A spate of hacked[1] Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring[2]. They all have roots in an old problem that has lately found new urgency: SIM card swaps[3], a scam in which hackers steal your mobile identity—and use it to upend your life[4].
At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication[5] checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.
'In most of the cases that we’ve seen, a sufficiently determined attacker can just take over someone’s online footprint.'
Allison Nixon, Flashpoint
SIM attacks appear to be behind a recent string of Instagram takeovers, as well as the very unfortunate, not great time a hacker posted[6] Justin Bieber nudes from Selena Gomez’s account last year. But they can impact other corners of your life as well. A cryptocurrency investor this week claimed that a SIM swap resulted in the theft of $23.8 million-worth of tokens; he’s suing[7] his carrier, AT&T, for 10 times that amount. And Motherboard recently documented a number of incidents[8] in which SIM hijackers drained thousands of dollars out of people’s checking accounts.
A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon,