Defenders: SIM card swappers on the rise, experts say
“All of a sudden... I couldn’t get access to any of my email accounts."
Gregg Bennett, an entrepreneur from Seattle, said he was a victim of SIM card swapping earlier this year. Without warning, he lost access to several email, financial and other accounts.
“(The hackers) got into my amazon account, my Evernote account, my Starbucks account. They were just messing with me.”
The scheme involves hackers convincing a user's phone carrier that their phone is missing, broken or requires a transfer for some other reason. Then, the carrier transfers the SIM card information from the user's original phone to another in the hacker's possession.
After the SIM is swapped, the user's phone is wiped and the hacker gains control. All of the user's texts and calls are then sent to the phone in the hacker's possession.
From there, passwords can be reset and the user's entire online identity is at risk.
After hackers swapped his SIM card, Bennett said he lost about $900,000 worth of cryptocurrency. "I was flabergasted," he said.
The hacking technique is becoming more popular, according to two computer science experts.
“The most common victim, in my experience, are the people that are not informed, the people who are actually sharing their precious information on websites," said Flavio Esposito, a professor at St. Louis University.
SIM swapping is not a new technique, according to Vijay Anand, a professor at the University of Missouri St. Louis, but its effects on individuals have become more severe because of the new ways people use their phones.
"We have tied our identity to our phone numbers in a very significant way over the last 5 years to 10 years," Anand said.
It's not clear how many people have been SIM swapped in recent years.
When asked how many had been affected, an official with Sprint said that information was not available. An AT&T spokesperson told ABC 17 News they were "not able to share information on the number of SIM scams reported."
A spokesperson with the Missouri Attorney General's office said they had not received any complaints describing the technique.
Another way for someone's phone to become hijacked is if there is a "rogue element within the (phone) company," Anan said.
"There is no incentive for a telecommunications company to disclose that they have received such an attack because that would jeopardize their reputation," Esposito said.
Watch an extended clip of the interview with Flavio Esposito below:
In a statement, an AT&T spokesperson recommended users avoid using phone numbers as a sole source of authentication.
"We are working closely with our industry, law enforcement and consumers to stop and prevent this type of crime. We have security measures in place to defeat fraudulent SIM swaps," the spokesperson said.
Although there's little one can do after being targetted, there are several ways to fortify your online security ahead of time.
Keeping information private offline, establishing a PIN with your phone carrier and using a variety of means for password authentication can all make it harder for hackers.
Overall, experts recommend making it harder for someone to pretend to be you.
"We also strongly encourage our customers to protect and regularly update their passwords, and never share account details, names, or other personal information with a third party without verifying the request came from a trusted source," said a Sprint spokesperson.
The Federal Trade Commission, and CTIA both have guides to prevent scammers from gaining unwanted access.
"It’s so far off in the background, you just don’t realize that it’s a real threat to me," Bennett said.
