Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

I have NOT yet been a victim of a SIM SWAP attack but the ramifications are HUGE.  As I understand it, my phone number can be hijacked to a device in the possession of the hijacker EVEN THOUGH I HAVE THE SIM IN MY PHONE IN MY HAND!   Any 2FA text message authentication, text msgs, phone calls, etc. would then be sent to the hijacker's phone.

 

I wouldn't be able to place phone calls.  Any interactions that I have with businesses, banks, etc. would not be able to verify my identity because I would not be able to phone in using MY phone number.  My banking, etc. would not let me log in because I would not be able to receive the text messages with the login codes that are required, etc. etc.

 

In other words, if my phone is my identity and that identity is controlled by the SIM card in my phone and someone is able to use that SIM information for their own purposes, I am toast!

 

I do NOT understand exactly how anyone could hijack my number (SIM SWAP) unless ATT permitted it.  

 

What mechanisms are in place to prevent this from happening?  Is there some option in my account that I can set which will prevent this??

 

Message 1 of 12
ACE - Master

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

Moving to wireless

Award for Community Excellence 2019 Achiever*
*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
Message 2 of 12
ACE - Expert

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

I suggest you read more on it.  They need your phone to do it.  If you lost your phone and did nothing to remote wipe it then I could see this working; it's now harder here in the USA.

 

https://en.m.wikipedia.org/wiki/SIM_swap_scam

Message 3 of 12
ACE - Expert
Solution
Accepted by topic author
Accepted by CoastRanger
06-18-2019 10:20 AM

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

@GLIMMERMAN76 There are other ways to do it but that normally involves some sort of social engineering to gain account access and then tricking ATT into issuing and activating a new SIM card to an imposter.  The risk of that happening I would think is pretty small but it does happen.  @CoastRanger The way to protect yourself is to protect your account and secure your phone. Also make sure you have an account pin set. The account pin is supposed to ensure no ATT store activates a SIM card for anyone that does not provide that pin.

Message 4 of 12

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

Thanks. I have had an ATT account for a lot of years (since my first mobile phone, the size of a brick).  The options on the account have changed also.  I had not realized that there was an EXTRA SECURITY pin number option.  I enabled it yesterday.  Thanks for mentioning it.

Meanwhile I am trying to figure out how to do two factor authentication at the bank without using my mobile phone number when an SMS text is the only option offered.

 

Message 5 of 12

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

Yeah... I have read up on it.  And it DOES happen.  I found the following very interesting article written this week by Matthew Miller, a long-time ZDNet tech writer.   His case demonstrates the problem with using one's phone as the KEY to your digital life.

 

SIM swap horror story: I've lost decades of data and Google won't lift a finger

Message 6 of 12
ACE - Expert

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)


@CoastRanger wrote:

Yeah... I have read up on it.  And it DOES happen.  I found the following very interesting article written this week by Matthew Miller, a long-time ZDNet tech writer.   His case demonstrates the problem with using one's phone as the KEY to your digital life.

 

SIM swap horror story: I've lost decades of data and Google won't lift a finger


@CoastRanger 

 

I agree it can happen BUT you have to be a target for it to happen.  He is a tech writer and is a target for hackers.  He also stored way too much info in the cloud which I never recommend.  I have 2FA on everything BUT I don't just use Google for my backup email addy and get updates when things are changed.  But yeah I can see how people get the feeling of being secure and they really are not.

Message 7 of 12
ACE - Guru

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

Agree with @GLIMMERMAN76 

 

I don't do anything on the cloud, except an outlook.com email/calendar/contacts/notes account.  Even with that, I keep a local contacts copy just in case.  I also keep an email with my ISP as my backup.  I have a Google account, but not a Gmail address (even though they make it look like you need a Gmail address to use Google, it is possible to not have one).

Message 8 of 12

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

I did not know that you could have a Google account without a Gmail address. I do NOT like working in the cloud but I do need to do financial online stuff (not social media) since I travel a lot. I use Yubikey and throw away passwords where possible but not all banks use them. (And losing a KEY would be pretty disastrous and it CAN be appropriated when crossing borders.) It seems like the more precautions I add, the more the vulnerability vectors increase. No good ways to do things here.
Message 9 of 12
ACE - Sage

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

@CoastRanger  Yes, I had a Samsung smartphone before I had a Gmail account. Opened one when my Yahoo got hacked.   I still have stuff floating around attached to the old Google account.

(The following is included after all posts to save typing) I don’t work for AT&T. My replies are based on experience and reading content available on the website. Our answers are honest, but not always appreciated. If you posted personal information, please edit and remove.
Message 10 of 12
ACE - Guru

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)

I had originally set up a Google account right as they went public with Gmail, but they had not yet tried to tie them together. That came later. And for a while, if you had an Android phone, you were forced to have a Gmail address to set up the phone with a Google account. This happened when we bought a Galaxy S2 for my son. I tried to use my account and it flat wouldn't accept it. My wife also had a Google account that wasn't a Gmail address and that didn't work either. The error specifically said it had to be a Gmail address. So my wife created a dummy Gmail and related Google account just to get the phone to finish the initial setup.

 

Luckily, that requirement is no longer enforced. By the time I got my S8, I set up my Gmail-less Google account on it and had no problems.

Message 11 of 12
ACE - Expert

Re: Protection against unauthorized SIM SWAPPING (Sim Swap Attack)


@joeldf wrote:

I had originally set up a Google account right as they went public with Gmail, but they had not yet tried to tie them together. That came later. And for a while, if you had an Android phone, you were forced to have a Gmail address to set up the phone with a Google account. This happened when we bought a Galaxy S2 for my son. I tried to use my account and it flat wouldn't accept it. My wife also had a Google account that wasn't a Gmail address and that didn't work either. The error specifically said it had to be a Gmail address. So my wife created a dummy Gmail and related Google account just to get the phone to finish the initial setup.

 

Luckily, that requirement is no longer enforced. By the time I got my S8, I set up my Gmail-less Google account on it and had no problems.


@joeldf 

 

Me personally, I think Google has some of the best protection right now for email accounts IF you use it right.  I have to have my device, NOT SIM card device, to authorize a login.  I beta tested it for almost 6 months before Google went public with it.  2FA is great if it's device-based and NOT SIM-based.  Using the device as a key is better as you have said key.

Message 12 of 12