When Jack Dorsey started sending out a string of bizarre tweets last week, it was clear that his account had been compromised. Less obvious to his more than 4 million followers was how the attackers took control of the Twitter CEO’s account for almost 20 minutes.
Twitter said hackers had gained access to Dorsey’s profile by effectively stealing his mobile phone number, which was compromised due to a “security oversight” by the carrier. While the company didn’t use the phrase “SIM swapping” in its statement, security experts attributed the attack to the increasingly popular tactic. Days later, the same thing happened to actress Chloe Moretz, who has over 3 million followers.
To carry out a SIM swap, a scammer who has obtained someone else’s phone number and other personal information calls a wireless carrier pretending to be the victim and requests that the number be transferred to a new SIM card. If the impersonation succeeds, which could involve providing the birth date or the mother’s maiden name, the attacker can start logging into various services, like Twitter, and changing passwords.
Having taken control over the phone number, the attacker will receive messages with one-time passwords, negating the effectiveness of two-factor authentication. An entity that calls itself the Chuckling Squad claimed responsibility for the two attacks against Dorsey and Moretz along with other internet personalities like James Charles and Shane Dawson.
While Twitter has suffered the most high-profile attacks, Facebook, Snap, Microsoft’s LinkedIn and Pinterest rely on similar security measures, leaving their sites open to SIM hijackers who sometimes just want to wreak havoc but other times have more nefarious intentions, such as accessing a victim’s banking credentials.
For Twitter, SMS hijacking is uniquely problematic because it has a feature that allows users to tweet by sending a text to the service.
“Really anything is better than SMS,” said Will Strafach, CEO of mobile security company Guardian Firewall. “The companies want usability. They want user engagement. Companies’ motives aren’t in a place where they favor security over usability.”
Some of the onus is on the user, who generally has options for multifactor authentication that don’t involve text messages. For example, on Twitter, users can create an account on a password authentication app, such as Google Authenticator, Duo or Microsoft Authenticator. They can also purchase a physical security key, like a YubiKey, which plugs into a computer’s USB port and verifies a user’s identity.
Todd Sherman, a product manager at YouTube, recommends that users set up a VoIP number, which is tied to a cloud-based service like Google Voice rather than to a specific phone.
Twitter temporarily turned off the SMS capability after Dorsey’s account was hacked, but then turned it back on in some places “that depend on SMS to tweet.” A Twitter spokesperson declined to say which countries have regained access to the feature.
Phone carriers are also responsible
SIM swapping has become prolific enough to attract the attention of law enforcement officers. The REACT task force, a partnership of local, state and federal agencies based in Silicon Valley, has been focused on SIM swapping for more than a year. In May, nine people from a hacking group were charged with using SIM swapping to steal over $2.4 million in cryptocurrency.
Some of those accused worked for AT&T and Verizon and were charged with helping outside criminals obtain phone numbers in exchange for bribes. Their involvement underscores the central role that phone carriers, along with big internet companies, play in weeding out SIM swapping.
It’s not just a few rogue workers that are of concern. SIM swapping typically involves scammers using deceptive practices to persuade a call center employee to move a number to a new SIM card. As long as humans are involved in the equation, gullibility is a risk, said Strafach.
“If you can social engineer, then you have access,” he said. “The human control needs to be removed to fully solve this problem.”
Carriers have addressed the matter by encouraging or requiring customers to establish a PIN with their account. If a would-be hacker doesn’t know the associated PIN, the transfer of the phone number can’t take place.
Sprint and AT&T allow users to create a passcode online, while Verizon requires it. Early last year, T-Mobile sent out a warning to customers, recommending that they establish passcodes and describing PIN hijacking as “a scheme that is affecting the entire wireless industry.”
However, PIN codes aren’t foolproof because hackers have ways to find them if they’re written down or stored somewhere. AT&T declined to comment on what additional measures it’s taking, and representatives from Verizon didn’t respond to requests for comment.
Lisa Belot, a spokesperson from Sprint, said the company encourages its customers to set up a unique PIN code. If someone attempts to perform a SIM swap, they’re required to authenticate their account by providing a PIN or answering a security question, she added. Belot said Sprint takes security measures to protect customers’ accounts, but didn’t elaborate on what it does specifically.
“These are criminal attacks against not only wireless customers, but carriers as well,” the spokesperson said. “We are constantly working hard to stop these bad actors.”
PIN numbers aren’t a totally foolproof way to prevent your account from being SIM swapped, since many users select codes that are easy to guess, Strafach said.
As SIM hijacks continue to rise, security advocates have called for carriers to do more to thwart the issue. But aside from PIN codes, phone carriers have provided few public details about what other steps, if any, they’re taking to prevent SIM swap attacks.
In other parts of the globe, carriers are increasingly working with banks to perform real-time SIM swap checks to prevent fraud and abuse. With this remedy, carriers would set up a system where banks can check phone records for any recent SIM swap requests tied to a certain bank account. If a recent SIM swap is detected, it could prevent fraudulent bank transfers from taking place.
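The real-time check described above, sketched from the bank's side as an added example that is not from the article or any carrier's API: before trusting a text-message code, the bank looks at when the number's SIM last changed. The `last_sim_change` lookup result, the 72-hour window, the high-value threshold and the decision names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions for illustration, not values from any carrier or bank.
SWAP_WINDOW = timedelta(hours=72)   # how long a changed SIM stays untrusted
HIGH_VALUE_CENTS = 100_000          # transfers at or above this are held

@dataclass
class Transfer:
    account_id: str
    amount_cents: int
    phone: str

def decide(transfer: Transfer, last_sim_change: Optional[datetime],
           lookup_ok: bool, now: datetime) -> str:
    """Return 'allow_sms_otp', 'step_up' or 'hold' for one transfer.

    last_sim_change is what a hypothetical carrier lookup reported for
    transfer.phone; None means the carrier has no SIM change on record.
    """
    if not lookup_ok:
        # Carrier unreachable: fail closed rather than fall back to SMS.
        return "step_up"
    if last_sim_change is None:
        return "allow_sms_otp"
    age = now - last_sim_change
    if age < timedelta(0):
        # Timestamp in the future is bad data; treat it like a failed lookup.
        return "step_up"
    if age <= SWAP_WINDOW:
        # Whoever holds the new SIM receives the code, so an SMS code proves
        # nothing here. Hold large transfers; require a non-SMS factor otherwise.
        if transfer.amount_cents >= HIGH_VALUE_CENTS:
            return "hold"
        return "step_up"
    return "allow_sms_otp"

if __name__ == "__main__":
    # Constructed sample: SIM changed two hours before a large transfer.
    now = datetime(2019, 9, 10, 12, 0, tzinfo=timezone.utc)
    t = Transfer("acct-001", 250_000, "+15555550100")
    print(decide(t, now - timedelta(hours=2), True, now))
```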
Strafach said carriers should be more transparent about the efforts they’re taking to curb SIM swapping. He also dismissed the explanation that telecom companies are keeping their strategies private in an attempt to keep hackers from finding ways to adapt.
“It shouldn’t be a problem to disclose your form of protection. That just means they’re doing something where it can be blown, the attacker can get around it,” he said. “Security through obscurity isn’t going to help.”