Most people’s social media accounts are hacked because they forget to set up dual-factor authentication or update their passwords every now and then.
But, in the case of Twitter CEO Jack Dorsey, his password and login procedure were up to date. So how did it end up that over Labor Day Weekend, his account was taken over and a string of racist tweets were sent out?
Because Dorsey was the victim of a SIM Swapping scam.
This is not the first time Better Business Bureau Northwest + Pacific has heard about SIM Swapping. In fact, during fall of 2018 I was getting a lot of questions about this rather new twist on account hacking. Fast-forward to now, I felt it was important to underline that if it can happen to the CEO of Twitter, it can certainly happen to the average consumer.
SIM swapping is when a hacker transfers your personal cellphone number onto his/her own device through a process called “porting.”
The scenario often looks like this: Your cellphone carrier gets a call from a hacker pretending to be you. The hacker more than likely already has information on you such as your birthday and mother’s maiden name from a quick search on Facebook, so he’s easily able to decipher and bypass the passwords or security questions asked by your cellphone provider. From there, the hacker tells the carrier he’s lost the phone’s SIM card but has a new one, then asking the carrier to transfer (or port) “his” cellphone number onto a new SIM card.
The issue: it’s your cellphone number he’s porting onto his SIM card.
Once a hacker seizes this, he can use your cellphone number as a master key to all related accounts such as Netflix, Amazon, Instagram and, of course, mobile banking, since our cellphone numbers are associated with almost every facet of our online identity. In the case of Dorsey, hackers got access to his phone number so that all incoming calls, texts or verification codes would be sent to the scammer, not Dorsey. Using Twitter’s “Text to Tweet” feature, they were then able to send out Tweets without actually needing to login to the Twitter app itself.
But consumer, beware. This scam can go much deeper than distasteful Tweets.
Because our phone numbers are associated with many of our online accounts, a successful SIM swapping can wreak havoc on the average consumer or small business owner.
For instance, a hacker with your phone number can then attempt to login to your social media accounts and change everything. Typically, hackers target Instagram users with short, unique usernames. Why? Because if they can take over that account, they can sell your username for bitcoin on the dark web. Short usernames go for $500 to $5,000.
Or, perhaps, the scam artist goes for your banking information. He can login to your mobile banking app and when your bank verifies that it does not recognize this new device, the bank is going to send a one-time verification code to your phone number. But now, your phone number is associated with the hacker’s device, so they get the security code instead. All of a sudden, they have access to all of your accounts. In this example, we can see that hackers are actually able to bypass the two-factor authentication process that banks have set up, making this scam even thornier.
While scammers can target specific people for this scam, it can also be done at random simply based on your number being selected and the hacker’s ability to bypass your carrier’s security features. What’s particularly scary about this scam is that consumers and business owners may not know right away their phone number has been compromised — if you’re waiting on verification codes and they’re not coming through, call your cellphone provider.
The good news is, cellphone carriers are aware of this growing issue and are setting up protocols to better protect consumers.
BBB NW+P recommends these tips:
• Ask your cellphone carrier if they offer a “port validation feature.” T-Mobile, for instance, offers this PIN or code to protect against hackers trying to steal someone’s SIM card on top of the security layers already in place.
• Make sure you already have passwords or security codes set up with your cellphone carrier that are required to access ANY information about your account.
• Don’t use password saving functions or keychains, especially for important accounts (banking).
• Wherever you can, remove your phone number from your online account. If a phone number is required, consider setting up and using a Google Voice number. Google Voice is an internet-based service that allows you to forward your calls to a unique Google number. You can also use this number for all online accounts. Google Voice numbers are not easily hacked.
• If your phone is stolen or lost, call your cellphone carrier immediately to deactivate your SIM card. Have Find My iPhone/Device turned on so that you are able to remotely erase all data.
— Danielle Kane is the Better Business Bureau marketplace manager for Portland. She can be reached at firstname.lastname@example.org.