A SIM card swap is a scam in which hackers steal your mobile identity and use it to upend your life.
A SIM swap happens when someone convinces your carrier to move your phone number over to a SIM card they control. Once that happens, the scammer receives your incoming messages, and can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts.
The same SIM attacks appear to be behind a recent string of Instagram takeovers, as well as the very unfortunate, not great time when a hacker posted Justin Bieber nudes from Selena Gomez’s account last year.
This week a cryptocurrency investor claimed that a SIM swap resulted in the theft of $23.8 million worth of tokens; for that he's suing his carrier, AT&T, for 10 times that amount.
We have to fundamentally rethink the role of phone numbers in 2018. Phone numbers were never intended to be a way to confirm someone's identity, and phone companies were never in the business of selling identity documents.
These are the steps you can take to limit the chances of a successful SIM swap attack.
Use a PIN
Every major carrier offers you the option of putting a PIN or a passcode on your account, so take advantage of it.
On AT&T, you can set up a “wireless passcode” that’s four to eight digits long by going to your profile, then Sign-in info, then Get a new passcode. You should also add what the carrier calls “extra security,” which just means it’ll require the passcode to manage your account online or in a retail store. You can find that by going again to Sign-in info, then Wireless passcode, and checking Manage extra security.
Verizon actually requires a PIN, but to set yours up or change it, head to this site, then sign into your account. Enter the PIN of your choice twice, click Submit, and you’re done.
For T-Mobile, you have to call instead; dial 611 from your mobile phone and ask to add “Port Validation” to your account, which lets you choose a six to 15 digit PIN. On Sprint, sign into your account, click on My Sprint, then go to Profile and security. Scroll to Security information, and update your PIN there.
Use another two-factor authentication option
Getting your two-factor authentication codes over SMS is better than nothing, but it won't help at all if a SIM swap hits. Use an authentication app instead.
Apps like Google Authenticator and Authy give you that extra layer of security like SMS-based two-factor does, but they also tie it to your physical device rather than the number the phone company assigned to you. They show you a six-digit code that updates every 30 seconds or so, and stays in constant sync with whatever service you connect them to.
If you want even better security, opt instead for a physical authentication method, like a Yubikey.
Do not link phone numbers to your online accounts: a number on file can sometimes be used to circumvent two-factor requirements altogether, which gets back to the problem of using phone numbers as identifiers in the first place. Disentangling yourself from those seven digits is hard to do at scale, but it's worth at least trying on especially sensitive accounts, or if you might be a high-value target.
For services that require a phone number of some sort on record, use a Google Voice number, for instance.