It was a shock in August when Twitter CEO Jack Dorsey’s Twitter account started sending out racist Tweets. He’d been hacked, of course, but perhaps the biggest shock of all was how easy it was — @jack was the victim of simple SIM card swapping.
SIM “hacking” isn’t new — it’s basically cellphone hijacking — but it’s become much more important of late, for a whole host of reasons. The biggest: Our smartphones have become our new passwords, so criminals who can control the gadgets can control our digital lives.
We’ve spent years (rightly) pushing consumers towards two-factor authentication, but as so often happens in the world of security, we’ve traded one problem for another. We all agree that Social Security numbers make terrible passwords, so we’ve switched to phone numbers now. And the fallout is just beginning.
Everyone who’s ever upgraded their cellphone at home knows what a SIM card swap is. You tell your mobile provider to send your calls and texts to your new phone, rendering the old one useless. This can involve the literal swapping of a SIM (subscriber identification module) card. Today, it often happens via software and over-the-air updates. Easy enough.
The problem occurs when a criminal convinces a mobile provider to “upgrade” your phone to a phone that the criminal controls. That means the criminal is now able to intercept all calls and text messages headed to you. Big problem. If your bank is looking to authenticate you with a six-digit code at login, well, there goes that security method. And if you are the CEO of Twitter, a SIM card swap hack can give criminals a chance to publicly embarrass you.
It should also make you think: Wouldn’t Twitter Jack have pretty tight controls on his account? Yet still criminals were able to access it? Can you think of anyone else with a high-profile account that would make a juicy target for hackers?
You are a juicy target, too. I’ve written a lot about theft from Zelle and other P2P payment accounts recently. Some victims have no idea how it happened, leading me to imagine that in some cases, SIM card swapping could be at play. Really any account that relies on an SMS text message for login could be a target.
If you are a smartphone owner, this should make you personally nervous. Think of all the things criminals could do if they could access your text messages.
Mobile providers are trying to fix this problem, but they are a long way from having a great solution. In the meantime, you have to act to protect yourself. I’m really glad Liz Weston wrote about this recently for the Associated Press and NerdWallet. You should read her story in the Washington Post, which includes a few thoughts from me.
But here’s my need-to-know information for you:
- Know the signs: If you are the victim of a SIM swap, your handset suddenly won’t work. Texts won’t go through. That might look to you like you just hit a spot with no cell signal, but your phone won’t show a weak signal: It’ll show no signal. If this happens, be on heightened alert. Maybe it’s a false alarm. But now you know that maybe it’s a sign you’ve been hacked. Now, time is of the essence. Criminals aren’t doing this for fun; they are doing this to steal money.
- Have an emergency plan: If your phone is hacked, it won’t work. So, you can’t count on calling customer service to ask what’s wrong. Your phone won’t work! Do you have a second phone, or quick access to one? Do you know how to tweet at or email customer service, or use Skype from a laptop? When a SIM hack happens, you need to reach out to your mobile provider fast. Have a plan for that.
- Be ready to teach customer service: When you reach an operator at your mobile provider, don’t count on him or her knowing what’s going on. SIM swapping is still new to some of them. You might have to teach them what it is. Keep this story handy, or Liz Weston’s story. Send them to my website. The quicker you get past front-line customer service to a knowledgeable operator, the less time hackers will have to root around your digital life.
- Use an authenticator, not SMS: Two-factor authentication is good. But using SMS/text messages as that second factor isn’t great. Many sites allow use of a token generator, like Google’s Authenticator app. That’s a much safer way to protect your accounts than text messages. Make the switch now, while you’re thinking about it.
- Consider adding a PIN code: Yes, another one. To your mobile account.