Written by Nathaniel Popper
When hackers took over the Twitter account of Twitter’s chief executive, Jack Dorsey, last week, they used an increasingly common and hard-to-stop technique that could have given them complete access to his digital activities, including social media, email and financial accounts.
Called SIM swapping, it allows hackers to take control of a victim’s phone number. In recent months, SIM swapping has been used to hijack the online personas of politicians, celebrities and notables like Dorsey, to steal money all over the world and to simply harass regular people.
Victims, no matter how prominent or technically sophisticated, have been unable to protect themselves, even after they have been hit again and again.
“I’ve been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I’ve seen,” said Allison Nixon, director of research at security firm Flashpoint. “It requires no skill, and there is literally nothing the average person can do to stop it.”
How a Sim Swap Works
Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.
The number is switched from a tiny plastic SIM card, or subscriber identity module, in the target’s phone to a SIM card in another device.
Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.
Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim’s phone. Most major online services are willing to send those messages to help users who have lost their passwords.
But the temporary code is sent to the hackers.
Phone companies have been aware of the problem for years, but the only routine solution they have come up with is offering pin codes that a phone owner must provide in order to switch devices. Even this measure has proved ineffective. Hackers can get the pin codes by bribing phone company employees.
“It just doesn’t seem like the AT&Ts of the world are really doing anything to make it more difficult,” said Erin West, a deputy district attorney in California’s Santa Clara County who is a member of a law enforcement task force focusing on the problem. “I live in fear that I will get SIM-swapped because it’s not that difficult.”
No American authorities are keeping statistics on the frequency of the attacks. But West and others who are tracking cases said they have become more frequent over the last year.
“Account takeover fraud is an industrywide problem,” said Paula Jacinto, a spokeswoman for T-Mobile. “We use a number of safeguards to help protect against this crime and offer customers a variety of options to help them protect their own information.”
Who Has Been Hit?
It is difficult to ascertain how many mobile phone users have been hit by a SIM swap. But people around the world, from Kenya to Hollywood, have complained about it.
In recent weeks, the most prominent targets have been celebrities like Dorsey, actress Jessica Alba and online personalities like Shane Dawson and Amanda Cerny (her second time). The hackers used the accounts to post offensive messages to millions of followers. They also gained access to private communications.
Matthew Smith, who owns an internet-focused design studio in South Carolina, has been hit by SIM swappers four times — three times this year alone. Hackers had long wanted his Instagram handle, @whale. That made him a target.
Every time the attackers have gained access to his social media and email accounts, Smith’s phone provider, T-Mobile, has assured him that it has put additional measures in place to protect his account. While he has managed to get back his social media accounts, he has not regained access to two Google email accounts that held years of communications.
In the most recent incidents this summer, after the attackers got into a new email address, they contacted Smith, his family and his friends to threaten him and his children with information from his accounts.
“It feels sickening,” Smith said. “It feels like everything you own, and you thought was safe and yours — that someone is playing with that like it is a toy.”
T-Mobile said it would not comment on specific customers.
Victims have complained that after the attacks, they have struggled to get help from their phone companies or to even get someone on the line at a phone company who understood the problem.
When recording artist King Bach lost and then regained control of his phone number in late August, he posted an angry video on Twitter in which he said he had spent hours on the phone with AT&T.
“The customer service is trash,” he said. “I couldn’t get no help.”
AT&T did not respond to numerous requests for comment.
Progressing from Pranks to Theft
SIM swapping became popular in the hacking community years ago. Attackers were mostly interested in taking control of rare or iconic social media account names, like a Twitter or Instagram account with just one name.
But hackers soon realized they could gain access to more than social media accounts.
In 2016, SIM-swapping gangs started targeting cryptocurrency holders. Unlike traditional bank transactions, once virtual currency is moved to a new address, the transaction cannot be reversed. U.S. bank accounts have been less vulnerable to SIM swapping because banks will generally reverse any criminal transactions.
Over the last year, law enforcement officials have arrested some of the gangs stealing cryptocurrency. For the first time, a hacker was sent to jail and is serving a 10-year sentence.
The number of online crews focused on SIM swapping has been growing, researchers said, as has the range of victims and the type of accounts.
In Africa, gangs have used SIM swapping to target financial accounts tied to mobile phone providers, like the popular MPesa service in Kenya. South African officials said there were over 11,000 incidents there last year, triple that of the year before.
Security experts have recommended that companies stop using phone numbers to help customers recover accounts.
“This is a technology problem because we are using a very old technology that is not designed to be secure to send secure codes,” said Fabio Assolini, a security research at Kaspersky Lab, who lost his own phone number in a SIM-swapping attack last year.
Twitter said Wednesday that it will stop allowing some users to post updates via text message, which made it particularly easy for SIM swappers to access Twitter. But that will not stop hackers who use the SIM swap to log into a victim’s Twitter account. (Twitter said it is working to improve this.)
Security experts are worried that hackers could step up their attacks and use the method to go after even higher value targets. Several Brazilian politicians have recently had their phones and social media applications compromised.
“SIM swapping is proliferating, and it is going to keep proliferating until companies deal with this,” Nixon said. “This is a known issue at this point. There is not really any excuse.”