How to Protect Yourself Against SIM Swapping Attacks
The smartphone has become the central hub of our digital lives. We use it not just for communication, but to secure our online accounts, make financial transactions, and store our most private data. However, this reliance on mobile devices has given rise to a dangerous new threat: the SIM swapping attack.
The Anatomy of a SIM Swap
A SIM swap attack, also known as SIM hijacking or SIMjacking, is a form of identity theft that allows hackers to take over a victim's phone number. The attacker convinces the victim's mobile carrier to port their number to a SIM card in the hacker's possession, usually by impersonating the victim and claiming their phone was lost or stolen.
With control of the phone number, the attacker can then reset passwords and bypass two-factor authentication on the victim's accounts. Since many online services use SMS for account recovery, the hacker can simply request a password reset code be sent to the stolen number. They can then lock the victim out of their own accounts and gain access to everything from email and social media to bank accounts and cryptocurrency wallets.
What makes SIM swapping so insidious is that it requires little to no technical skill. "SIM swapping is not very sophisticated, it's just a modern version of a con," said Allison Nixon, Director of Security Research at Flashpoint. "Providers have different procedures. Some will accept a phone call, some require going into a retail store." [1]
The Scope of the Problem
The full scale of SIM swapping is difficult to quantify, as many cases go unreported. However, available data paints a dire picture:
- The FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping attacks in 2020, with adjusted losses of over $12 million. This represents a 500% increase in complaints from 2018 to 2020. [2]
- The FTC reported that there was a 146% increase in SIM swap frauds from 2013 to 2016. [3]
- In 2019, SIM swaps cost US consumers over $68 million in losses according to data from the Identity Theft Resource Center. [4]
- A 2020 Princeton University study found 17 of 140 online services, including Coinbase, Dropbox, and Instagram, allow password reset via SMS token, exposing them to SIM swapping. [5]
Cryptocurrency owners have been especially hard hit by SIM swapping in recent years. According to blockchain analysis firm Chainalysis, around $1 billion in cryptocurrency was stolen via SIM swaps in 2019, much of it siphoned from individual wallets. [6]
| Year | Cryptocurrency stolen via SIM swaps |
|---|---|
| 2017 | $30 million |
| 2018 | $200 million |
| 2019 | $1 billion |
Data: Chainalysis
How SIM Swapping Exploits SS7 Flaws
At a technical level, SIM swapping takes advantage of long-standing vulnerabilities in the SS7 protocol that mobile networks use to communicate. SS7, which stands for Signaling System No. 7, is a set of telephony signaling protocols developed in 1975 that allows phone networks to exchange information needed for passing calls and text messages between each other.
The problem is that SS7 was designed without proper authentication safeguards. Any actor on the SS7 network can query information about a target's account, including the numbers needed to request a SIM swap. [7]
"The issue with SS7 is an issue of trust," explains Karsten Nohl, a security researcher known for his work uncovering SS7 flaws. "Any evil operator in the world, any of more than 800, can send a message to the network and it has to be accepted." [8]
While carriers have implemented some measures to defend against SS7 abuse, such as firewalls and machine learning systems to flag suspicious activity, researchers continue to demonstrate bypasses. At the 2020 Pwn2Own hacking competition, a contestant used an SS7 exploit to intercept two-factor authentication codes sent via SMS in near real-time. [9]
Developer Tools to Mitigate SIM Swaps
For developers building authentication systems, relying on phone numbers and SMS alone is no longer sufficient given the ever-present threat of SIM swapping. Here are some key technologies and practices to harden your login flows:
- FIDO2 and WebAuthn: These open standards enable password-less authentication using public key cryptography. Users register their device (such as a hardware security key or biometric sensor) with a service, which can then challenge the device to prove possession of the private key. FIDO2 is phishing-resistant and does not depend on phone numbers, making it immune to SIM swaps. [10]
- Time-based One-Time Password (TOTP): TOTP, which is used by authenticator apps like Google Authenticator or Authy, generates a short-lived code based on a secret seed and the current time. It provides a second factor not tied to the user's phone number. Implement TOTP using libraries like Speakeasy for Node.js or PyOTP for Python.
- Secure Remote Password (SRP): SRP is a password-authenticated key agreement protocol that allows for secure authentication over an untrusted network. Unlike typical password auth, the server does not store password-equivalent data, only a verifier. Implement SRP using libraries like srpforjava or srp-rb.
- Hardware Security Keys: For the highest level of assurance, require use of a physical security key implementing the FIDO U2F or FIDO2 standards. Google requires them for all employee accounts and has had zero successful phishing attacks since. [11]
While not all users may have hardware keys, supporting them provides additional protection for your highest-risk accounts. Libraries like fido2-lib or python-fido2 make implementation straightforward.
The Future of Mobile Identity
In the long run, the telecom industry recognizes that relying on phone numbers as identities is untenable. Several initiatives are underway to build a cryptographically secure mobile identity solution:
- ZenKey: A joint venture by AT&T, Verizon, and T-Mobile that uses the SIM card as a hardware root of trust. Users can authenticate to applications with a biometric or device PIN which is validated by the SIM. [12]
- Project Verify: A similar effort by Sprint (now T-Mobile), providing a device-based, password-less login secured by the SIM. [13]
- Blockchain-powered identities: Storing user identities on a public blockchain would provide a decentralized alternative to carrier-controlled schemes. Projects like Blockstack ID and uPort are exploring this approach.
Ultimately, the goal is to abstract identity away from mutable attributes like phone numbers to cryptographic keys provably linked to the user's device. This would make SIM swaps largely irrelevant, as stealing a phone number would no longer provide access to the user's identity.
What You Can Do Right Now
Until those next-generation solutions are widely deployed, the burden is on the user to protect themselves against SIM swapping. In addition to common tips like using strong unique passwords and PIN-locking your carrier account, here are some key steps to take:
- Enable non-SMS based two-factor on all important accounts. Authenticator apps and hardware security keys are not vulnerable to SIM swapping. Avoid using SMS as a second factor if possible.
- Don't use your phone number as a recovery method. If you must associate a number with your accounts, use a separate Google Voice or Skype number that isn't tied to your SIM.
- Be selective about sharing your phone number. Treat your phone number like your Social Security number. Don't post it online or give it out unless absolutely necessary. The less widely available it is, the harder it is to SIM swap.
- Use a password manager. Password managers like 1Password, LastPass, or Dashlane make it easy to use unique, strong passwords on every site. Importantly, they also mean you'll never lose access to your passwords if your phone number is stolen.
- Be aware of phishing and vishing scams. SIM swappers sometimes try to trick targets into revealing account details via phony tech support calls or phishing links. Be extremely wary of unsolicited calls or messages claiming to be from your carrier.
The Stakes Are Too High to Wait
The consequences of a SIM swapping attack can be devastating. Victims report losing their entire life savings, being locked out of email and social media accounts, and having sensitive information exposed. Some have even had their identity used to commit crimes in their name.
For businesses, the financial and reputational costs can be immense. The cryptocurrency exchange Bitfinex reportedly lost $30 million in 2019 as a result of SIM swaps that intercepted internal communications. [14] Twitter suffered a high-profile breach in 2020 in which 130 celebrity accounts were taken over to spread a crypto scam, all facilitated via SIM swap. [15]
For the cryptocurrency industry in particular, solving the SIM swapping threat is existential. Mainstream adoption of crypto cannot take off as long as user funds can be so easily stolen. No one will trust their retirement savings to Bitcoin if owning it means their phone becomes a $500,000 liability.
Developers and platforms must treat security as a first-class requirement, not an afterthought. Implementing phishing-resistant authentication methods like U2F and WebAuthn should be a top priority for any application handling sensitive data. It's time to take our identity out of the hands of the telcos and back into the hands of the user.
The smartphone may be the key to our digital lives, but as long as that key can be stolen by smooth-talking a minimum wage call center employee, we'll never be truly secure. The future of identity is decentralized, cryptographically assured, and in your control – not the SIM card. Let's build it together.