When your phone suddenly says “Emergency Calls Only”: SIM Swapping

You’re relaxed at the perfect campsite, spacious, quiet, great cell signal, and an awesome view. You intend to have a few productive work days, using your internet connection to stay in touch with the real world. But at some point, you notice that you don’t have an internet connection, or that your phone says, “Emergency Calls Only.” It may seem like the kind of thing that you’ll take care of on your next trip into town, but you may want to address it a lot sooner. You may have just become the victim of a SIM swapping attack.

What is a SIM-swapping attack?

Let’s start with the SIM card. That’s the little tiny chip that you put in your phone after fiddling with a paperclip and tray that slid into your phone, or for some phones, an e-SIM which performs the same functionality in software. It contains what amounts to a unique electronic identifier that, when inserted in the phone, links your phone number and account to the device that it’s in.

Ordinarily, you can move your SIM from one phone to another, and your account follows–which ever phone Jenny puts her SIM in is the one that will ring when 867-5309 is dialed. But if you’ve ever lost your phone or changed carriers, you know there’s also a mechanism to get a new SIM, and move your phone number to it.

A SIM-swapping attack uses various forms of social engineering, phishing, or good old-fashioned bribes to get someone at the phone company to associate your phone number with a different SIM. At first, that doesn’t sound like a terribly big deal, right? You call the phone company, tell them it wasn’t you, and undo the swap. But you’re sitting miles from a physical store, and you’re going to have to overcome the fact that someone else just convinced them that they were you, and may have had all of the personal details you might need to prove otherwise. You can read one account from a tech writer who fell victim to such an attack, including a $25,000 Bitcoin purchase using his bank account. Or read about Twitter CEO Jack Dorsey dealing with the same thing.

This form of attack isn’t limited to smartphones either. In fact, people without smartphones are more likely to use SMS (text message) 2FA (two-factor authentication). If you don’t have a smartphone, consider a separate security key for sensitive accounts.

Just about every account that offers online access is vulnerable

Even if you don’t have online access set up for that account. Usually the first thing that an attacker will go for is your e-mail account. Why? Once in, they’ll have easy access to information about the accounts you do have, and to e-mails those services would send to reset a password or letting you know that a password has been reset.

From there, credit cards, bank accounts, retirement and investment accounts, even cryptocurrency accounts are ready to be drained. If you don’t have online access set up on those accounts, the attacker might set it up, only to withdraw your hard-earned money in them.

What’s unique about a SIM swapping attack, over ordinary phishing attempts that would try to get you to give up your password, is that it allows someone access to the SMS (text message) authentication codes that a bank or other service would send to confirm they’ve got you. They get the account alerts about a withdrawal, they get the phone call from the bank if something looks off. If the attacker calls the bank, they get the friendly “we see you have an account with us” message, while you call from another phone greeted as if they have no idea who you are.

While you can certainly straighten things out, the breadth of access granted an attacker with the ability to use your phone number means that it could take quite a lot of effort. It’s worth a few ounces of prevention to try to avoid the problem.

How can I protect myself from an attack?

  • Use two-factor authentication by means other than SMS. Authy or Google Authenticator are two interchangeable and widely supported platforms for generating a one-time 6-digit code that changes automatically with time (called TOTP, or time-based one-time password). You’ll be able to save one-time backup codes so that you can access your accounts should the device be unavailable–write these down and store them in a safe place.
  • Use unique, automatically-generated passwords and a password manager. Firefox‘s built-in password manager is very good, especially combined with their Lockwise app for logins outside of a web browser. When you right-click on a password field, you can retrieve your saved password, or fill a new, securely-generated password that’s saved automatically.
  • Contact your phone provider today. Ask them to add an “in-person” or “store only” requirement for changes to the account. You should already have a PIN for making account changes (I hope so!!), but if not, add one.
  • Remove your phone number from accounts where it’s not required. Some suggest setting up a Google Voice number for accounts where a number is required–it’s not bad advice, but does carry some extra complexity.
  • Make sure you’re not using popular sites like Google or Facebook to log in to other services.
  • Set up online account services for accounts you have but have never used online, with a strong password and two-factor authentication.

Take these steps NOW to minimize the damage from a SIM-swapping attack

  • Set up a physical notebook with details about your financial accounts that would help you to verify your identity to the institution. Note things like the month and year you opened the account, previous mailing addresses, perhaps where you opened the account or the name of the person that helped you open it. Save anything that might help prove who you are that wouldn’t be readily accessible when someone logs in as you. Make sure you include contact information for that institution.
  • Occasionally print the list of accounts from your password manager, and keep in a safe place. You don’t need the passwords printed though. We’re just after the list of places you’ve set up accounts, so you don’t forget to address anything.
  • Know how to get to a phone at any hour WITHOUT using your phone to search or navigate. That could be a police station, 24-hour store like Wal-Mart, or a truck stop. It’s a good reason to keep a paper map or standalone GPS. Alternatively, make sure you download offline maps for the area you’re in if using Google Maps from your phone.

If an attack happens, act quickly.

If you see an indication that your phone isn’t working normally, don’t ignore it. Not sure? Make a phone call or send a text message to someone you know. If it goes through normally, you’re probably fine. If not, assume someone has gotten access to your phone number. It’s time to start fighting fires.

  1. If you’re not alone or have another device, immediately call the carrier (generally by dialing 611). Unfortunately, if your spouse’s phone is on the same account, the attacker likely swapped both at the same time. Get to a place where you can call the phone provider ASAP one way or another. It still takes some time to reset account credentials and to initiate money transfers and credit card charges.
  2. File an identity theft report with the local police. The police probably won’t do much beyond taking the report, and hopefully loaning you a phone. But the record will help to establish when you became aware of the problem, and may be useful down the line.
  3. If you can get to a place where you can access the internet (perhaps a McDonald’s or Starbucks parking lot within range of their free WiFi, even if closed), see if you can log in to your e-mail account. You might get lucky. If you can, quickly look for e-mails indicating account changes, either in the inbox or in the trash folder. If you see anything abnormal, especially messages indicating movement of money, start making phone calls. Change your account password immediately, removing the phone number and adding Authy or Authenticator credentials.
  4. Set up a new e-mail address, but do not include your phone number when setting it up. Set up only a password and app-based two-factor authentication. Begin the process of logging in to every account, starting with financial accounts, updating them to a new password and new e-mail address.
  5. File an identity theft report with the FTC. Initiate credit freezes with each of the 3 credit bureaus. Since your Social Security number is associated with financial accounts, and generally present on tax documents, contact the IRS. (Especially this time of year, with filing season opening)
  6. For any account where you can’t log in and change the e-mail address and log in credentials, call them ASAP to explain what’s going on. Expect each of these calls to take time, both with a lot of effort to verify who you are, and in verifying what, if anything, has been done by the hacker.
  7. While you’re spending time on the phone, look at your credit card and bank accounts for any signs of temporary authorizations or pending transfers. Obviously, if you see something that isn’t you, report it.

What could be changed to prevent these attacks?

It’s not likely that we’ll ever have foolproof authentication at the phone provider. All too often, people do have phones lost or stolen. People do forget PINs for their phone accounts. And customer service agents do fall for scams and phishing attacks.

That said, one thing that could be done isn’t happening. In other places, financial institutions share information with phone providers. When they get a request for certain account changes, they check for a recent SIM change. If you’ve swapped it, legitimately or not, your change has to wait a few days. It doesn’t prevent the swap from happening, but goes a long way to minimize financial losses.

Keep close watch over your information. In coming weeks I intend to post a few videos walking you through some of the setup to help you protect your information, and hopefully prevent a SIM swapping attack.

Leave a Reply