Today’s new was that Arron Banks’ account was hacked, exposing many private Twitter messages. It is reported that this was a SIM Swap attack.
What is a SIM Swap and how can it be avoided?
The SIM Swap attack
Someone gains access to your account without needing your password. How does it work?
- A hacker only needs to know your username (usually email address) and your mobile phone number. This is very easy as both of these are almost certainly freely available on the web or dark web. They can also very easily find your address, date of birth and various other personal details such as mother’s maiden name, place of birth, etc.
- They then pose as you to your mobile phone provider. They may have someone on the inside to help. The ‘lost SIM’ process is used, and a new SIM is created linked to your phone number and sent out (to them). They then intercept the new SIM in the post or do this directly at a phone store. This is not as difficult as it might sound, and skilled hackers can do this easily.
- The hacker now logs in as you and chooses the ‘lost password’ option. The provider then sends a text message to them on the new SIM with a code to confirm they are you, and they are in, without your password! They can also change your password and lock you out.
Practical Option 1 — Authentication app
Most sites now give you the option to use an authentication app on your smartphone (for example Google Authenticator) instead of the text to mobile phone option as the two factor authentication back-up.
This works better because the authenticator code is unique to your device and not linked to your phone number. To gain access a hacker would need to gain access to your actual phone. A SIM Swap would not work.
But there are two places where it does not work well:
- Some sites, even some major financial providers, do not offer the authentication app option and can only send text messages. So this method will not work on all sites.
- Some sites give the user the option of sending a code by text as a back-up method anyway, even if you use an authenticator app. Your Google account is an example of this. You can choose the option you want when you click the lost password option. So to make this secure, you also need to remove your phone number from your login account. That way a hacker cannot use that option.
This option works well but is not available on all internet sites where you want your personal data or financial data to be secure.
Practical Option 2 — Get a second SIM
If you have a dual-SIM phone as many Android phones are now, then you can set up a secret second phone number purely for these authentication tasks. This works because the hackers don’t know this phone number and therefore a SIM Swap attack would not work.
Some tips on doing this practically:
- Get a cheap pay-as-you-go SIM with a new phone number. This can cost as low as 10–20 dollars a year if you shop around
- Use this new secret phone number on the accounts you wish to protect more securely
- Don’t post this number anywhere else online to avoid someone picking it up and linking it to you.
- In the future, if you hear that one of the major sites with this phone number was hacked itself, then you can throw away that SIM and get a new phone number — just for extra safety
- This is most convenient on a dual-SIM phone, but clearly also works if you are prepared to carry around a second phone with the second phone number.
You are still exposed to hackers gaining access to your actual phone device and seeing the text messages, but this option should work on most sites.
- This article from Wired also has additional information on SIM Swaps and other suggestions.