It’s the simplest thing, and it makes a giant difference. You’re not likely preparing for a SIM swapping attack. You might not even be able to conceptualize how one would be possible. It certainly seems that it would be a lot more difficult to hijack someone’s phone number and access their accounts, but Princeton researchers found it’s literally as easy as just asking politely.
Princeton University’s Research
Princeton University researchers ran out and got 50 prepaid phones – 10 each with US Mobile, Verizon Wireless, Tracfone, T-Mobile, and AT&T. They called each carrier and asked to swap phone numbers to a different phone. Carriers presented them with questions to prove their identity. When their answers to questions failed, they continued through the process. They used a weak threat model and refused to escalate to management. In the end, they were successful almost every single time.
Every single SIM swap request they made to AT&T, T-Mobile, and Verizon succeeded. They succeeded a little more than half the time with Tracfone. Surprisingly, US Mobile was the hardest to crack, with only 3 of 10 attempts proving successful.
All they did was press on. They often only needed to get one answer correct, and some of the answers were easy to guess. Other answers were easy to spoof. Almost every carrier asks when the last payment was made and the total amount of that payment. Since all the plans in question were prepaid, a hacker could purchase the least expensive refill card and use it to anonymously make a payment on that account. They would then have created the correct answer to the question.
While a random hacker wouldn’t be likely to do that, a hacker with a distinct personal interest in their subject might be willing to put forth the effort. For example, a business owner or a wealthy person with a Verizon plan could easily become the target of someone looking to rob them via their phone number. Spending $50 to make a few thousand in a few minutes is highly worthwhile.
How Can Phone Numbers Be Used to Hack People?
You probably have a few accounts that required you to enter your phone number to sign up. They’ll text you codes in case you get locked out of your account. Perhaps you’re smart about privacy and you utilize two-factor authentication on everything, requiring a code be entered in conjunction with your password.
It’s so easy for a random stranger to own your phone number and bypass every security measure you’ve gone out of your way to set up. The ability to quickly and easily swap phone numbers could even allow someone to impersonate you on the phone. The possibilities are endless.
A random hacker might have a very hard time targeting people at random for SIM swap attacks. But a jealous ex, a hacker targeting the company you work for, someone attempting a larger-scale identity theft attack, or someone who just happened to find enough information about you online to hack you and see what you’ve got might have the time and patience to spend ten minutes on a call with a mobile phone customer service representative.
Social Engineering Attacks
According to the Princeton researchers, almost none of the questions asked by the representatives are rocket science. If you’ve lived in the same house for a couple of years, it would be easy for a hacker to guess your billing address. Since you only need to answer one or two questions to steal someone’s phone number, it’s not exactly a prohibitive method of hacking.
Attacks like these are called social engineering attacks. You don’t necessarily have to know the first thing about hacking to get what you need. Oftentimes, playing stupid is enough. Princeton researchers reported multiple instances of customer service representatives blurting out sensitive information, or trying to help them guess their answers. These people think they’re helping a forgetful good person who actually owns their account – it never even occurs to them that they’re speaking with someone malicious.
What Can You Do to Protect Yourself?
Using a VPN, setting up 2FA, and creating the hardest passwords known to man cannot protect you from a SIM swap attack. Simply put, these kinds of SIM swap attacks happen because the people who work for mobile phone companies either do not understand the importance of doing their jobs correctly or are working from lax policies that were written with a blatant disregard for your privacy. You can’t really do anything to protect yourself.
You know what you should do? Call your carrier and complain. Complain very loudly and ask them what they’re going to do to prevent this from happening. Require that they leave a note on your account that SIM updates cannot be performed over the phone, only in person with your photo ID and proof of account ownership. Just hope that a hacker doesn’t impersonate you and do that first, after they’ve performed a SIM swap attack.