SIM-Swap is a popular hacking method that exploits the two-factor authentication codes sent via text-based SMS messages and could be used to gain illegal access to Facebook, Twitter, or any other digital platform including banks that use SMS messages for two-factor authentications.
Sadaf Khan, a journalist, and the director of Media Matters for Democracy, during her regular use of Facebook, got a notification via her email that there were unsuccessful attempts made to log into her account from a host in Lahore, Pakistan. Upon closer investigation, she realised that the same host had attempted to log into her account a number of times in the past couple of weeks.
Fearing the worst, she decided to immediately change her password. In line with the global best practice, she had enabled the two-factor authentication on her phone, which meant that Facebook was to send her a ‘password reset code’ on her mobile phone through a text-based SMS, in order to identify it was indeed Sadaf Khan trying to change the password.
However, something strange happened. She expected a text message from ‘sender_ID’ titled ‘Facebook’, instead, she got this:
The password reset key, as expected did not work. She realised in minutes that her account was compromised. Thankfully, owing to meticulous recovery options provided by Facebook, she was able to able to recover her account under 10 mins, but the damage was already done. The time was enough for the hacker to download personal images, messages, videos, and any other personal data including private posts.
Could this be a fluke? Did the hacker just get lucky, or is it an established, proven technique, being used to target Internet accounts in an organised manner?
Abbas, another prolific Internet user residing in Rawalpindi, faced a similar predicament attempting to change his Facebook password. He received similar messages from an unauthentic source, with an incorrect code.
Needless to say, his Facebook account was also compromised. But how did it happen?
These attacks broadly involve intercepting the password reset codes sent via text-based SMS messages. It is much easier to intercept and read SMS messages because of their un-encrypted nature. SIM-Swap attacks operate with the same basic principle and are known to be highly effective. A testament of their effectiveness is the hacking incident where Jack Dorsey himself, the founder of Twitter, lost access to his Twitter account through a similar attack.
Although, in a classic SIM-Swap attack, the attacker tricks the mobile phone companies into issuing a duplicate SIM card of the victim, thereby having full access to his/her mobile communications, including the SMS messages. The attacker then proceeds to initiate the ‘password reset’ process of his/her desired platform (Facebook, Twitter, or even a bank account) and uses the password reset code sent to the victim’s number, which is now effectively in the possession of the attacker himself. However, a broad category of attacks based on the manipulation or the interception of password reset codes through text-based SMS messages could also be referred to as the ‘SIM-Swap attacks’ for the ease of understanding. They, albeit, require a slightly more sophisticated approach, which may or may not include interception of SMS messages or even a back-door app installed on victim’s phone allowing the attacker access to victim’s SMS messages.
How to protect yourself against ‘SIM-Swap’ or similar attacks?
Thankfully, protection is easy, and no, it doesn’t involve de-activating the two-factor authentication as believed by many. Here are a few pointers that can help you avoid these attacks:
Use 3rd party encrypted authenticators: Facebook and many other platforms allow for a 3rd party authenticator service to safely (through encryption) send password reset codes to the users, without compromising on the security. One such service is Google Authenticator. You can enable Google Authenticator on various platforms including Facebook, and receive the password reset codes through in-app communication which is both encrypted, and safe. Click here if you wish to know more about using Google Authenticator with Facebook.
Use three-factor authentication for bank transactions: Most banks allow for three-factor authentication, wherein password reset codes, or a code to approve specific activities such as online payments, are sent to both, the email addresses and the mobile phone through SMS messages.
Keep an eye out for strange characters and sender identity: password reset codes are only sent through official means of communications, often with a sender identify titled ‘Google’, or ‘Facebook’, or depending on the service you are using. Any message coming through a private phone number should raise red-flags.
Never install apps with doubtful sources: a simple
What to do if your account is hacked?
For starters, don’t panic! Most online platforms, including Facebook, have meticulous measures in place to allow users to recover their accounts. It is, thus, rare for an attacker to maintain the possession of your account if you have taken even the most basic of steps to ensure a safe recovery. Here’s what you need to remember while recovering your account:
It can be hacked again: Move quickly, and change your two-factor authentication method from SMS to either Google Authenticator, or temporarily to a safe email address. Change the password immediately after, and review the recovery options just to be sure.
Assess the damage: Most platforms, after a successful recovery, let’s you automatically delete any content (text, pictures, videos) that might have been posted on your timeline by the attacker. Make sure you document any such activity if you see it.
Report to the authorities: Your account could have become an accessory to a cybercrime. It is always important to report this activity to the FIA’s cybercrimes division. Click here to report.
Let us know if you need help: You can always send us an email to firstname.lastname@example.org should you have any questions, or need our help.
Asad Baig is an Islamabad-based journalist. He is the founder and the executive director of Media Matters for Democracy, Pakistan’s leading media development organisation. He’s also the CEO of the Media Lab, country’s first and only incubator and accelerator for digital media startups. He tweets at @asadbeyg.