{"id":13145,"date":"2018-08-19T10:45:07","date_gmt":"2018-08-19T18:45:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/19\/news-6912\/"},"modified":"2018-08-19T10:45:07","modified_gmt":"2018-08-19T18:45:07","slug":"news-6912","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/19\/news-6912\/","title":{"rendered":"How to Protect Your Phone Against a SIM Swap Attack"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b7736f581d2b91bf5081ca1\/master\/pass\/How%20to%20protect%20against%20SIM%20swap%20attacks%20(0-00-00-00).jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sun, 19 Aug 2018 11:00:00 +0000<\/strong><\/p>\n<p>A spate of <a href=\"https:\/\/mashable.com\/2018\/08\/13\/instagram-hack-locked-out-of-account\" target=\"_blank\">hacked<\/a> Instagram accounts. A $220 million lawsuit against AT&amp;T. A <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/vbqax3\/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin\" target=\"_blank\">bustling underground crime ring<\/a>.  They all have roots in an old problem that has lately found new urgency: <a href=\"https:\/\/www.wired.com\/2016\/06\/even-ftcs-lead-technologist-can-get-hacked\/\">SIM card swaps<\/a>, a scam in which hackers steal your mobile identity\u2014and <a href=\"https:\/\/www.wired.com\/2012\/08\/apple-amazon-mat-honan-hacking\/\">use it to upend your life<\/a>.<\/p>\n<p>At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They\u2019re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the <a href=\"https:\/\/www.wired.com\/2016\/06\/hey-stop-using-texts-two-factor-authentication\">text-based two-factor authentication<\/a> checks that protect your most sensitive accounts. 
Or, if you don\u2019t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.<\/p>\n<p class=\"paywall\">SIM attacks appear to be behind a recent string of Instagram takeovers, as well as the very unfortunate, not great time a hacker <a href=\"https:\/\/www.buzzfeed.com\/christianzamora\/selena-gomez-and-the-hack\" target=\"_blank\">posted<\/a> Justin Bieber nudes from Selena Gomez\u2019s account last year. But they can impact other corners of your life as well. A cryptocurrency investor this week claimed that a SIM swap resulted in the theft of $23.8 million worth of tokens; he\u2019s <a href=\"http:\/\/globenewswire.com\/news-release\/2018\/08\/15\/1552594\/0\/en\/Cryptocurrency-Entrepreneur-and-Investor-Michael-Terpin-Sues-Too-Big-to-Care-AT-T-for-Permitting-23-8-Million-Theft-in-SIM-Swap-Scam-by-Authorized-Agent.html\" target=\"_blank\">suing<\/a> his carrier, AT&amp;T, for 10 times that amount. And <em>Motherboard<\/em> recently documented <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/j5bpg7\/sim-hijacking-t-mobile-stories\" target=\"_blank\">a number of incidents<\/a> in which SIM hijackers drained thousands of dollars out of people\u2019s checking accounts.<\/p>\n<p class=\"paywall\">A sobering caveat: If a skilled SIM hijacker targets you, there\u2019s realistically not much you can do to stop them, says Allison Nixon, who does threat research at security firm Flashpoint. \u201cIn most of the cases that we\u2019ve seen, a sufficiently determined attacker can take over someone\u2019s online footprint,\u201d she says.<\/p>\n<p class=\"paywall\">That\u2019s because ultimately, the machinations behind SIM swaps are largely out of your control. 
Perfect security hygiene won\u2019t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found <a href=\"https:\/\/www.flashpoint-intel.com\/blog\/sim-swap-fraud-account-takeover\/\" target=\"_blank\">some indications<\/a> that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. \u201cPhone numbers were never intended to be a way to confirm someone\u2019s identity,\u201d says Nixon. \u201cPhone companies were never in the business to sell identity documents. It was imposed on them.\u201d<\/p>\n<p class=\"paywall\">The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you\u2014and limit the fallout if it does.<\/p>\n<p class=\"paywall\">Every major US carrier offers you the option of putting a PIN or a passcode on your account. Take them up on it. Having one adds another layer of protection, another piece of information an attacker needs before they can compromise your identity. That won\u2019t help against an insider threat, but it\u2019s much better than nothing.<\/p>\n<p class=\"paywall\">On AT&amp;T, you can set up a \u201cwireless passcode\u201d that\u2019s four to eight digits long by going to your profile, then <strong>Sign-in info<\/strong>, then <strong>Get a new passcode<\/strong>. You should also add what the carrier calls \u201cextra security,\u201d which just means it\u2019ll require the passcode to manage your account online or in a retail store. 
You can find that by going again to <strong>Sign-in info<\/strong>, then <strong>Wireless passcode<\/strong>, and checking <strong>Manage extra security<\/strong>.<\/p>\n<p class=\"paywall\">Verizon actually requires a PIN, but to set yours up or change it, head to <a href=\"https:\/\/myaccount.verizonwireless.com\/clp\/login?redirect=\/vzw\/accountholder\/profile\/createBillingPassCode.action\" target=\"_blank\">this site<\/a>, then sign into your account. Enter the PIN of your choice twice, click <strong>Submit<\/strong>, and you\u2019re done.<\/p>\n<p class=\"paywall\">For T-Mobile, you have to call instead; dial 611 from your mobile phone and ask to add \u201cPort Validation\u201d to your account, which lets you choose a six- to 15-digit PIN. On Sprint, sign into your account, click on <strong>My Sprint<\/strong>, then go to <strong>Profile and security<\/strong>. Scroll to <strong>Security information<\/strong>, and update your PIN there.<\/p>\n<p class=\"paywall\">Yes, remembering another PIN is a pain, especially when you\u2019ll likely only need it every couple of years. But it\u2019s worth the effort. \u201cMost people have that turned off because if they can\u2019t remember their PIN they can\u2019t go into the local Verizon store and get a new phone,\u201d says Chet Wisniewski, principal research scientist at security firm Sophos. \u201cIf you can turn a PIN on with your mobile carrier to prevent your number from being manipulated, you should. Go ahead and write it down. No one\u2019s going to break into your house and steal your notepad from underneath your underwear in your secret drawer in your bedroom.\u201d<\/p>\n<p class=\"paywall\">We\u2019ve <a href=\"https:\/\/www.wired.com\/story\/two-factor-authentication-apps-authy-google-authenticator\/\">talked about this recently<\/a>, but it bears repeating. 
Getting your two-factor authentication codes over SMS is better than nothing, but it <a href=\"https:\/\/www.wired.com\/2016\/06\/hey-stop-using-texts-two-factor-authentication\/\">won\u2019t help at all<\/a> if a SIM swap hits. What <em>will<\/em> work? Using an authentication app instead.<\/p>\n<p class=\"paywall\">Apps like Google Authenticator and Authy give you the same extra layer of security that SMS-based two-factor does, but they tie it to your physical device rather than to the number the phone company assigned to you. They show you a six-digit code that updates every 30 seconds or so, and stays in constant sync with whatever service you connect them to.<\/p>\n<p class=\"paywall\">Want to step your two-factor up even further? Opt instead for a physical authentication method, <a href=\"https:\/\/www.wired.com\/story\/how-to-use-a-yubikey\/\">like a Yubikey<\/a>. These little fobs fit on your keychain, and plug into your computer\u2019s USB port to help verify your identity. (For what it&#x27;s worth, <a href=\"https:\/\/subscribe.condenastdigital.com\/subscribe\/splits\/wired\/WIR_FAILSAFE\" target=\"_blank\">you can get a free YubiKey 4 with a new WIRED subscription<\/a>.) \u201cIf you\u2019ve enabled a physical token, plus your password, and you turn off SMS, then someone literally is going to have to steal your keys. That raises the stakes to a whole other level,\u201d says Wisniewski.<\/p>\n<p class=\"paywall\">Not all services allow for tougher two-factor. (Instagram\u2019s the most notable example, although the social network says it\u2019s working on expanding the options it offers.) 
But switch it on where you can to give yourself the best shot at staying safe.<\/p>\n<p class=\"paywall\">If a hacker has a phone number that\u2019s associated with some of your online accounts, they can sometimes circumvent two-factor requirements altogether\u2014which gets back to the problem of using phone numbers as identifiers in the first place. Disentangling yourself from those seven digits is hard to do at scale, but it\u2019s worth at least trying on especially sensitive accounts, or if you might be a high-value target.<\/p>\n<p class=\"paywall\">\u201cIf there\u2019s one particular thing that you have that you know a thief would go after, like your bank account or your bitcoin holdings or your user name on social media, obviously keep that account separate from the rest of your online identity,\u201d says Nixon. \u201cIf you\u2019re extra paranoid, you can have a separate phone number, and keep that phone number secret. I know that\u2019s kind of over the top, but some people who try to protect themselves from this attack vector do try things like that.\u201d<\/p>\n<p class=\"paywall\">For services that require a phone number of some sort on record, you can swap in a Google Voice number, for instance. But Wisniewski suggests that the complexity it adds to your life might not be worth it for most people, especially since so many apps tie your account to the number associated with your phone. Which, again, gets back to the core problem.<\/p>\n<p class=\"paywall\">\u201cThe challenge we have is these app developers need a universal identifier, and they\u2019ve just decided that the phone number\u2019s as good as anything. We don\u2019t want national ID cards, and we don\u2019t have any central authentication authority,\u201d says Wisniewski. 
\u201cThey\u2019re struggling to find something they can use to identify you, and sadly they\u2019ve decided on the phone number, which is not incredibly secure.\u201d<\/p>\n<p class=\"paywall\">The other step you can take, however pat it sounds, is vigilance. If your smartphone suddenly stops working, or messages stop going through, you know you\u2019ve lost your SIM. The sooner you act to preempt account takeovers from there, the better off you\u2019ll be.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/sim-swap-attack-defend-phone\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b7736f581d2b91bf5081ca1\/master\/pass\/How%20to%20protect%20against%20SIM%20swap%20attacks%20(0-00-00-00).jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sun, 19 Aug 2018 11:00:00 +0000<\/strong><\/p>\n<p>Your phone number is increasingly tied to your online identity. 
You need to do everything possible to protect it.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13145","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13145"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13145\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13145"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}