What is a SIM Swap Attack?
A SIM Swap Attack (SSA) is a form of identity theft and fraud in which a malicious actor assumes ownership of the SIM card of a victim’s phone. While it is typically a social-engineering attack, carried out by impersonating the victim in a call to the phone company and requesting that the data be moved onto a new, attacker-controlled card, a SIM Swap can also be performed as a physical attack, where the victim’s SIM card is physically stolen, either temporarily or permanently.
Why is SSA So Harmful?
SIM Swapping is an extremely potent attack because modern security infrastructure relies on the SIM card as a form of identity verification. Aside from strong and unique passwords and good security hygiene, the best form of account security at this time is Multi-Factor Authentication (MFA), sometimes also known as “2 Factor Authentication (2FA).” MFA requests a “One Time Password” (OTP) after a successful login attempt against the account to double-check that the user is authorized. This OTP can come via many methods:
- Application-Based OTP
  - This is an application installed on the user’s computer or (more likely) cellphone which holds registered accounts (accounts signed up for MFA with it) and generates a new code every thirty seconds for each account.
  - Pros:
    - Short life of the OTP creates a high level of security.
    - Codes can be accessed without an internet connection.
    - Convenient to access.
  - Cons:
    - Device dependent; complex challenges if the device is lost or stolen.
    - Initial setup and linking of the application to various accounts.
- Hardware-Based OTP
  - Very similar to Application-Based, but instead of a software application holding the codes, this is a physical device which the user can carry on their person.
  - Pros:
    - Extremely secure and resistant to most forms of attack.
    - Codes can be accessed without an internet connection.
  - Cons:
    - Cost of hardware.
    - Device dependent; extremely complex challenges if the device is lost or stolen.
    - Some hardware can be bulky to carry around.
- SMS-Based OTP
  - When signing into an account, the service sends a text message or phone call to the phone number registered on the user’s account, providing an ad hoc OTP with a short-lived validity.
  - Pros:
    - Easy setup.
    - Ubiquitous.
  - Cons:
    - Most vulnerable to SIM Swap Attacks.
    - Reliance on cell providers and uninterrupted service delivery.
- Email-Based OTP
  - Same as SMS-Based, but via the email registered on the user’s account.
  - Pros:
    - Easy setup.
  - Cons:
    - Most vulnerable to Email Compromise Attacks.
    - Reliance on ISP and email providers’ uninterrupted service delivery.
    - If email is compromised, puts the most power directly into the attacker’s hands.
When an SSA occurs and the attacker successfully migrates the mobile identity of the victim onto a new device, the most significant challenge is the attacker’s ability to bypass nearly all of these additional security checks. The attacker can open the victim’s Google or Apple account on the new device, installing all apps in the victim’s Play Store/Apple Store library, gaining access not only to the destination of SMS- and Email-Based MFA checks, but also to the application which holds codes for the Application-Based MFA checks.
The new device will likely require passwords for initial access to the emails and applications, but even if the password is not known by the attacker, access to receive incoming text messages for the registered number is often all that is required to do a password reset on any given account.
Once full compromise is achieved, the attacker can then choose to do a number of things, including but not limited to:
- Excommunication: locking the victim out of services.
- Impersonation: making financial transactions or defaming the victim.
- Cloning: forwarding all communications (text, phone, email, social media) to another device.
How To Recover from SSA?
Preparation
Assuming that the victim has not been excommunicated by the attacker, there are a variety of steps to take to recover accounts and harden against future attacks. It is important that these steps are taken within a very short time-frame, as the attacker may use lingering access to retake possession of assets which he/she has lost.
- Create a list, on paper, of all assets; this paper should be guarded absolutely in a secure location. Do not assume that assets you personally access from your phone are the only accounts at risk; plan to reset everything. This list should be prioritized into Critical, Important, and Non-Important.
  - Examples of Critical Accounts: email, messaging, banking, investment, VPN, work, home utilities, any other account that charges your credit card or withdraws from/deposits into your bank.
  - Examples of Important Accounts: social media, entertainment services, non-email-connected storage, non-email-connected calendars.
  - Examples of Non-Important Accounts: gaming, general websites which are insignificant but still require login, anything you log into and receive/transmit information on which does not fall into Important/Critical.
For the victim’s specific circumstances, these examples may fit into other categories than suggested; for example, a hardcore gamer may consider their gaming account to be critical infrastructure, while a street person may consider their banking account to be important or non-important. The details must be determined by the victim, but the important concept is to classify accounts into a multi-tiered pyramid of concern, ranging from “I log into it but they can have it for all I care” all the way up to “If I could no longer access this ever again my life would be in chaos.” Keep in mind that email is almost always critical, for the simple reason that your email is what lets you in to everything else: with access only to an email account, an attacker could perform password resets on any other account. Consider too how your emails are set up – an email which is not used to log in to anything important may be set as the recovery email for your primary email, so the secondary resets the primary and then the primary resets the critical infrastructure. Always be aware of the web of relationships between accounts.
Now that you have a list of accounts in order of concern, you will want to reset all the passwords. Create three passwords – one for each tier. Create these passwords on paper in a secure location and protect the security of this paper at absolutely all costs.
General Principles of Password Creation
DO THIS:
- 16 or more characters in length.
- A variety of lowercase, uppercase, numbers, and symbols.
- Use multiple symbols and numbers.
- Use either no dictionary words at all, or else use three or more dictionary words which are at least five characters in length each and are not related to each other.
DO NOT DO THIS:
- Put your numbers/symbols all in one group.
- Use any words/ideas that are implied by the service you’re logging into (such as something visible on the login page, home page, or URL bar).
- Use the word “password” in any form.
- Use anything related to who you are:
  - Name of anything (you, children, spouse, pet, imaginary friend, et cetera), hometown, address, work/field related, favorite anything (sports team, athlete, movie, song, artist, lotto numbers, colour, et cetera), year of anything (anniversaries, birthdays, historical events, et cetera).
Examples of strong passwords and passphrases (do not use any of these; make your own):
- @Str0ng!3Xa8#Tb7t3ra8Y73
- 5qF!9wDc$2YrP1eAj&6Y(oL
- Zz#7vBn6*Ei2oL$KLI92434
- mOuntain$jUmpy@River5Swims!
- Chocolate-Sunset9-Beach76+abSolution
- purplE$starS$giraffE7dancE+AFfirM
The password or passphrase which you create for your critical accounts should be longer and more complex than the one for your important accounts, which in turn should be stronger than the one for your non-important accounts; but even the non-important baseline should still follow all of these standards.
Why the Heck Should I Memorize a Password Like That!?
Password complexity is of critical importance and becomes more critical with each passing year as Moore’s Law continues to scale. Moore’s Law states, essentially, that “[the capacity of a] microchip doubles approximately every two years, leading to an exponential increase in computational power [at exponentially decreased costs].” To say it more plainly: the ability of an attacker to guess your password is becoming easier and cheaper with every passing moment.
The “guessing” of a password we will define for the moment as “brute-forcing.” Essentially, if an attacker has your email/username, they will try the password “a” and then “b” and then “c”, and then “aa”, “ab”, “ac” until they have tried every possible combination of letters through to “zzzzzzzzzzzzzzzzzzzzz”.
So let us say that your password is “password”. This is an 8-character password of only lowercase letters, which means that each character has only 26 possibilities. This is 26^8, or just shy of 209 billion possibilities. A general-purpose desktop computer, using freely available software, can brute-force at a rate of 100 million guesses per second, which means that all 26^8 possibilities will be tried in about 34 minutes.
More likely, your attacker will know enough about you to know some of the things you like, some of your important dates, some of your history and present in terms of locations/sports teams/hangouts/hobbies, and will be able to use this information to bring the 209 billion possibilities down to a mere 100 English words related to your life and a list of 20 numbers/dates related to your life. Assuming you have a password that is in the list they made, with the first letter of the word capitalized and the number either at the beginning or the end, this results in 4000 possible combinations, which will fall to a brute-forcing attack in 0.00004 seconds.
This is only the math on a general-purpose desktop computer. Professional attackers with industrial-grade “Cracking Rigs” have been reported to crack passwords at the astonishing rates of 350 billion guesses per second! Luckily, such hardware is still significantly cost prohibitive, so it is safe to assume (for the moment) that the person attacking you is operating somewhere in the millions of guesses per second.
So why use these long, hard to remember passwords? Simply because of the math. A scramble of lower/upper/numeric/symbolic represents 128 unique possibilities per character space, and with a 16-character password this creates 128^16 possible combinations, which is 340.3 undecillion possibilities. For clarity, here is the exact number written out:
340 282 366 920 938 463 463 374 607 431 768 211 456
At 100 million guesses per second, this would take 107 trillion years to crack. Even at 350 billion guesses per second, it would still take 30 billion years.
As Moore’s Law continues to scale, these numbers will come into the realm of possibility given enough time. The difficulty, of course, is convenience for the end user (you). Passphrases instead of passwords (as in examples 4, 5, and 6 above) can make memorization easier while still maintaining a high enough level of complexity to be secure, so long as the words you use are not related to your life or to each other in some guessable way, and so long as you protect however you choose to record the passwords for yourself for when you eventually forget exactly what one of them was.
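The arithmetic behind these figures, as an added example (not from the original article): it reproduces the page’s method, alphabet size raised to the password length divided by the guess rate, with exact integers, and adds a mechanical check for the DO / DO NOT list in the password section above. The three-digits-or-symbols threshold is our reading of “use multiple symbols and numbers”; the rules about words tied to your life cannot be checked by code.

```python
import re

# Alphabet sizes from the page's worked figures: 26 lowercase letters, and
# 128 possibilities per position for a lower/upper/digit/symbol mix.
LOWERCASE = 26
MIXED = 128
DESKTOP_RATE = 100_000_000      # guesses/second, general-purpose desktop
RIG_RATE = 350_000_000_000      # guesses/second, reported cracking rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, length):
    """Candidates an exhaustive search must try: alphabet ** length (exact int)."""
    return alphabet_size ** length

def targeted_keyspace(words, numbers, positions=2):
    """The page's targeted attack: one personal word (capitalised) plus one
    personal number, placed either before or after the word."""
    return words * numbers * positions

def seconds_to_exhaust(candidates, rate):
    return candidates / rate

def years_to_exhaust(candidates, rate):
    return candidates / rate / SECONDS_PER_YEAR

def guideline_violations(password):
    """Mechanical checks for the page's DO / DO NOT list; returns the rules
    broken (an empty list means every checkable rule was met)."""
    problems = []
    if len(password) < 16:
        problems.append("fewer than 16 characters")
    present = {"lower": any(c.islower() for c in password),
               "upper": any(c.isupper() for c in password),
               "digit": any(c.isdigit() for c in password),
               "symbol": any(not c.isalnum() for c in password)}
    missing = [name for name, found in present.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))
    non_letters = sum(not c.isalpha() for c in password)
    if non_letters < 3:   # our reading of "use multiple symbols and numbers"
        problems.append("fewer than three digits/symbols")
    if "password" in password.lower():
        problems.append('contains "password"')
    # "Do not put your numbers/symbols all in one group": every digit and
    # symbol sits in a single contiguous run with no letters in between.
    if non_letters > 1 and len(re.findall(r"[^A-Za-z]+", password)) == 1:
        problems.append("digits/symbols are all in one group")
    return problems

if __name__ == "__main__":
    print(seconds_to_exhaust(keyspace(LOWERCASE, 8), DESKTOP_RATE) / 60, "minutes")
    print(years_to_exhaust(keyspace(MIXED, 16), RIG_RATE), "years")
    print(guideline_violations("Summer2024!!"))
```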
Execution
Now it is time to start pulling triggers and recovering your accounts. This is the most vulnerable time, as the attacker may become aware of what you are doing and attempt to thwart your efforts. The following is best done as rapidly as possible. Depending on how many accounts you have and whether or not you already have MFA set up, this may take longer than you would assume. I recommend setting aside a full day, though in certain cases it may take multiple days.
- Recover Your Phone Number
  - Call your phone service provider and inform them of the situation.
  - After verifying your identity, ask them to secure your account with an additional PIN code.
    - This PIN should NOT be any PIN you currently use.
    - It should NOT be related to any numbers which are easily guessed (birthdates/anniversaries et cetera).
    - Properly identifying yourself may be an arduous process, even if you have proper documentation. Keep in mind that they are attempting to protect the account from a SIM Swap Attack, and any attacker calling in to perform such an attack would likely also have all of your personal information and secrets.
  - Write your new PIN on your secure paper with your passwords.
- Recover Your Application-Based MFA
  - This step is only necessary if you have an MFA application which is not allowed to be present on multiple devices. Browse to the website of this application and look up their device-reset policy, then follow the instructions.
    - This could take several days while they repeatedly contact the account owner (you) and attempt to verify that an SSA is not occurring.
- Recover Your Email Accounts
  A. Go to the login panel of your primary email provider and click the Reset/Forgot Password link, follow the instructions, and use your Critical Grade password when prompted.
  B. Once reset, log in to your email account and go to Settings.
    - Do not use the application; navigate to the provider’s browser-based website to get access to the full scope of features.
  C. Search Settings for “Forwarding” options.
    - Make sure emails are not being forwarded to any unknown addresses.
  D. Search Settings for “Recovery.”
    - Make sure that there are no unknown addresses in your recovery emails or phone numbers.
    - Change the questions and answers for all of your “Security Questions.”
      - Security Questions are a terrible feature of modern protections: the questions typically provided (Name of First School, Name of Favorite Childhood Pet, et cetera) are not only things that anyone with an internet connection could look up about you, but the answers to these questions often come up in casual conversation! Just think, every time you mention the high school you attended you are potentially giving an attacker the secret he/she needs to bypass your banking login!
      - In order to protect yourself against this subpar feature of modern security, it is recommended that you do one of the following when answering such questions:
        - Make up false answers – they should be memorable so you will recall them easily in a year, but they should not be something that is true about you.
        - Use a shorthand or longhand response – tell the truth, so you don’t forget what the answer is, but write the answer in a very special way. So, if you went to Highschool High you might write “H-i-g-h-s-c-h-o-o-l H-i-g-h” or “hIgHsChOoL HiGh” (try to develop your own short/longhand; since this document contains these, anyone who reads it and knows you have read it will try these codes first).
  E. Search Settings for “Security” and then for “Multi-Factor Authentication.”
    - If MFA is not set up, set it up.
    - If MFA is set up, then disable it first before setting it up again.
      - It is up to you which MFA method you will use, based on which pros and cons you prefer to deal with.
  - Each provider will differ slightly in their Settings layout; if you cannot find a setting, ask Google or ChatGPT where the setting is for your provider.
  - Now, repeat steps A through E for all email accounts.
- Recover All Other Accounts
  - The process is the same for all accounts: 1) change the password, 2) confirm that the web of related assets is all approved, 3) reset or set MFA.
  - Proceed down the Pyramid of Priorities from Critical to Non-Important. The attacker’s influence rests primarily in your critical assets, so secure these first and foremost, starting always with the emails themselves because they are the reset points.
- Going Further with Accounts
  - Many accounts will have settings which send notifications when any login or login attempt occurs against the account; most banks will have such settings so that any login attempt or transaction against the account notifies a given point of contact. This is a great way to keep constant vigilance over account access and usage.
  - Ensure that the email or phone which these alerts will be sent to is secure. If you have been compromised, it is recommended that such an account be a newly created account with MFA and a password of recommended complexity.
Now you have successfully recovered your accounts!
Going Further
If you wish to enhance your account security even further, then some or all of the following is recommended:
- Download two password managers such as LastPass, Keeper, KeePass, or Bitwarden.
- Create a Master Passphrase – this should be 20+ characters in length, with upper, lower, symbolic, and numerical characters. There should be 3+ symbols and 5+ numbers.
- Memorize this password; write it down only once for quality assurance and keep the paper it is written on in a highly secure location, such as a safe deposit box at a bank.
- Use the master password to set up one of the password managers.
- Set up MFA on this password manager.
- Enter all of your accounts into this manager EXCEPT your primary emails and other top critical accounts (the critical of the critical).
- Go through all of your accounts again and reset the passwords to a completely random 16+ character sequence of letters, numbers, and symbols (the application will have settings to create these automatically for you).
- Set a randomized password like this for every account.
- Enter the other password manager, using the master password again; do not set up MFA this time.
- Enter all of your “Critical of the Critical” accounts into this password manager.
- Once done, export the entire database of the second manager into a JSON or CSV file on a USB drive.
- Delete all accounts from this password manager (ONLY this one; leave the first manager as is).
- Lock this USB drive in an extremely secure location, such as a bank’s safe deposit box.
Now, as long as you have memorized your complex master password, you can easily log in to your password manager and pull the passwords you need when logging into an account. It is important that this master password is as complex as suggested, because if it is guessed then the attacker will have complete access to everything, which would be bad.
Your most critical accounts, which you have removed from the second database, will require either persistent access (keeping them logged in on your phone/laptop) or access to the secure location. If you need to get into these accounts, you can grab your USB drive, plug it into your computer, “Import” the files on it to look at and use in the second manager application, and then repeat the “export and delete” process when done.