, the other will take you a week (or more).

Beware of phishing attacks

The first step in a SIM swapping attack is usually (but not always) phishing. Sketchy emails with malicious links, fake login screens, fake address bars – there are many forms that phishing scams can take, but they are easy to spot if you know what to look out for . Don’t click links, download programs, or enter unfamiliar websites. If an attacker obtains enough key data about you as a result of these attacks, they will have everything they need to try to replace the SIM card.

Reduce Excessive Personal Data Online

Whether in addition to phishing or instead of phishing, the other early part of replacing a SIM involves social engineering – basically collecting as much data as possible about you so that a hacker can reliably transmit to you by phone or email.

To prevent this from happening, keep your phone number, date of birth, mailing address and all other incriminating information in as many of your accounts as possible, and do not share this information publicly if you can avoid it. Some of this data is required for certain services, but you do not need any of it to be searchable on social networks. You should cancel and delete any accounts you no longer use as an extra precaution.

Protect your accounts

Many digital accounts have settings that can help you get your accounts back if they are ever stolen, but they must be set up correctly before the account is stolen in order to be of any help. They can include:

  • Create a PIN required to log in and change your password. This is especially important to configure your network operator , since it is an excellent protection against theft of SIM-card.
  • Suitable two-factor security method based on the use of a physical device, such as Google Authenticator or Authy, rather than checking inputs to the system based on SMS. You can also purchase a Security Key to protect their accounts, if you want to really understand.
  • Precise answers to the restoration of security , which are not associated with your personal information .
  • If possible, unplug the phone number of your smartphone from your accounts. (You can always use a toll-free number Google Voice, if you need it for your sensitive accounts.)
  • Using a long, random and unique passwords for each account.
  • Use encrypted passwords manager .
  • Do not use your favorite services (Google, Facebook, etc. D..) To access the other services; all you need attacker – a hack of one of them to gain access to more of your digital data.

You should also pay attention to important information relating to, for example, an account that can be used to identify you as the rightful owner of the account:

  • Month and year the account is created.
  • Previous screen names in your account
  • Physical addresses associated with your account
  • Credit card numbers are used in the accounts or extracts from the bank, which can confirm that you have made a purchase.
  • Content created accounts, such as names of the characters, if the account is designed for online video games.

Similarly, maintaining a list of all your critical accounts will simplify the response to the replacement SIM-card or similar identity theft because you can safely scour every account and change passwords, email addresses, etc. D. securely store all of this information -. Maybe even as a physical print a text file – rather than keep it in the service associated with the digital object (which can be cracked).

Decentralizes its mark on the Internet

Consider using encrypted applications and services with open source, and not only apps from Google, Apple, Microsoft, to spread important data, and the most sensitive data is stored in the maximum security areas. This applies to e-mail, instant messaging applications, banking applications, etc. D. Google Drive and the iCloud -. That’s fine, but if it is combined on one disc – including personal financial information, etc. D. -. You screwed up.

In addition, you should fully keep certain records beyond the clouds. Do not dispose of tax returns to your Google Drive, so that if someone has gained access, they suddenly came to a huge number of sensitive information about you (and a lot of information that they could use to pretend they’re). And please, no matter what, do not store your list of common passwords, backup input keys in the system, PDF-file to restore your account manager passwords in a simple cloud storage account.

How to respond to the attack swap SIM-card

If you suspect that you have been the victim of SIM-card or any form of identity theft quickly, follow these steps:

  • To submit reports on the identity theft to the local police department and the Federal Trade Commission.
  • Tell banks / financial institutions to report on the potential of the individual and request to hold your bills and bank cards, and contact all three credit bureaus (Experian , Equifax and TransUnion ), to request the blocking of your loan and to identify potential credit fraud. If you suspect that your tax identification or social security number is compromised, contact the IRS. You might even want to change your bank account number or credit card, just in case.
  • Report the identity theft to their service provider. However, keep in mind that if you can not prove enough that it happened, and that you are the rightful owner of the account, they may not be able to do a lot (since the hacker as your phone number, and all).
  • If you have a stand-alone / analog list of your accounts and their information, change your email address and password for each account (make sure that the new email address is not tied to your phone number; best new) and update the security of any other account recording. measures. The most important place to start – it’s your address (es), e-mail and financial institutions, including PayPal, Venmo and so D., and any accounts linked to your phone number or a Google / Apple accounts..
  • Important: if you have the opportunity, do not submit a verification code or a link to reset your phone number. They will be sent to the attacker, not you.
  • If you can not log in to your account and reset the password as soon as possible, contact the customer support that account and explain the situation. You will be asked to verify their identity, so the presence of an increasing amount of information about your account to help you regain control.

More…

Leave a Reply