
Why 'SIM swapping' is a growing security nightmare

It is difficult to ascertain how many mobile phone users have been hit by a SIM swap




San Francisco: When hackers took over the Twitter account of Twitter's chief executive, Jack Dorsey, last week, they used an increasingly common and hard-to-stop technique that could have given them complete access to his digital activities, including social media, email and financial accounts.

Called SIM swapping, it allows hackers to take control of a victim's phone number. In recent months, SIM swapping has been used to hijack the online personas of politicians, celebrities and notables like Dorsey, to steal money all over the world and to simply harass regular people.

Victims, no matter how prominent or technically sophisticated, have been unable to protect themselves, even after they have been hit again and again.

"I've been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I've seen," said Allison Nixon, director of research at security firm Flashpoint. "It requires no skill, and there is literally nothing the average person can do to stop it."

Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.

The number is switched from a tiny plastic SIM card, or subscriber identity module, in the target's phone to a SIM card in another device.

Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.

Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim's phone. Most major online services are willing to send those messages to help users who have lost their passwords.

But the temporary code is sent to the hackers.

Phone companies have been aware of the problem for years, but the only routine solution they have come up with is offering PIN codes that a phone owner must provide in order to switch devices. Even this measure has proved ineffective. Hackers can get the PIN codes by bribing phone company employees.

"It just doesn't seem like the AT&Ts of the world are really doing anything to make it more difficult," said Erin West, a deputy district attorney in California's Santa Clara County who is a member of a law enforcement task force focusing on the problem. "I live in fear that I will get SIM-swapped because it's not that difficult."

No American authorities are keeping statistics on the frequency of the attacks. But West and others who are tracking cases said they have become more frequent over the last year.

"Account takeover fraud is an industrywide problem," said Paula Jacinto, a spokeswoman for T-Mobile. "We use a number of safeguards to help protect against this crime and offer customers a variety of options to help them protect their own information."

It is difficult to ascertain how many mobile phone users have been hit by a SIM swap. But people around the world, from Kenya to Hollywood, have complained about it.

In recent weeks, the most prominent targets have been celebrities like Dorsey, actress Jessica Alba and online personalities like Shane Dawson and Amanda Cerny (her second time). The hackers used the accounts to post offensive messages to millions of followers. They also gained access to private communications.

Matthew Smith, who owns an internet-focused design studio in South Carolina, has been hit by SIM swappers four times - three times this year alone. Hackers had long wanted his Instagram handle, @whale. That made him a target.

Every time the attackers have gained access to his social media and email accounts, Smith's phone provider, T-Mobile, has assured him that it has put additional measures in place to protect his account. While he has managed to get back his social media accounts, he has not regained access to two Google email accounts that held years of communications.

In the most recent incidents this summer, after the attackers got into a new email address, they contacted Smith, his family and his friends to threaten him and his children with information from his accounts.

"It feels sickening," Smith said. "It feels like everything you own, and you thought was safe and yours - that someone is playing with that like it is a toy."

SIM swapping became popular in the hacking community years ago. Attackers were mostly interested in taking control of rare or iconic social media account names, like a Twitter or Instagram account with just one name.

But hackers soon realized they could gain access to more than social media accounts.

In 2016, SIM-swapping gangs started targeting cryptocurrency holders. Unlike traditional bank transactions, once virtual currency is moved to a new address, the transaction cannot be reversed. U.S. bank accounts have been less vulnerable to SIM swapping because banks will generally reverse any criminal transactions.

Security experts are worried that hackers could step up their attacks and use the method to go after even higher value targets. Several Brazilian politicians have recently had their phones and social media applications compromised.

"SIM swapping is proliferating, and it is going to keep proliferating until companies deal with this," Nixon said. "This is a known issue at this point. There is not really any excuse."
