SIM swaps are one of the biggest security threats we face, allowing criminals to access most services protected by two-factor authentication. The situation could be about to get even worse, as we learn of an apparent large-scale attempt to bribe T-Mobile and Verizon workers to facilitate the swaps.
While new rules and security features are supposed to make these attacks harder to pull off, now would be an excellent time to ensure your accounts are protected by authenticator apps rather than text messages …
What are SIM swaps?
SIM swap attacks are when someone manages to get your cellphone number assigned to a new SIM. This means that any calls or texts which should come to you instead go to the attacker.
This is especially problematic when services use text messages to send one-time access codes for two-factor authentication.
SIM swap attacks are usually carried out using social engineering, and can be laughably simple to pull off.
An alarming test carried out by Princeton shows that the five largest US carriers fail to properly protect their customers against so-called SIM-swap attacks. They were able to persuade the carriers to assign phone numbers to new SIMs without successfully answering any of the standard security questions […]
The method used was ridiculously simple: the caller claimed to have forgotten the answer to the primary security question, and then went on to claim that the reason they couldn’t answer questions about things like their date and place of birth is that they must have made a mistake when they set up the account.
These attacks work regardless of whether you use a physical SIM card or eSIM.
$300 bribes for SIM swaps
Another attack vector is to bribe carrier employees to carry out the swaps, and The Mobile Report found that someone is making a concerted effort to find new staff willing to do this.
According to multiple posts on Reddit, as well as separate individuals sending us tips here at The Mobile Report, T-Mobile employees from all over the country are receiving texts offering them cash in exchange for swapping SIMs.
The texts offer the employee $300 per SIM swap, and asks the worker to contact them on telegram. The texts all come from a variety of different numbers across multiple area codes, making it more difficult to block.
Bleeping Computer reports that Verizon staff have also received these texts.
While it was initially believed that these texts were only targeting T-Mobile employees, Verizon employees also stated that were receiving variations of the same text.
An FCC rule change in November of last year means that carriers are supposed to use more careful authentication procedures before implementing a SIM swap, as well as writing to the subscriber to let them know it has been done.
How can you protect against SIM swaps?
Verizon offers a Number Lock option subscribers can use to make SIM swaps more difficult, with T-Mobile having its own version known as SIM protection. However, the latter “does not prevent eSIM transfer on Apple devices,” according to the company’s own documentation. All the same, it’s worth enabling these.
But the most important step you can take is to always select an authenticator app as your two-factor authentication method, and to disable any text message option. iOS offers its own authenticator, and Google Authenticator is another popular option.
With these, you’ll be shown a QR code you scan with the app in your iPhone to add the service. The app will then generate a 6-figure code you’ll need after entering your password.
Photo by Brett Jordan on Unsplash
FTC: We use income earning auto affiliate links. More.
