“SIM swapping is a big deal, especially if you’re also actively involved in the cryptocurrency community—a great way for an attacker to make a little cash and mess up your life.” Lifehacker
SIM swapping involves a hacker duping your cell provider (e.g., AT&T, Verizon, T-Mobile. etc. )into believing that you’re activating your SIM card on another device. In other words, they’re stealing your phone number and associating it with their SIM card.
If your SIM card has been activated on a new device, this could be signs that a scammer has pulled a SIM card swap to hijack your cell phone number.
How do scammers pull off a SIM card swap like this?
They may call your cell phone service provider and say your phone was lost or damaged, according to the Federal Trade Commission. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone — a phone they own. If your provider believes the bogus story and activates the new SIM card, the scammer — not you — will get all your text messages, calls, and data on the new phone.
The scammer — who now has control of your number — could open new cellular accounts in your name or buy new phones using your information.
How to prevent a SIM swap scam—and what to do if you get duped https://t.co/vpVfQARo3M pic.twitter.com/DVhttXlFCh
— Lifehacker (@lifehacker) June 19, 2019
It’s a lot easier to set up defenses against a SIM swap attack right now than it is to deal with the fallout from one—one is a minor annoyance, the other will consume your week (or more).
Protect your accounts
Many digital accounts have settings that can help you take back your accounts if they’re ever stolen—but they need to be properly set up before the account is stolen in order to be of any help, acknowledges Lifehacker. These can include:
- Creating a PIN number that is required for logins and password changes. This is especially important to set up with your cellular carrier, as it’s a great defense against SIM hijacking.
- A suitable two-factor security method that relies on a physical device, like Google Authenticator or Authy, rather than SMS-based verification for logins. You can also spring for a hardware token to protect your accounts if you want to get really fancy.
- Strong answers security recovery questions that aren’t tied to your personal information.
- Unlinking your smartphone phone number from your accounts, where possible. (You could always use a free Google Voice number if you’re required to have one for your sensitive accounts.)
- Using long, randomized, and unique passwords for each account.
- Use an encrypted password manager.
- Don’t use your favorite services (Google, Facebook, et cetera) to sign in to other services; all an attacker needs is to break into one to have access to a lot more of your digital life.
You should also make note of important account-related information that could be used to identify you as the rightful account holder, such as:
- The month and year you created the account
- Previous screen names on the account
- Physical addresses associated with the account
- Credit card numbers that have been used with the accounts or bank statements that can confirm you were the one who made purchases
- Content created by the accounts, such as character names, if the account is for an online video game
- Similarly, keeping a list of all your critical accounts will make reacting to a SIM swaps or similar ID theft easier,
References: