Understand your needs
Improve our services
Deliver personalised content
Save your preferences
Analyse visitor interactions
Your consent is voluntary – you can always change you cookie settings here.
You did everything right. Your accounts had strong passwords, you never clicked on random links, and you had two-factor authentication set up. But you still wake up one morning to find that you’re locked out of your email and your bank account is empty.
Jul 19, 2019 · 4 min read
This has happened to people who’ve fallen victim to a SIM swapping (or SIM jacking) attack. Criminals use this attack to take over someone’s phone number by transferring it to their own SIM card.
SIM swapping was especially widespread in 2017 and 2018. However, new attacks were reported in recent weeks and the victims lost large sums of money.
Unfortunately, this attack that costs its victims thousands of dollars is relatively easy to carry out. The attacker calls your mobile provider and asks them to transfer your SIM card to a device that they control. This usually happens late at night so the victim doesn’t realize they’ve lost their mobile service or brushes it off as a minor tech issue and goes to sleep.
While you are asleep, however, the attacker uses your phone number to reset your email password. They receive a 2FA verification code and gain access to all of the accounts associated with the primary email.
It seems that neither T-Mobile nor AT&T (both of whose customers were repeatedly targeted in SIM swapping attacks) have any serious security measures in place. AT&T’s guidelines do state that you can create a password for your account. However, employees will not always ask for it.
T-Mobile suffered a data breach in August 2018. Hackers stole over 2 million people’s information. The data did not include anything particularly valuable, like financial information. Instead, it served a different purpose.
It contained T-Mobile’s clients’ billing information, which is enough to perform a SIM swap: account number, name of the holder, and their address. Even if you have a pin or password set up, the attacker can get away by just claiming that they forgot it.
This attack is not new or particularly complicated, but mobile providers don’t do anything to stop it. It’s up to users to protect their accounts.
We want to trust our mobile providers, but even after these incidents were widely reported, neither AT&T nor T-Mobile implemented any new security measures. However, there are some things you can do to protect both your SIM card and online accounts from potential cyber attacks.
Want to read more like this?
Get the latest news and tips from NordVPN.