INTRO: What is SIM-jacking?

SIM-jacking is an attack in which your phone number is migrated away from your SIM card / phone to a different SIM card / phone that an attacker controls. The attacker then uses this access to your phone number, usually via text message, to gain access to your other internet accounts, either by “recovering” access to an account (e.g., Google) or by combining it with other information or access they already have (e.g., a previously leaked password plus SMS 2FA).

“But I'm not famous / wealthy enough to have this happen to me!”

If you are reading this article, we guarantee that you are a potential victim of this attack. It doesn't matter how "famous," well-known, or little-known you are. While certain actions may make you a bigger target, we have seen far more people with increasingly small profiles falling victim to these attacks lately.

Why? The ROI for attackers who get their hands on your crypto is huge. Crypto is unique: it's decentralized, it can be easily anonymized, and it has real monetary value. This attack is relatively easy, requires no code, and is increasingly being reported on, inspiring more and more attackers to give it a shot.

[Image caption: Basically you right now.]

In addition, your cryptocurrency isn’t the only thing that can be stolen. 2019 saw a transition from stealing crypto to stealing sensitive data, such as business documents, personal information, or other data. The SIM swappers no longer need to rely on directly stealing funds—they can also succeed via extortion.

Lastly, all the information an attacker needs to socially engineer a mobile phone provider's support representative is readily available via social media or sites like TruthFinder. Because most people (possibly including you) don’t realize the consequences of someone gaining unauthorized access to their phone number, phone numbers are not protected the way other credentials are.

All of the above results in more people attempting more attacks with more success. In turn, it's not just famous people, the "top 100 influencers," or high-profile traders who are under attack. It's anyone and everyone who is involved in crypto.

You are at risk. Accept this. Take action now before it is too late.

How do they get your SIM / phone number?

One of the reasons SIM-swap attacks have been so successful is that many mobile phone carrier representatives are extremely easy to socially engineer. An attacker can call up your phone provider’s support line, pretend to be you or another authorized party, and spin some story to get the support agent to transfer your number to the attacker's SIM. If they run into any friction, the attacker hangs up and immediately tries again with the next support agent.

While this shouldn’t be possible, especially if you have a PIN or other protection enabled, it still is. Unfortunately, there is no foolproof way to prevent your phone number from being ported.

Support agents aren’t trained on this type of attack and are able to migrate your phone number regardless of the information “you” provide or don’t provide. 99% of their calls are from people who legitimately broke their phone or got a new phone and need this action taken. Support agents are typically paid next to nothing, and their performance is measured by automated metrics. There is little incentive for them to protect you from an attack they know nothing about, and a strong incentive to help "you," keep "you" happy, and keep their average call times down. To make matters worse, any notes on your account are not prominently displayed to support agents and are completely inaccessible to them if you have an additional PIN / password on your account.

[Image caption: Yup, that’ll solve it.]

How do you know if you’ve been SIM-swapped?

You may receive a call or text from your phone carrier’s support agent if the attacker disconnects in order to try again. Typically they’ll say something like, “Sorry we got disconnected...” Don’t ignore this! They were just talking to someone who was pretending to be you.

You will suddenly and unexpectedly have NO cell reception. None whatsoever. Restarting your phone doesn’t resolve it.

You may have notifications that came through before your phone lost service, or that still arrive if you are connected via Wi-Fi, like emails from your phone carrier or password reset emails from various services.

You may have a system notification stating that you can no longer access a phone-level account (like your Apple ID or Google account) and need to re-enter your password.

On Android, you may have a “this account was added to a new device” notification.

On iOS or your Mac, you may see an "Are you attempting to log in from Los Angeles, California?" pop-up.

If you use any non-SMS 2FA mechanisms that have push notifications (e.g., Microsoft Authenticator, Apple), you may have a “here’s the code you requested” or “are you trying to log in?” notification.

What happens once they get your SIM?

They start “recovering” access to your accounts one-by-one, gathering data, personal information, passwords, and a list of products and services you use as they go. Let’s look at one SIMple example. Keep in mind, this is not a comprehensive look at what an attacker could do to you.

1. An attacker successfully gets your phone number on their device, allowing them to receive all your incoming text messages and phone calls.
2. The attacker attempts to log in to your primary Google account and clicks “Forgot password?”
3. The attacker clicks “Try another way” until they get to the “Get a verification code sent to (XXX) XXX-XXXX” screen.
4. The attacker receives the SMS sent to your phone number that they now control, successfully resets your password, and gains access to your Google account.
5. The attacker changes your phone number and recovery email to ones that only they control, ensuring you cannot easily regain access to your account.
6. The attacker looks through your email and sees emails from Coinbase and Kraken.
7. The attacker goes to these exchanges, clicks “Forgot Password?”, and enters your email address (which they now control).
8. The attacker withdraws all your crypto from your exchange account to their own crypto addresses, approving all trades and withdrawals because they have access to your email and text messages.
9. The attacker buys more crypto with any USD holdings you have, linked credit/debit cards, or linked bank accounts.
10. If these transactions are processed before you regain access to your Google or exchange accounts, your bank account will be emptied, sold for crypto, and in the attacker’s sole control.

Note: because the attacker has access to your email and SMS, they are able to intercept and then delete any emails or texts regarding your new password or withdrawals. This means you may not realize which accounts have been accessed or emptied until much, much later.
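The indicators listed earlier (a carrier email followed by password reset emails from several services) and the note just above (the attacker deletes those emails from your inbox) suggest checking a server-side mail-delivery log instead, which mailbox access alone cannot erase. The following is an added example, not code from the original article; the log line format, the sender domains and the sample lines are all constructed, and the subject patterns are assumptions about what such notices typically say.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mail-delivery log (not real data). Assumed format:
# "<ISO timestamp> from=<sender> subject=<subject>"
SAMPLE_LOG = """\
2024-03-02T18:02:11 from=alerts@carrier.example subject=Your SIM card has been changed
2024-03-02T18:05:40 from=no-reply@google.example subject=Your password was changed
2024-03-02T18:07:03 from=no-reply@coinbase.example subject=Reset your password
2024-03-02T18:08:27 from=noreply@kraken.example subject=Password reset request
2024-03-02T18:09:55 from=no-reply@coinbase.example subject=Confirm your withdrawal
2024-03-03T09:00:00 from=newsletter@shop.example subject=Weekly deals
"""

# Subject phrases assumed to indicate a SIM change / number port at the carrier.
CARRIER_NOTICE = re.compile(r"sim card has been changed|number transfer|port-?out", re.I)
# Subject phrases assumed to indicate account recovery or a funds movement.
RECOVERY_NOTICE = re.compile(
    r"reset your password|password reset|password was changed|verification code|confirm your withdrawal",
    re.I,
)
LOG_LINE = re.compile(r"^(\S+) from=(\S+) subject=(.*)$")


def parse_log(text):
    """Return (timestamp, sender, subject) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_sim_swap_chain(text, window_minutes=60, min_services=2):
    """Flag each carrier SIM-change notice that is followed, within the window,
    by recovery/withdrawal emails from at least min_services distinct sender domains."""
    events = parse_log(text)
    alerts = []
    for ts, _sender, subject in events:
        if not CARRIER_NOTICE.search(subject):
            continue
        deadline = ts + timedelta(minutes=window_minutes)
        services = sorted({
            sender.split("@")[-1]
            for t, sender, subj in events
            if ts < t <= deadline and RECOVERY_NOTICE.search(subj)
        })
        if len(services) >= min_services:
            alerts.append({"carrier_notice": ts.isoformat(), "services": services})
    return alerts
```

Run this against the delivery log of the mailbox tied to your phone number; a single carrier notice with no follow-up resets is a normal phone upgrade, while a burst of resets across services minutes later is the chain described above.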

Needless to say, it is incredibly damaging, especially if a bad actor is able to take over a critical account—think Google, Apple, or your password manager—that allows them to gain access to other accounts.