In recent years, mobile phone verification has been added as an extra measure to keep our online presence more secure. Sometimes even the strongest password isn’t quite enough, so it is simply wiser to add that extra layer of protection to your accounts. This second factor of verification most often consists of receiving a text message on your mobile phone. For example, when resetting a password, you receive a code on your smartphone, which verifies your identity. However, a way around this safety feature has been found: someone who gains control of your mobile phone number and an email account can gather an array of information and take over various other accounts.
This is what happened to Michael Terpin. What looked like a random loss of cell phone signal turned out to be a cyber attack that cost him cryptocurrency with an estimated value of $24 million. While he was at his home in Las Vegas, a hacker in Connecticut, who had previously obtained his phone number, used Google’s “forgot password” account reset feature to make his way into Mr Terpin’s digital wallet. The procedure the attacker employed is called SIM swapping.
This approach was first used back in 2013 by online gamers to steal prestigious Twitter and Instagram accounts. The technique has developed further over the years, and today these kinds of targeted cyber attacks are fast, efficient, and can be very damaging.
In order to obtain your phone number, the perpetrators pretend to be you. There are various ways of doing this: bribing the carrier’s employees, or gathering enough personal information to persuade the carrier to move your number to a new phone. After breaking into their victims’ email, the attackers go through older messages, mostly looking for evidence of cryptocurrency or bank accounts as well as social media. Sometimes they are looking for incriminating information they can later use for blackmail and extortion. This is why some victims of these intrusions never pursue the matter further: they feel exposed because very personal information could become public.
Another step in the SIM swapping process is locking you out of your Google account. A carrier can restore your service in about an hour. However, by that time the hackers will have changed your security settings so that the account can no longer be reset via text message. To achieve this they switch the account’s second factor to Authenticator, an app built by Google, enrolled on their own device, which can keep you out of Gmail even after you reclaim your phone number. The process is actually very simple but, as we have seen, potentially extremely harmful. Members of the Regional Enforcement Allied Computer Team state that they are aware of at least 3000 victims, accounting for $70 million in losses.
Security researchers believe that for most users a second factor of verification is an effective defense; however, Google suggests that a third of targeted attacks remain effective against its users.
For their part, phone carriers are working on flagging warning signs of fraudulent number transfers and are getting better at it. Still, there are other ways you can make your accounts more secure against these kinds of attacks.
Ways to protect yourself
It is important to be familiar with the different ways your passwords can be recovered in order to keep your information safer. Here are some steps you can take:
- Add a passcode to your mobile phone account by calling your carrier, and keep it somewhere safe.
- Make sure you are using different passwords for different accounts.
- Explore how the “Forgot my password” option works on different accounts that you use. Be sure to lock down the most important ones first, such as bank accounts.
- Add a two-factor code from the Cycrest two-factor system.