What is SIM Jacking?
“What happened to my phone service?”
Imagine waking up to find your phone service turned off and your bank account broken into. That's precisely the nightmare scenario a client of mine faced when dealing with SIM jacking. This dangerous method of hacking is becoming more common and can cause serious damage to unsuspecting victims. In this post, we'll uncover what SIM jacking is, how it happens, and the steps you can take to protect yourself.
Amber (her real identity has been concealed) came to me on a snowy and dark day in February. She was panicked. An ex-boyfriend of hers was harassing her. Her phone service was disconnected from her phone, even though she had paid her bill. Money was also missing from her bank account. Not only was the attacker able to attain her password, but they were able to bypass the SMS (text message) code that her bank required to log in.
Unraveling the Mystery: How did SIM Jacking Occur?
Amber and I started looking through her accounts to figure out exactly what had happened, beginning with her bank account. We logged in, changed the password and checked to ensure that the number associated with her SMS two factor authentication hadn’t changed. It was the same phone number.
Don't let your phone be the weak link in your security. Vigilance and robust measures can keep SIM jacking / hackers at bay.The second stop on our list was her phone service provider. Their security was dismal. They had a support number we could call to make changes to her service, and they required virtually no authentication in order to make a change to Amber’s SIM card. As we spoke with a representative from the cell phone company, they indicated that someone had called, presumably Amber’s ex, who used her personal information and some simple social engineering (“Amber lost her phone and needs to get a new one activated right away! I’m just trying to help her!”). Once the previous cell phone company rep was sufficiently convinced of the fabricated emergency, the attacker was able to perform the SIM Jacking attack by transferring Amber’s phone service to a new SIM card that he had in his possession. Then he put the newly activated SIM card into a phone within his possession and rerouted the SMS code that her bank normally sent her.
Wow. I’ve gone through some terrible breakups, but this one takes the cake.
Once the attacker transferred the money out of Amber’s account, luckily her bank reached out to her (albeit via email). After calling the bank, she was able to reverse the transaction and get her money back! We then sadly confirmed that it was her ex who was both harassing her, and now stealing money from her too.
What Amber wasn’t able to get back was her peace of mind. She was very stressed after this incident, exhibiting PTSD like symptoms as we started to comb through all of her other accounts to look for signs of other potential compromise. She was unable to trust that her other accounts hadn’t been hacked.
What went wrong? How did this happen?
Amber wasn’t using a password manager to generate random, hard-to-crack passwords, which can significantly bolster your online security. At some point in the past, she had shared a password with her ex to a different account, a password that was unfortunately identical to her bank account's password.
Amber was also trusting her phone service to a company with terrible security controls in place that would otherwise helped prevent the SIM Jacking from happening. Once he swapped her SIM card for his, she lost her phone service and control over her phone number.
What steps did we take to help prevent this from happening again in the future?
We were able to regain control over her phone number, and transfer it out to a better cell phone service provider. Choosing a service provider that prioritizes security may be pricier but can offer greater protection against SIM jacking attacks. Make sure that you audit your cell phone account regularly and opt into any security features that your service provider might have, including turning on 2FA.
We enrolled Amber with a password manager and started changing all of her passwords to randomly generated ones. It’s very common for leaked passwords to be reused by hackers when trying to gain access to other accounts where a victim might have reused a password.
As a precaution, we also audited other accounts in her possession, such as email. Sometimes a malicious actor, like her ex, can access your email, and use it to reset the password to other accounts and gain access that way. Both email and phone service provider security should be treated with extreme caution and care, as they are vulnerable spots if left insecure. In conclusion, the unsettling world of SIM jacking highlights the importance of robust security measures. As Amber's story demonstrates, choosing providers with lax security and reusing passwords can have serious consequences.
Key takeaways.
SIM jacking can lead to compromised accounts and loss of control over personal information. Robust security measures, including using a password manager, choosing secure service providers, and staying vigilant about your digital safety, are paramount. It's not just about choosing your friends wisely, but also your security practices. If you have concerns about your digital security and would like to discuss it with someone, please don't hesitate to get in touch with us for advice and support.
