Garrett Endicott recently was sentenced to prison for his role in a hacking conspiracy perpetrated by a criminal group known as “The Community” that stole millions of dollars worth of cryptocurrencies from their victims through SIM card swapping which gave Endicott and the other five members of “The Community” access to the cryptocurrency accounts of their victims.  SIM card swapping is a major problem.  A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as a cell phone.  The SIM card is able to be transferred between different devices, and often is, when people update into a newer cell phone.  However, as more and more financial transactions, such as online banking, are now done through cell phones, identity thieves with access to their victims’ SIM cards are also increasingly becoming able to intercept security codes sent by text messages for online banking as part of dual factor authentication and thereby providing the identity thief with the opportunity to empty their victims’ bank accounts and cause other financial havoc.

SIM card swapping or porting as it is sometimes referred to is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal. By SIM swaps, criminals can reset passwords on online accounts and request dual factor authentication codes be sent to their phones which will render dual factor authentication useless as a security measure.  Sometimes criminals contact the mobile service providers of their victims posing as the victims and trick the mobile service provider employees to swap the SIM cards to phones controlled by the criminals  Other times criminals bribe employees at their victims’ mobile service providers to achieve the SIM swap.

SIM card swapping has resulted in huge losses including one instance in which a victim had 23.8 million dollars worth of cryptocurrencies stolen from his account by someone who accessed the account through SIM swapping that thwarted the dual factor authentication used by the victim to protect the security of the account.

In a new development the Federal Communications Commission (FCC) is proposing new regulations that will require phone carriers to better authenticate customers before redirecting a customer’s phone number to a new device or carrier.  In addition, the new proposals would require phone carriers to immediately notify its customers whenever a SIM card change is requested for their phone number.

TIPS

The best protection for your phone starts with a strong password, facial recognition or fingerprint scanner.  Also, set your phone so that it locks when you are not using it.  Make sure that you back up everything in your phone regularly. Install the Find My iPhone app if you have an iPhone or the Find My Device app if you have an Android phone.  These will enable you to locate your cellphone if it is lost or stolen and also allow you to send a command to erase everything in your cellphone even if the phone has been turned off.  If your phone is lost or stolen, you should immediately contact your wireless provider to have them disable the SIM card in your phone so that your phone cannot be used by someone else.  As for protecting your phone from cyberattacks, it is important to both download and continually update security software.

Perhaps the best thing you can do to  protect your SIM card from SIM card swapping is to set up a PIN or password to be used for access to your mobile service provider account. This will help prevent a criminal from calling your carrier posing as you and convincing your mobile carrier to swap your SIM card to the criminal’s phone merely by providing personal identifying information or answering a security question.

AT&T will allow you to set up a passcode for your account that is different from the password that you use to log into your account online.   Without this passcode, AT&T will not swap your SIM card.   Here is a link with instructions as to how to set up the passcode. https://www.att.com/esupport/article.html#!/wireless/KM1051397?gsi=9bi24i

Verizon enables customers to set up a PIN or password to be used for purposes of authentication when they contact a call center.  Here is a link with information and instructions for setting up a PIN with Verizon.  https://www.verizonwireless.com/support/account-pin-faqs/

T-Mobile will allow you to set up a passcode that is different from the one you use to access your account online.  This new passcode is used when changes to your account are attempted to be made such as swapping a SIM card.  This code will not only protect you from criminals attempting to call T-Mobile and swap your SIM card, but will also prevent someone with a fake ID from making changes to your account at a T-Mobile store.  Here is a link to information and instructions for adding a new passcode to your account. https://www.t-mobile.com/customers/secure

Sprint customers can establish a PIN that must be provided when doing a SIM swap, in addition to merely answering a security question, the answer to which may be able to be learned by a clever identity thief.  Here is a link to information about adding a PIN to your Sprint account. https://www.sprint.com/en/support/solutions/account-and-billing/update-your-pin-and-security-questions-on-sprint-com.html

For those of you receiving the Scam of the day through an email, I just want to remind you that if you want to see the ever increasing list of Coronavirus scams go to the first page of the http://www.scamicide.com website and click on the tab at the top of the page that indicates “Coronavirus Scams.”  Scamicide has been cited by the New York Times as one of three top sources for information about Coronavirus related scams.

If you are not a subscriber to Scamicide.com and would like to receive daily emails with the Scam of the day, all you need to do is sign up for free by going to the bottom of the first page of Scamicide.com and typing in your email address where it indicates “Sign up for our blog.”