Tutor

 • 

11 Messages

Mon, Jun 17, 2019 8:30 PM

Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

I have NOT yet been a victim of a SIM SWAP attack but the ramifications are HUGE.  As I understand it, my phone number can be hijacked to a device in the possession of the hijacker EVEN THOUGH I HAVE THE SIM IN MY PHONE IN MY HAND!   Any 2FA text message authentication, text msgs, phone calls, etc. would then be sent to the hijacker's phone.

 

I wouldn't be able to place phone calls.  Any interactions that I have with businesses, banks, etc. would not be able to verify my identity because I would not be able to phone in using MY phone number.  My banking, etc. would not let me log in because I would not be able to receive the text messages with the login codes that are required, etc., etc.

 

In other words, if my phone is my identity and that identity is controlled by the SIM card in my phone and someone is able to use that SIM information for their own purposes, I am toast!

 

I do NOT understand exactly how anyone could hijack my number (SIM SWAP) unless ATT permitted it.  

 

What mechanisms are in place to prevent this from happening?  Is there some option in my account that I can set which will prevent this??

 

Responses

Accepted Solution

Official Solution

sandblaster

ACE - Expert

 • 

38.1K Messages

a year ago

@GLIMMERMAN76 There are other ways to do it but that normally involves some sort of social engineering to gain account access and then tricking ATT into issuing and activating a new SIM card to an imposter.  The risk of that happening I would think is pretty small but it does happen.  @CoastRanger The way to protect yourself is to protect your account and secure your phone. Also make sure you have an account PIN set. The account PIN is supposed to ensure no ATT store activates a SIM card for anyone that does not provide that PIN.

Award for Community Excellence 2019 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
spoom2

ACE - Master

 • 

7.1K Messages

a year ago

Moving to wireless

This is a user to user help forum. It is not an AT&T support site. I am not an AT&T employee, read the ACE's disclaimer at the bottom of this post

Award for Community Excellence 2019 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
GLIMMERMAN76

ACE - Expert

 • 

19.5K Messages

a year ago

I suggest you read more on it.  They need your phone to do it.  If you lost your phone and did nothing to remote wipe it then I could see this working; it's now harder here in the USA.

 

https://en.m.wikipedia.org/wiki/SIM_swap_scam


Tutor

 • 

11 Messages

a year ago

Thanks. I have had an ATT account for a lot of years (since my first mobile phone, the size of a brick).  The options on the account have changed also.  I had not realized that there was an EXTRA SECURITY PIN number option.  I enabled it yesterday.  Thanks for mentioning it.

Meanwhile I am trying to figure out how to do two factor authentication at the bank without using my mobile phone number when an SMS text is the only option offered.

 

Tutor

 • 

11 Messages

a year ago

Yeah... I have read up on it.  And it DOES happen.  I found the following very interesting article written this week by Matthew Miller, a long-time ZDNet tech writer.   His case demonstrates the problem with using one's phone as the KEY to your digital life.

 

SIM swap horror story: I've lost decades of data and Google won't lift a finger

GLIMMERMAN76

ACE - Expert

 • 

19.5K Messages

a year ago


@CoastRanger wrote:

Yeah... I have read up on it.  And it DOES happen.  I found the following very interesting article written this week by Matthew Miller, a long-time ZDNet tech writer.   His case demonstrates the problem with using one's phone as the KEY to your digital life.

 

SIM swap horror story: I've lost decades of data and Google won't lift a finger


@CoastRanger 

 

I agree it can happen BUT you have to be a target for it to happen.  He is a tech writer and is a target for hackers.  He also stored way too much info in the cloud which I never recommend.  I have 2FA on everything BUT I don't just use Google for my backup email addy and get updates when things are changed.  But yeah I can see how people get the feeling of being secure and they really are not.

joeldf

ACE - Guru

 • 

474 Messages

a year ago

Agree with @GLIMMERMAN76 

 

I don't do anything on the cloud, except an outlook.com email/calendar/contacts/notes account.  Even with that, I keep a local contacts copy just in case.  I also keep an email with my ISP as my backup.  I have a Google account, but not a Gmail address (even though they make it look like you need a Gmail address to use Google, it is possible to not have one).

- Joel

Tutor

 • 

11 Messages

a year ago

I did not know that you could have a Google account without a Gmail address. I do NOT like working in the cloud but I do need to do financial online stuff (not social media) since I travel a lot. I use Yubikey and throw away passwords where possible but not all banks use them. (And losing a KEY would be pretty disastrous and it CAN be appropriated when crossing borders.) It seems like the more precautions I add, the more the vulnerability vectors increase. No good ways to do things here.
lizdance40

ACE - Sage

 • 

75.5K Messages

a year ago

@CoastRanger  Yes, I had a Samsung smartphone before I had a Gmail account. Opened one when my Yahoo got hacked.   I still have stuff floating around attached to the old Google account.

🐾 I don’t work for AT&T or any carrier. Never have, never will. My replies are based on experience and reading content available on the website. If you posted personal information, please edit and remove.

joeldf

ACE - Guru

 • 

474 Messages

a year ago

I had originally set up a Google account right as they went public with Gmail, but they had not yet tried to tie them together. That came later. And for a while, if you had an Android phone, you were forced to have a Gmail address to set up the phone with a Google account. This happened when we bought a Galaxy S2 for my son. I tried to use my account and it flat wouldn't accept it. My wife also had a Google account that wasn't a Gmail address and that didn't work either. The error specifically said it had to be a Gmail address. So my wife created a dummy Gmail and related Google account just to get the phone to finish the initial setup.

 

Luckily, that requirement is no longer enforced. By the time I got my S8, I set up my Gmail-less Google account on it and had no problems.

- Joel
GLIMMERMAN76

ACE - Expert

 • 

19.5K Messages

a year ago


@joeldf wrote:

I had originally set up a Google account right as they went public with Gmail, but they had not yet tried to tie them together. That came later. And for a while, if you had an Android phone, you were forced to have a Gmail address to set up the phone with a Google account. This happened when we bought a Galaxy S2 for my son. I tried to use my account and it flat wouldn't accept it. My wife also had a Google account that wasn't a Gmail address and that didn't work either. The error specifically said it had to be a Gmail address. So my wife created a dummy Gmail and related Google account just to get the phone to finish the initial setup.

 

Luckily, that requirement is no longer enforced. By the time I got my S8, I set up my Gmail-less Google account on it and had no problems.


@joeldf 

 

Me personally I think Google has some of the best protection right now for email accounts IF you use it right.  I have to have my device NOT SIM card device to authorize a login.  I beta tested it for almost 6 months before Google went public with it.  2FA is great if it's device based and NOT SIM based.  Using the device as a key is better as you have said key.
