Sim-Swap experience

Last evening, as I was about to log off from work, I saw the suspicious activity mail on my personal accounts. The phone stopped working and I couldn’t make calls or receive texts. This is when I realized something was wrong. There have been similar attempts in the past, and unauthorized access was restricted due to the security measures on the accounts.

SIM swapping is possible when someone requests a new SIM from the provider. However, the requester has to share the personal PIN with the customer care representative or make them believe that they are the primary account holder on the account. Speaking to T-Mobile customer care, it was clear that the error was on their part and someone was able to bypass the security measures and replace the SIM. It’s unfortunate that they bypassed the PIN requirement and believed the bogus story of the caller.

So how do scammers pull off a SIM card swap like this?

*They may call your cell phone service provider and say your phone was lost or damaged. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone — a phone they own. If your provider believes the bogus story and activates the new SIM card, the scammer — not you — will get all your text messages, calls, and data on the new phone.*

*The scammer — who now has control of your number — could open new cellular accounts in your name or buy new phones using your information.*

*SIM swapping is not limited to a specific provider. However, there are reports of users who had their SIM swapped on more than one occasion.*

Trying to put this together, it looks like the hacker may have gained access to the account/phone number from the dark web and already pwned websites.

The website “Have I Been Pwned” can be used to verify if an email account was compromised.

The accounts below were reported as compromised:

*There was an email last month from the GateHub team that the account was compromised. However, I didn’t give it much attention, as the account(s) were no longer used. I thought it was OK to leave them as-is and was planning on deactivating the accounts at a later time. The unauthorized user was able to identify the phone number and also the associated email accounts.*

The attempts below were made at almost the same time:

The unauthorized user convinced T-Mobile customer care with a bogus story and got the SIM swapped (~5:30pm on 1/6/2019).

The unauthorized user changed the password on the personal account (Outlook), as 2FA by text was enabled on the account.

The unauthorized user was able to change the password on another account (Yahoo) using the same approach.

The unauthorized user was able to change the password for the Coinbase account. This also had 2FA with Authy and text.

Account recovery approach:

Called T-Mobile customer care from a different line and requested them to stop the SIM swap request. The first thing they asked for was the personal PIN. The unauthorized user had also managed to change the personal PIN on the account. The next step was to prove that I’m the primary owner, and they asked if they could send a temporary PIN to the email linked to the account. I thought for a second and then realized that the personal account was no longer available, as the unauthorized user had already changed the password. As I still had access to the phone, I was able to access the authentication apps installed on it, and I was able to quickly recover the personal account using the authentication code from the app. I added more than one recovery option on the accounts, and 2FA by text was only used for backup purposes. T-Mobile customer care was able to reinstate the SIM back to the number.

Thanks to Tiffany Hayden, as she warned users about the SIM swap hack. She also shared how her SIM was swapped twice even after all the T-Mobile fraud protection. You can read more from this thread:

What can you do?

Check with the carrier (AT&T, T-Mobile, etc.)

Check if there were any attempts to replace the SIM.

Have a permanent block placed on the account.

Future SIM replacement requests will be redirected to the fraud protection team. This, however, is a problem if someone wants to replace a SIM.

Enable two-factor authentication on all accounts (even if the accounts are not used).

**2FA with text is a weak security measure**
Use Google Voice if the website doesn’t offer any other option, and SIM swaps will not be possible.

2FA with identity pass code would be more secure

Install an authenticator app from the Play Store/App Store: Microsoft Authenticator / Google Authenticator.

FIDO U2F

*U2F has been successfully deployed by large scale services, including Facebook, Gmail, Dropbox, GitHub, Salesforce.com, etc. You can also secure the accounts using any YubiKey products.*

**Verify if the accounts have been compromised and take action.**
Refer to the website: https://haveibeenpwned.com

Sign up for credit monitoring services and set up notifications.

Credit Karma, LifeLock, or another credit monitoring service.

Do not share the passwords/PINs for accounts, and use a password manager.

Chrome password manager, 1Password, or another password manager.

Request a credit freeze

*This way the unauthorized user won’t have access to the credit reports and will not be able to open new accounts. The credit freeze can be initiated online, and it only takes a few minutes to freeze the account. If there is an error, the request can be initiated via phone.*

Equifax: Equifax.com/personal/credit-report-services, 800-685-1111

Experian: Experian.com/help, 888-EXPERIAN (888-397-3742)

TransUnion: TransUnion.com/credit-help, 888-909-8872

Do not store virtual currency/crypto in online wallets:

If you own any virtual currency, move it out of online exchanges/wallets. Remember, you are the bank, and there are still lots of issues with online wallets. Invest in a hardware wallet like the Nano Ledger and secure the passkeys. Don’t leave any trace online, even if you own a small amount.

The presence of mind and timely help by others were useful, and I was able to limit the SIM swap damage. Stay safe, everyone.

**Disclaimer:**
This may not be a perfect solution. However, this can help someone who hasn't secured their accounts or is in the process.