Learn more about the SIM card swap scam which is one of the most popular attack vectors for X account hijacking.

SIM swap scam

Recently, many influential social media accounts have been taken over and used for scamming their followers.

These include:

  • Compound Finance

Compound Finance X account compromised

  • Manifold

Manifold X account compromised

  • Tellor

Tellor X account compromised

  • Code4rena

Code4rena X account compromised

Some of these projects take security very seriously, and yet they still prove vulnerable. Recently, it has become clear that even very powerful institutions can be victims of such an attack because of their glaring oversight.

SEC X account compromised

This reminds us that everyone needs to be very careful. One is only as secure as their weakest point. Learn about scammers' methods and how to defend yourself against them.

What’s a sim swap?

A SIM swap is nothing more than taking control of another SIM card by assigning its data to a new SIM card that can be used with a new mobile device. This may be a legal procedure that helps recover the phone number in the event of a damaged or lost SIM card.

However, it can also be an attack vector that criminals like to use. It allows them to come into possession of victims' phone numbers. Take control over incoming messages (including 2FA codes) and get unauthorized access to victims' account.

How does a SIM swap hack work?

To perform a sim swap and possess someone's number, the simplest and most frequently used paths are bribery and social engineering.

Criminals are bribing the employee from a mobile phone service provider to assign a selected number to a new sim card. Employees often do not have special security training and when an unethical offer is made to them that significantly exceeds their earnings, it can be tempting for them. Especially since they are often unaware of how big a mistake they are making and what its consequences may be.

The second method used is social engineering. It might be difficult to refuse a person who pretends to be the owner of the number and provides facts that seem to confirm it. They can use any emotional trick for this purpose. Claim that the card was lost along with the phone while on vacation, got stuck, and can only talk for a while because their friend's phone is about to run out of power. Such scammers can be really convincing, see for yourself.

Take a look at this short video where other security specialists during DEFCON show how effective a simple phone call can be:

One can think that it's just a video and that it doesn't work like that in real life. Or that even if it was true in this video, it was just a coincidence and anyone else would have realized that something was wrong.

However, it’s not the case.

SIM SWAP STUDY

In 2020, a group of researchers examined five U.S. carriers—AT&T, T-Mobile, Tracfone,

US Mobile, and Verizon Wireless, all five of them were vulnerable (“An Empirical Study of Wireless Carrier Authentication for SIM Swaps”, Lee et al.). Out of 50 attempts, 39 of them were successful and allowed the number to be taken over.

SIM SWAP study attempts

Mobile phone service providers were using methods that do not work well and are easy to bypass by professionals.

SIM SWAP study attempts

Fortunately, the research results made some noise and some providers started to be more aware of the problem and take the matter seriously.

It is fascinating research, and highly recommended for those who are more curious.

How do some mobile service providers mitigate sim swapping risk?

There are already security measures in place that help mitigate the risk. Unfortunately, it depends very much on the country and the specific provider. The security measures used vary and do not provide the same sense of security.

However, look at a few options of what is possible so you know what to expect:

  • More sophisticated challenges are those that are difficult to guess or find when collecting information and those that the attacker has no influence on and cannot manipulate. For example, more mobile providers started using PIN numbers and passwords to authorize assigning numbers to a new SIM card operation.
  • A mandatory cool-down period before swapping card information is sent to the owner of the phone number, an e-mail informing him that such a process has been started and, for example, in a week SIM will be changed so that he has time to react.
  • Alerts for failed attempts. The provider can notify the victim after a failed challenge and increase their distrust.
  • Identity confirmation. The requirement is to appear in person and go through all security procedures.
  • Security awareness training for employees. In the era of online courses, training has become much cheaper and awareness of the threat has increased. Mobile providers started conducting such training for their employees so it's harder to trick them and there are already special procedures in place that they must follow.
  • Minimize data available for the client support. There is no need for employees to access customer information before authentication.

How can I prevent the sim swap?

Simply obtaining the number allows the threat actor to impersonate the owner. Sim swapping poses the greatest threat when it is used as an authentication method. A threat actor who took control of the phone number might be able to authorize its owner’s operations to access the account and sometimes even completely take it over the.

The most important security measures against sim swap attacks you can take are the following:

  • Do not use a mobile number as 2FA (two factor authentication). Instead, choose a physical device (like Yubico) or a mobile app (like Authenticator).
  • Call your mobile carrier and ask what protections they put in place. Ask, if it is possible to determine your preferred method.
  • Do not expose your mobile number. If possible, do not connect it to your account in the application at all.

A detailed list of how to take care of this on X has been published by the security alliance and we strongly recommend EVERYONE go through it.

Ignoring that not only endangers the mobile phone owner but also all people around. Friends, family, and other users may be exploited by the trust built on the victim's account.

Want to increase the security of your organization?

The SIM swap fraud is not the only one to protect against. Read the next article about other methods of taking over an X account and how to prevent it.

Let's engage in a conversation about security. Share details about your current security strategies and measures. This will enable us to provide professional advice on potential enhancements and additional actions that could be beneficial for your security framework.

  • Ready to increase your security? Say HI to us!

Composable Security 🇵🇱⛓️ is a small team with a holistic approach that goes beyond the code. A combination of expertize in Solidity smart contract security and experience gained through 6+ years securing global fintechs and Polish banks help comprehensively take care of DApp security. Learn more about us.

Creators of the Smart Contract Security Verification Standard and the first Security Guide for DApps CTOs, Lead Developers, and Security Enthusiasts.

Paweł Kuryłowicz

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

About the author

Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.

View all posts (12)