In a SIM swap scam, a conniving hacker obtains your phone number and then calls your wireless carrier, pretending to be you and claiming to have lost the phone’s SIM card. “Can you please redirect my phone number to another SIM card?” the hacker might beseech. The customer service representative then compliantly redirects the phone number to the hacker’s SIM card, entirely unaware of the scam.
Because many online services use phone number authentication, a hacker who has swapped a SIM card (and who has also pinched your email address) could go to a site pretending to be you, click on “forgot password”, have a text message verification sent to the hacked SIM, and voila! Access to the site is granted. This is where the nightmare begins.
These days, phone numbers are connected to Amazon, Netflix, Hulu, Instagram, eBay, PayPal and bank accounts, and can be leveraged to reset the corresponding passwords, providing hackers with unlimited access to your platforms (and potentially, your wallet).
Krebs on Security perfectly articulates the question forming in the back of my mind, “How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience?”
The answer remains elusive, but one thing is clear: phone numbers have become identity documents, and like government-issued identity verification documents (think passport and social security card), we must protect them.
For tips on what you can do to secure your phone number, check out this article from Motherboard.