The recent news that political commentator and author Matt Walsh was the victim of a successful SIM Swap attack got me thinking that it's probably a good idea to post here for those who may not know or understand how these attacks work and what information could be exposed from such an attack.
First, some background on the story. Matt Walsh is a regular content creator and, I believe, a partner in the "Daily Wire". He has been in the news lately and created a lot of buzz with his documentary film "What is a Woman". Last week he was the victim of a SIM Swap attack where the hacker successfully convinced Matt's cell phone carrier to deactivate the SIM card within his phone and transfer it to a new SIM card held by the hacker. This allowed the hacker to gain access to many of Matt's social media accounts and create fake Twitter posts under his account. The hacker also gained access to 20 years' worth of Matt's personal and business email! For more detail, you can check out the story here: https://www.wired.com/story/matt-walsh-twitter-hack-doomed/
Considering that Matt has become the target of multiple high-profile left-wing and trans advocates, it's actually stunning how careless he was in not protecting his privacy and accounts. The ramifications for Matt are actually pretty financially serious. From a social media and political commentator standpoint, his political and media opponents get to celebrate his plight, which does earn them followers, and money indirectly, on social and mainstream media. From a business standpoint, while he was the victim of the attack, it does hurt his marketability to potential advisers, who view the successful attack as a potential risk. Additionally, with the compromise of 20 years' worth of emails, they may perceive that there could be very disparaging emails released in the future, which could harm his brand and any advertisers associated with his brand. It's no different, in my opinion, than how people react when their bank or credit card company is successfully attacked and their personal information is exposed. The business is the victim, but is also blamed for its inability to protect private information. Bottom line: in Matt's case, this is bad business.
Matt Walsh may be the most recent prominent victim, but he is just one of many high-profile victims. In 2019 Twitter's then-CEO was also a victim (Source Link). OK, most of us do not have the notoriety of Matt Walsh or Jack Dorsey, and are probably much less likely to be the target of a SIM Swap attack, but the risk is still real for everyone. The FBI reported that U.S. consumers had losses over $68 Million in 2021 alone. (Source Link) That 2021 number was 5x greater than the total for the previous 3 years.
So, what exactly is a SIM Swap Attack? Basically, the hacker contacts the potential victim's cellular carrier, claims to have damaged or lost his phone/SIM card, and requests to activate a new phone/SIM card. Carriers have procedures in place to verify that the caller is indeed the legitimate account holder. These methods of verification often require the person requesting the change to verify additional personal information about the account, such as their full name, address, mother's maiden name, recent transactions or the amount of recent service bills. The hackers often try to find this less common personal information through online sources, but in many cases they will claim not to recall or remember their account PIN or what they listed as their mother's maiden name. Questions about previous billing statements can often be difficult to answer if the person on the line does not have access to a mobile device to access the internet. So the customer service techs answering these calls are usually simply tricked into NOT following the established security protocols, and then allow the SIM swap to go through.
You would think that this method of breaching a user's security wouldn't be that likely to succeed. After all, the trained customer service professionals probably screen out a lot of attempts, and only a small percentage get through. However, the surprising part is that these types of attacks do seem to be very effective. In August 2020 Princeton University researchers released the results of a study where they created simulated attacks by contacting cell phone carriers and trying to obtain access to accounts using the techniques that thieves use. The sample size was 10 separate attempts across 5 different carriers: AT&T, T-Mobile, Tracfone, US Mobile and Verizon. (Summary Article) and (Source Link) They found that 39 out of the 50 attempts were successful! Yea, like holy fvck that's 78%. For those more interested, you can download and read the actual published paper (HERE), or an easier to read and more to the point 10-page PowerPoint presentation (HERE).
What do attackers want to gain by using a SIM Swap Attack? In Matt's case, the hacker admitted he was bored, and he personally didn't like Matt Walsh. However, most attackers are trying to steal money. If you are a reasonably aware internet user, you probably already use Two-Factor Authentication (also known as 2FA) to further protect your sensitive accounts. My bank has 2FA account access enhanced security, where whenever I attempt to log into my account via the internet, I receive a text message code to my phone, which then must be entered online to access my account. It works, and for the most part 2FA has been pretty effective at stopping online thieves from accessing password-compromised accounts. The recent adoption of 2FA security has forced enterprising thieves to find ways to circumvent the protection. The most effective way to obtain the 2FA text message code is to have the victim's phone in their possession. However, the next best method is to simply have your mobile phone number under their control. So when an attacker steals your mobile number, they can then receive the 2FA code sent by your bank (or other institution), to be used to potentially reset account passwords and unlock accounts. Think about how many accounts may be tied to your mobile number. In Matt's case, they were able to take over his Twitter and email accounts. Once a thief has full access to your email account and changes the passwords and backup email account information, they can potentially access other bank and financial accounts, medical records, business accounts, etc. Once the thief changes important account information so that you can no longer access those accounts, you cannot easily change them back. The very measures that banks and other companies use to protect your account could be the very methods blocking you from taking back your accounts. So if your mobile phone number is stolen, the average person stands to lose tens of thousands of dollars.
What should you do to protect yourself?
Mainly the basics that everyone should already be doing. This list is posted on the FTC's Website (Source Link) with my personal observations and comments.
- Don’t reply to calls, emails, or text messages that request personal information. - Pretty obvious, but still, sometimes the phishing attack could seem really legit, especially when you are distracted. Even verifying a text message with a reply lets the attacker know your number is a valid number.
- Limit the personal information you share online. - I've posted this several times and in several different threads. You should already be using fake names, fake mailing addresses, throwaway email addresses and even virtual or disposable real mobile numbers, whenever possible, with any requestor that doesn't actually NEED the real information to conduct legal business. I do not even use my real name anymore when booking restaurant reservations online. For more than a decade, I have given a fictitious "Mother's Maiden Name". When websites ask for secret questions, I never use obvious answers like "Your best Friend's name" or "Where did you graduate H.S." If those are the only choices, I have a set of fictitious answers already ready to go. Once you get used to it, it becomes second nature.
- Set up a PIN or password on your cellular account. - Some folks do not know about this option, but many carriers have systems in place where SIM cards cannot be swapped while the user has a SIM CARD LOCK or in place. These systems are not foolproof. For example, if an attacker is able to access your mobile phone account online (say, because your account password is compromised and you do not have extra security measures like 2FA turned on), they may be able to turn off these protection features. Verizon specifically requires users to enable what they call Number Lock through their online customer account website or their mobile app. They also require users to create a temporary PIN that is only valid for 7 days, and this PIN is used to allow the current number to be transferred to another account or carrier. Again, if someone can access your Verizon account online, they can generate this PIN and transfer your phone number to another SIM. I assume most other carriers have similar protection features. More info about setting up this feature on Verizon can be found (HERE).
- Consider using stronger authentication on accounts with sensitive personal or financial information. - In light of the growing prevalence of SIM Swap attacks, security professionals are now recommending that users steer away from Text Based 2FA security to authenticator based 2FA. (Source Link). If you do not have an authenticator app like DUO, Bitwarden, Google Authenticator or Authy, you should look into setting one up. For Apple users, Time Based 2FA is now built into iOS 15. (Source Link) For the highest level of account security there are physical keys that plug into the computer's USB port to unlock some accounts. However, for two of my three bank accounts authenticator based 2FA is not an option, and I'm forced to use Text Based 2FA for the time being. Hopefully, this will change as more institutions begin to recognize the vulnerabilities of Text Based 2FA.
Well, good luck keeping your Shit private and protected. If someone steals your MDS account, GOD HELP THEM!
For more info about SIM Swaps, here is a short video that explains it pretty well.
If you are interested in a real life story about a guy who was the victim of a SIM Swap attack where the user wanted to steal his Instagram Screen Name (potentially worth tens of thousands of dollars) and sell it on the dark web, this is an interesting podcast, but you can also read the transcript too. https://darknetdiaries.com/transcript/97/
There was a good story where an attacker used a SIM swap to steal