Hackers Increasingly Use SIM-Swapping to Hijack Accounts

Last week, hackers took over the Twitter account of that company’s chief executive Jack Dorsey, using SIM-swapping, a technique that lets hackers access social media, email, financial accounts and other sensitive data. SIM-swapping, by which hackers take over the target’s phone, is being used to steal money and take over the “online personae” of celebrities, politicians and other notable people. In response, Twitter temporarily turned off the feature that allows users to send tweets via text message.

The New York Times reports that, according to security firm Flashpoint director of research Allison Nixon, SIM-swapping is an especially dangerous form of hacking. “It requires no skill, and there is literally nothing the average person can do to stop it,” she said.

It works when a criminal convinces a mobile phone provider to switch a phone number to a new device he controls. “Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim,” says NYT. “In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.”

With control of the phone number, the hacker asks Twitter, Google and other companies to send a temporary login code via text message, something “most major online services are willing” to do. Recent victims of SIM-swapping, in addition to Dorsey, include actor Jessica Alba, and online personalities Shane Dawson and Amanda Cerny.

So far, the only solution phone companies are offering is PIN codes that “a phone owner must provide in order to switch devices.” But some hackers have managed to get those codes by bribing phone company employees.

Santa Clara County, California deputy district attorney Erin West noted she lives in fear that she will get SIM-swapped. “It just doesn’t seem like the AT&Ts of the world are really doing anything to make it more difficult,” she said, adding that SIM-swapping cases have “become more frequent over the last year.” T-Mobile spokeswoman Paula Jacinto agreed that “account takeover fraud is an industry-wide problem.”

The Wall Street Journal reports that in the wake of actor Chloë Grace Moretz being hacked, Twitter was “probing security vulnerabilities at mobile carriers” in addition to pausing the feature that lets users send tweets via text message. The company pledged to “work to improve the linking of phone numbers used in two-factor authentication, a process intended to offer users more security when they log into their accounts.” It also stated it would reactivate the text message feature “in certain markets that rely on text-messaging for reliable communication.”

The hackers who took over Dorsey’s account posted “erratic and racist statements” and those who hijacked Moretz’s accounts posted “rambling and lewd language.” Twitter attributed Dorsey’s hack to “the security oversight to a mobile provider, which it declined to name.”