SIM hijacking, or “port-out” fraud, is a scam you probably haven’t heard of, but there has recently been an alarming rise in cases where malicious attackers steal your phone number.
You may ask yourself what malicious attackers want with your phone number. The reality is that phones have become a way of authenticating who we are. What this means for you: if malicious attackers can steal your phone number, they will be able to get into any online account that uses your phone number to authenticate. This can include WhatsApp, Telegram and Instagram accounts.
This scam is called porting out, after the practice of porting a number from one carrier to another; it also goes by the names SIMjacking, SIM swapping or SIM hijacking. The scam relies on malicious attackers tricking your phone carrier’s tech support.
The scammer will usually start by sending out phishing and spear-phishing emails to a prospective victim. Often the criminals have purchased private information on a victim, making the spear-phishing campaign seem more legitimate. They are often looking for possible answers to security questions.
The malicious attacker then calls the victim’s carrier, posing as the customer, to report that their phone was lost or damaged. Provided the scammer can correctly answer the victim’s security questions, the old SIM card is cancelled and the number is ported to a SIM in the control of the malicious attacker.
From there the scammer can intercept mobile money transfers and get access to WhatsApp, Telegram and other social media sites that use a phone number for authentication – usually a code sent by text message. Instagram accounts are one of the primary targets of this scam. There’s a growing black market for control of stolen social media accounts and gaming handles, with popular accounts going for between $500 and $5,000 – recently an Instagram account sold for roughly $40,000 in Bitcoin, according to people involved in the trade.
Speaking of Bitcoin, many cryptocurrency wallets are held on mobile apps that also authenticate via text message. Cody Brown, the founder of IRL VR, a virtual reality production studio based in New York, lost more than $8,000 in Bitcoin within 15 minutes of hackers taking over his phone, which they used to hack into his email and his Coinbase account.
More disturbingly, once these scammers have control of a victim’s accounts, they can change the passwords, locking the victim out of their phone, bank and email accounts. This intrusion can make it extremely difficult for victims to get their lives back.
Telecom companies have known of the scam for many years, but it is an extremely tricky one for providers to fight. The good news is that there are some things you can do to protect yourself:
Beware of phishing emails, unsolicited calls and texts asking for personal or financial information. These emails, calls and texts might seem to be from a reputable company – they might even already know some of your private info to lure you into a false sense of security.
Ensure your software is up to date. Many updates for your operating system, web browsers and other software include security patches that help protect against malicious attackers. An anti-virus (such as Sophos) can help protect you from having personal information stolen and used against you.
Be careful of what personal details you share on social media accounts; malicious attackers will look at your social media to find answers to your security questions.
Look into a 2FA method that doesn’t use a phone call or text message to authenticate. Google Authenticator and Authy can add extra layers of protection and provide a secure authentication that cannot be exploited by SIMjackers.
Contact your mobile phone provider (Bell, Telus, Rogers, etc.) to find out what extra security measures they are taking to prevent port-outs. Many service providers will let you add a custom passcode to your account that will be needed to make significant changes to the account, such as porting a number.
If possible, remove your cell phone number from any account that could be of interest to a hacker, such as your email. It is recommended you add a VoIP number, which is SIMjacking-proof, to accounts on which you would like to use text- or phone-based 2FA (two-factor authentication). Google Voice is a free phone number which is perfect for this application. Make sure you use a secure password and 2FA.