Latest news with #SIMswapping
Yahoo
09-07-2025
- Yahoo
How to protect your cell phone number from SIM swap attacks
It's 2025, and cell phone numbers are ubiquitous. We use our phone numbers to sign up for websites and online services, from retail and banking to social media and health providers. You can use your phone number to reset a forgotten password, and even for receiving two-factor authentication codes for securely logging in to your accounts.

But if someone can steal your phone number, they can effectively become you. With your phone number, a hacker can start gaining access to your online accounts, and even trick automated systems into thinking they are you when calling customer service. An employee's hijacked phone number can sometimes be used to access a company's network as if the hacker were that employee, allowing access to sensitive files and data.

This is all the more reason to proactively protect your phone number from SIM swapping, a type of cyberattack that involves a hacker hijacking a victim's phone number. The good news is that it's easier than it's ever been to lock down your number.

SIM swapping attacks usually happen when a malicious hacker calls up a cell carrier impersonating a specific customer. This hacker would use information they found online, such as a customer's name and date of birth, and then ask a customer support representative to transfer or 'port out' that number to a different SIM card or carrier. As soon as that process completes, the person's phone number will activate on a SIM card or phone controlled by the hacker, allowing them to make calls and send and receive text messages as if they were the person they just hacked. Oftentimes, the only sign that this has happened is if the victim suddenly loses cell service for seemingly no reason.

SIM swap attacks exploit a weakness in the security controls within a cell provider's internal systems that let support representatives make changes to customer accounts without necessarily getting the customer's express permission.

To combat these kinds of impersonation and deception tactics, known as social engineering attacks, three major phone carriers in the United States — AT&T, T-Mobile and Verizon — have introduced security features that make it more difficult for malicious hackers to deceptively get a customer's account changed, such as porting out their phone number. Take a minute or two to check your phone carrier's account; these features are often not publicized very well and may not be enabled by default.

In July, AT&T introduced its free Wireless Account Lock security feature to help prevent SIM swaps. The feature allows AT&T customers to add extra account protection by toggling on a setting that prevents anyone from moving a SIM card or phone number to another device or account. The feature can be switched on via AT&T's app or through its online account portal by anyone who manages the account, so make sure that account is protected with a unique password and multi-factor authentication.

T-Mobile allows customers to prevent SIM swaps and block unauthorized number port outs for free through their T-Mobile online account. The primary account holder will have to log in to change the setting, such as switching it on or off.

Verizon has two security features called SIM Protection and Number Lock, which respectively prevent SIM swaps and phone number transfers. Both of these features can be turned on via the Verizon app and through the online account portal by an account's owner or manager. Verizon says that switching off the feature may result in a 15-minute delay before any transactions can be performed — another safeguard to allow the legitimate account holder to reverse any account changes.


TechCrunch
09-07-2025
- TechCrunch
How to protect your cell phone number from SIM swap attacks


The Verge
01-07-2025
- The Verge
AT&T now lets you lock down your account to prevent SIM swapping attacks
AT&T is launching a new Account Lock feature that's designed to protect wireless users against SIM swapping attacks. The feature, which you can enable from the myAT&T app, prevents unauthorized changes to your account, like phone number transfers, SIM card changes, and updates to billing information.

SIM swapping attacks have become increasingly common in recent years. They occur when a bad actor gets ahold of a victim's phone number, sometimes with social engineering techniques such as impersonating a victim and asking their carrier for a SIM change, and then intercepts messages and phone calls meant for the victim. This can let an attacker receive two-factor authentication codes that they can use to break into sensitive accounts.

Other carriers, including T-Mobile, Verizon, and Google Fi, already have similar features to protect against this type of fraud. AT&T began gradually rolling out Account Lock earlier this year.

As noted by AT&T, its new Account Lock feature also blocks device upgrades, along with changes to authorized users and phone numbers. You can turn Account Lock on or off at any time by opening the myAT&T app, selecting Services > Mobile Security > Wireless Account Lock, and selecting which accounts you want to lock or unlock. AT&T will then send the primary account holder an email notifying them of the change, while every active number on the account will receive a text. Only users with primary and secondary access to an AT&T account can use Account Lock.


The Sun
28-06-2025
- The Sun
Words you must never type on social media over devastating 'sim swap' phone attack that can breach ALL accounts
THERE are some details you just cannot share on social media - or you could be putting yourself at risk of a devastating "SIM swap" attack, experts have warned.

In the wake of the M&S cyberattack in April, where SIM swapping is believed to have played a role, consumers have been warned that the breed of attack could also wreak havoc on their own personal lives.

SIM swapping is a form of fraud that is swiftly on the rise, according to a report published in The Conversation last month, co-authored by computer science professor Alan Woodward and secure systems lecturer Daniel Gardham, both of the University of Surrey. Attacks rose by a whopping 1,055 per cent in 2024, according to the National Fraud Database. It has also allegedly been used in the hacking of former Twitter CEO Jack Dorsey in 2019.

"Our mobile phone numbers have become a de facto form of identification, but they can be hijacked for nefarious purposes," the pair wrote.

People typically have the same phone number for years - even after changing phones, losing their device, or having it stolen.

"When a user buys a new phone, or just a new sim card for a spare device they might have, they might call their service provider to transfer their longstanding mobile number to the new sim card," experts explained.

"The problem is that the service provider doesn't know if it is really them calling to transfer the number.

"Hence, they launch into a series of questions to make sure they are who they say they are."

These security questions are used for all kinds of accounts, and often ask for the same information. For example, "what is your mother's maiden name?", or "...the name of your first pet?"

But if someone else can know the answers to those questions after stalking your social media, it leaves you at risk of not only SIM swap fraud but other forms of hacking.

"The rise of social media has made it easier than ever for scammers to piece together what was once considered private information," experts wrote.

"Suddenly, someone else can make and receive calls and SMS messages using your number."

That means hackers can make calls at your expense. But it's not just your phone number that can be stolen. SIM swapping can be used to breach all your other accounts through the theft of two-factor authentication (2FA) codes.

Security experts recommend all consumers have the 2FA tool switched on with all their accounts. Instead of just relying on a password, 2FA adds a second factor - like a code from your phone or biometric data like your fingerprint or face ID.

Woodward and Gardham added: "Remember when you created your email, bank account or even online grocery shopping account and you were encouraged to set up two-factor authentication (2FA)?

"You listened, but the system set your 'second factor' as your mobile phone number.

"You input your username and password, and it asks for a time-limited code that it sends to you as an SMS message."

Now, if you have been a victim of SIM swapping - the hackers will receive your security codes instead of you. This could potentially grant them access to all sorts of accounts, from your social media to your banking app.

It's important to note that even with the risks of SIM swapping, 2FA should still be enabled on all your accounts. In addition to it, however, experts are encouraging the use of passkeys - a passwordless login method that is supposed to be more secure.

"Efforts to improve login security have led to the rise of what are known as passkeys," Woodward and Gardham explained.

"Which are long sequence of random digits called cryptographic keys that are stored on your device, such as a smartphone or computer."

Passkeys are used to log into your online account only when you unlock your phone through your PIN code, fingerprint or face ID.

WHAT ARE PASSKEYS?

Passkeys are the newer, safer passwords, according to tech companies and security experts. They allow you to log into your accounts using biometrics like your fingerprint or face scan. You can even use your phone's passcode.

To sign into a website or app on your phone, all you need to do is unlock your phone. This also works for websites on PCs and laptops. If you're trying to sign into a website on your computer, you just need your phone nearby. You will be prompted to unlock your phone when trying to log into an account on your computer, which will then grant you access on the PC.

By using unique credentials tied to your phone or other devices, you make your accounts more resistant to phishing and other password-based attacks.


WIRED
09-06-2025
- WIRED
A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account
Jun 9, 2025 10:00 AM

Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests. The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to people's personal information.

This article was created in partnership with 404 Media, a journalist-owned publication covering how technology impacts humans.

'I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,' the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.

In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.

'Essentially, it's bruting the number,' brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number. Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said.

In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write-up, brutecat then barrages Google with guesses of the phone number until getting a hit. 'The victim isn't notified at all :)' a caption in the video reads.

A Google spokesperson told 404 Media in a statement: 'This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.'

Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.

Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim's valuable accounts. This could include accounts that store cryptocurrency, or even more damaging, their email, which in turn could grant access to many other accounts.

On its website, the FBI recommends people do not publicly advertise their phone number for this reason. 'Protect your personal and financial information. Don't advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,' the site reads.

In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat's write-up.