When hackers recently took over the Twitter account of Twitter CEO Jack Dorsey, they used an increasingly common technique that gave them full access to a wide range of the most sensitive digital accounts, from social media and email to bank accounts.
This technique is called SIM replacement, and with it, hackers can take control of the victim’s phone number.
It is used to take over the online identities of politicians and prominent figures like Dorsey in order to steal money or simply harass ordinary people.
Victims, regardless of their technical background, generally fail to protect themselves.
“I’ve been involved in this type of crime for a long time, and SIM replacement worries me more than anything I’ve encountered,” said Allison Nixon, director of research at security firm Flashpoint.
“No special skills are required and there is literally nothing to stop the average technology user from doing something like that.”
Criminals have learned how to persuade mobile operators to transfer a phone number to a device that is under their control. The number is moved from the tiny plastic SIM card in the victim’s phone to the SIM card in the other device.
Hackers sometimes obtain phone numbers by contacting the operator’s customer service while pretending to be the person they want to defraud. In some cases, hackers have even bribed employees of telephone companies to replace SIM numbers, often for a sum of only about one hundred dollars.
When hackers take control of a phone number, they ask companies like Twitter and Google to send a temporary login code to the victim’s phone number, and the code actually reaches the hackers.
Phone companies have been aware of this problem for years, but the only solution they can offer for now is PIN codes that the phone owner must enter into the device. However, this measure has also turned out to be ineffective, as hackers obtain these codes too by bribing employees in telephone companies.
“It just seems like those companies aren’t doing anything to make it harder for hackers,” said Erin West, deputy district attorney in Santa Clara, California. “I live in fear that the same thing will happen to me because it’s not at all difficult to do it.”
Experts dealing with this problem believe that cases of SIM number replacement have become more frequent in recent years. Authorities in South Africa said more than 11,000 incidents were reported in the country last year, three times more than a year earlier.
People all over the world, from Kenya to Hollywood, complain about situations like this.
Matthew Smith, who owns a design studio in South Carolina, has been the victim of a SIM replacement four times – three times this year alone. Hackers have long wanted his nickname on Instagram, @whale.
The last time they hacked into his emails, hackers contacted Smith, his family and friends, threatening him and his children with information they had gathered from his accounts.
“Someone plays with everything you own and considered safe and their own as if they were toys,” says Smith.
Those who own cryptocurrencies are often targeted. Unlike traditional banking transactions, when a virtual currency is transferred to a new address, the transaction cannot be canceled.
Security experts are concerned that hackers could use these methods to attack more significant targets. Recently, the phones and social media accounts of several Brazilian politicians were compromised.
Fabio Assolini, a researcher at Kaspersky Lab, himself lost his phone number last year in an attack like this.
“This is a technological problem because we use old technology that is not designed to be secure for sending security codes,” he says.