When Jack Dorsey started sending out a string of unusual tweets in September, it was clear that his account had been hacked. How did the attacker gain control of Twitter’s CEO’s account for almost 20 minutes?
Twitter said hackers gained access to Dorsey’s profile by effectively stealing his mobile phone number which was compromised due to a “security oversight” by the carrier. While the company didn’t use the phrase “SIM swapping” in its statement, security experts attributed the attack to this increasingly popular tactic. Days later, the same thing happened to actress Chloe Moretz, who has over 3 million followers.
A SIM swap scam is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone. To carry out a SIM swap, a scammer who has obtained the victim’s phone number and other personal information calls the wireless carrier pretending to be the victim and requests that the number be transferred to a new SIM card. If the impersonation succeeds, which could involve providing the victim’s birth date or mother’s maiden name, the attacker can start logging into various services, like Twitter, and changing passwords.
Having taken control of the phone number, the attacker receives the messages carrying one-time passwords, negating the effectiveness of two-factor authentication. A group calling itself “the Chuckling Squad” claimed responsibility for the two attacks against Dorsey and Moretz, along with attacks on other Internet personalities like James Charles and Shane Dawson.
While Twitter has suffered the most high-profile attacks, Facebook, LinkedIn, and Pinterest rely on similar security measures, leaving their sites open to SIM hijackers wanting to wreak havoc. Other times hackers have more nefarious intentions such as accessing a victim’s banking credentials. For Twitter, SMS hijacking is uniquely problematic because it has a feature that allows users to tweet by sending a text to the service.
There are options for multifactor authentication that don’t involve text messages. For example, on Twitter, users can enroll an authenticator app such as Google Authenticator, Duo, or Microsoft Authenticator. They can also purchase a physical security key, like YubiKey, which plugs into a computer’s USB port and verifies a user’s identity. It is also recommended that users set up a VoIP number tied to a cloud-based service like Google Voice rather than to a specific phone, since such a number cannot be moved to a new SIM card by the carrier.
Twitter temporarily turned off the SMS capability after Dorsey’s account was hacked but then turned it back on in some places “that depend on SMS to tweet.” A Twitter spokesperson declined to say which countries have regained access to the feature.
Phone carriers are also responsible for the hack.
SIM swapping has become popular enough to attract the attention of law enforcement officers. The REACT task force, a partnership of local, state, and federal agencies based in Silicon Valley, has been focused on SIM swapping for more than a year. In May, nine people from a hacking group were charged with using SIM swapping to steal over $2.4 million in cryptocurrency.
Some of those accused, who worked for AT&T and Verizon, were charged with helping outside criminals obtain phone numbers in exchange for bribes. Their involvement underscores the central role that phone carriers, along with large Internet companies, play in weeding out SIM swapping.
It’s not just a few rogue workers that are of concern. SIM swapping typically involves scammers using deceptive practices to persuade a call center employee to move a number to a new SIM card. As long as humans are included in the equation, gullibility is a risk.
Carriers have addressed the matter by encouraging or requiring customers to establish a PIN on their account. If a would-be hijacker doesn’t know the associated PIN, the transfer of the phone number can’t take place.
Sprint and AT&T allow users to create a passcode online, while Verizon requires it. Early last year, T-Mobile sent out a warning to customers recommending that they establish passcodes and describing PIN hijacking as “a scheme that is affecting the entire wireless industry.”
However, PIN codes aren’t foolproof; hackers have ways to find them if they’re written down or stored somewhere. AT&T declined to comment on what additional measures it’s taking, and representatives from Verizon didn’t respond to requests for comment. Sprint encourages its customers to set up a unique PIN code. If someone attempts to perform a SIM swap, they’re required to authenticate their account by providing a PIN or answering a security question.
In other parts of the world, carriers are increasingly working with banks to perform real-time SIM swap checks to prevent fraud and abuse. With this remedy, carriers set up a system through which banks can check phone records for any recent SIM swap requests tied to the number on a particular bank account. If a recent SIM swap is detected, the bank can hold the transaction and prevent fraudulent transfers from taking place.
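As an added example (not code from the article or from any carrier or bank), here is the kind of check that remedy implies, in Python. The SIM change log is a constructed sample and the 72-hour risk window is an assumed policy value; a real deployment would query the carrier’s records instead.

```python
from datetime import datetime, timedelta

# Constructed sample of carrier-side SIM change records (not real data):
# phone number -> ISO timestamps at which the number was moved to a new SIM.
SIM_SWAP_LOG = {
    "+15551230001": ["2019-09-01T14:05:00"],  # swapped the day before a transfer
    "+15551230002": ["2019-06-10T09:30:00"],  # swapped months earlier
    "+15551230003": [],                       # never swapped
}

# Assumed policy: a swap inside this window makes SMS untrustworthy as a factor.
RISK_WINDOW = timedelta(hours=72)


def last_sim_swap(phone, log=SIM_SWAP_LOG):
    """Most recent SIM swap for a number as a datetime, or None if none."""
    stamps = [datetime.fromisoformat(s) for s in log.get(phone, [])]
    return max(stamps) if stamps else None


def assess_transfer(phone, requested_at, window=RISK_WINDOW, log=SIM_SWAP_LOG):
    """Decide whether an SMS-verified transfer may proceed.

    requested_at is an ISO-8601 string. Returns (decision, reason), where
    decision is "allow" or "hold"; "hold" means the bank should confirm the
    customer through a channel other than the phone number before paying out.
    """
    requested = datetime.fromisoformat(requested_at)
    swap_at = last_sim_swap(phone, log)
    if swap_at is None:
        return "allow", "no SIM swap on record"
    age = requested - swap_at
    if age < timedelta(0):
        # A swap dated after the request means clock skew or bad data: fail closed.
        return "hold", "SIM swap recorded after the transfer request"
    if age <= window:
        return "hold", f"SIM swapped {age} before this request"
    return "allow", f"last SIM swap was {age} ago"


if __name__ == "__main__":
    for number in SIM_SWAP_LOG:
        print(number, assess_transfer(number, "2019-09-02T10:00:00"))
```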
The key to protecting yourself is to be careful and mindful of your social media accounts and passwords. You should also be wary of clicking links.