Can we hack a number?
Since practically everyone now has a cell phone or smartphone and carries it at all times, mobile devices are increasingly used to verify personal identity, especially by online services. To do this, a one-time passcode is sent to the user's cell phone via SMS or voicemail. The user then has to enter the code on a website or in an app to authenticate, possibly as part of multi-factor authentication (MFA) or to restore an account.
This is a user-friendly and supposedly safe method. But the fact that most users have their cell phone numbers linked to bank, email and social media accounts also attracts attackers. Anyone who gains access to someone else's cell phone number via SIM swapping can use it for a number of criminal purposes. The attacker receives all of the victim's SMS messages and calls, and can also send texts or place calls himself, for example to chargeable services abroad.
He is also able to usurp (almost) the victim's entire online presence by hacking accounts for which cellular-based authentication (e.g. Twitter) or password recovery is possible, including, for example, Gmail, Facebook or Instagram. Prominent victims include Twitter co-founder and CEO Jack Dorsey and actress Jessica Alba: their Twitter accounts were hacked via SIM swapping and then used to send offensive posts on the platform.
It becomes expensive if the victim uses the mTAN or smsTAN procedure to approve online transfers, i.e. the bank sends the transaction number to the customer via SMS. If the attacker also has the access data for online banking, he can conveniently empty his victim's account from home. A report from the Central Cybercrime Bavaria office documents that this method is used not only across the pond, but also in this country. In mid-2019, they arrested a trio of criminals who had used SIM swapping to gain access to at least 27 third-party bank accounts and made transfers.
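The cases described above can be turned into a self-audit of your own accounts. The following is an added example, not part of the original article; the field names, factor labels such as "totp" and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SMS = "sms"  # any code delivered to the phone number

@dataclass
class Account:
    name: str
    sms_recovery: bool                 # password reset via code sent to the number
    second_factors: set = field(default_factory=set)  # empty = password only
    recovery_skips_2fa: bool = False   # reset flow logs in without a second factor
    password_exposed: bool = False     # e.g. reported by a leak checker

def sim_swap_exposure(acct: Account) -> str:
    """Classify what a hijacked number is worth against one account."""
    # The weakest enrolled factor decides: SMS next to an app is still SMS.
    sms_passes_2fa = not acct.second_factors or SMS in acct.second_factors
    if acct.sms_recovery and (sms_passes_2fa or acct.recovery_skips_2fa):
        return "number-only"           # reset password, then pass or skip 2FA
    if SMS in acct.second_factors:
        return "number+password"       # mTAN-style: credentials still needed
    return "unaffected"

def audit(accounts):
    """Return (name, exposure, urgent) tuples, most exposed first."""
    order = {"number-only": 0, "number+password": 1, "unaffected": 2}
    rows = []
    for a in accounts:
        level = sim_swap_exposure(a)
        urgent = level == "number-only" or (
            level == "number+password" and a.password_exposed)
        rows.append((a.name, level, urgent))
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed inventory, not real account settings.
INVENTORY = [
    Account("social", sms_recovery=True, second_factors={"sms"}),
    Account("mail", sms_recovery=True, second_factors={"totp", "sms"}),
    Account("mail-app-only", sms_recovery=True, second_factors={"totp"}),
    Account("bank-mtan", sms_recovery=False, second_factors={"sms"},
            password_exposed=True),
    Account("forum", sms_recovery=False),
]

if __name__ == "__main__":
    for name, level, urgent in audit(INVENTORY):
        print(f"{name:14} {level:16} {'FIX NOW' if urgent else ''}")
```

Note that "mail" is as exposed as "social": an authenticator app does not help while SMS remains enrolled as a fallback factor.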
How SIM swapping works
The preferred method for hijacking a cell phone number is SIM swapping, also known as SIM hijacking. SIM swapping is usually done via the customer portal or the customer hotline of the mobile phone provider. There the attacker pretends to be his victim and applies for a new SIM, for example because the mobile phone and SIM card have supposedly been lost or because the SIM format no longer fits the new smartphone. Or he cancels the contract and applies for number portability (number porting) to a new provider.
In both cases, it is of course not enough to just state the mobile phone number; the attacker has to provide additional personal information about the victim, such as date of birth, address or customer password. This is data that he has obtained from social networks (social engineering), received via phishing emails or bought on the darknet. When calling the service center of the mobile phone provider, a little persuasion and more easily accessible data can be enough for the employee to comply with the change request despite the lack of proper identification.
With conventional SIM cards, the attacker then has to obtain the physical SIM, for example by intercepting the letter from the cell phone provider or by providing a different address. This is easier with an eSIM, which the last two smartphone generations from Apple and Google support: here, the eSIM profile is written electronically to the built-in chip.
Has your cell phone number been stolen?
If SMS sending, cell phone calls and mobile data connections are suddenly no longer possible, this can be an indication that the phone number may have changed hands. It is more likely, however, that you are simply in a dead zone or that there is a technical malfunction in the cellular network.
The sign is clearer if you suddenly can no longer access various services or if you notice unusual activity on your accounts. Since many attackers are nocturnal, the problems are often not noticed until the next morning, and by then it is usually too late.
How to protect yourself from SIM swapping
When it comes to protecting against SIM swapping, there are many tips that also help with other scams on the Internet:
- Use an up-to-date operating system with the latest security updates and, where it makes sense, antivirus software.
- Do not use the same password for different online services; give each one its own password that is sufficiently long and complex.
- Enable two-factor authentication in addition to secure passwords.
- Occasionally check whether any of the services you use has had a data breach and your data has fallen into the wrong hands. The Identity Leak Checker from the Hasso Plattner Institute or haveibeenpwned.com provides information on this.
- Beware of phishing emails: reputable companies, especially banks, never ask their customers to reveal personal data via a link in an email.
The mobile network operators have also taken precautions after the first SIM swapping cases in Germany. For example, Telekom has been offering voice identification (voice ID) since the summer of 2018, while Telekom, Vodafone and o2 require a special customer password on the customer hotline. Take advantage of these options.
- Admin rights: No assignment of administrator rights to employees
- Complete and regular documentation of the IT
IT security begins with raising awareness among employees and training them, as well as clear communication of the internal rules of conduct for information security:
- Secure passwords: Complex passwords made up of upper and lower case letters, numbers and special characters, at least eight characters.
- Password theft: Never pass on or write down confidential data.
- Email security: Sign emails, encrypt sensitive data, be careful when opening email attachments and links.
- Social manipulation: Handle confidential information consciously, only pass it on to authorized persons, do not allow yourself to be manipulated or spied on.
- Be careful when surfing the internet: Not every link leads to the desired result.
- Use only the latest software: Software that is not updated leaves more security holes open.
- Use of your own software: Follow company guidelines and never install software of questionable origin.
- Company guidelines: Use only permitted data, software (apps) and applications.
- Regularly save operational data on a network drive and back up data on external data carriers.
- Theft protection: Protect mobile devices and data carriers from loss.
- Device access: Do not pass devices on to third parties, do not leave mobile devices unattended and lock workstation PCs when leaving.
The organizational structures in the background form the necessary framework for IT security. Here it is important to formulate clear rules and to adhere to them:
- Security guidelines: Definition and communication of security guidelines
- Access rights: Regulation of access rights to sensitive data
- Software updates: Automatic and regular distribution of software updates
- Log files: Control of the log files
- Data backup: Outsourcing of data backup
- Security analysis: Regular review of the security measures through internal and external security analyses
- Contingency plan: Creation of a contingency plan for responding to system failures and attacks
A minimum standard must be guaranteed at the technical level. For the most part, this can be implemented without great expense:
- WLAN usage: Documentation of WLAN use, also by guests
- Protection of the internet connection through firewalls
- Biometric factors: Use of access protection / passwords / biometrics
- Access control: Physical security / access control and documentation
- Protection against malware: Protection against malware both on the end device and on the Internet gateway, ideally through two different anti-virus programs
- Web access: Definition of a structured regulation of web access
- Encryption to protect files and messages with sensitive content
- Secure deletion of data when decommissioning
- Update of the security systems: Ensuring regular updates of the security systems
- Permanent monitoring of the network traffic for abnormalities