Detective on the Case:
Det. Sammy Marlowe
Detective’s Notes (transcribed):
Sammy Marlowe: As an old friend of Ken’s, I was the first person he called. The subject was in significant distress. Below is a transcript of our phone call.
Ken: “Hello, Sammy. It’s Ken. Umm . . . I’m freaking out.”
Sammy: “Ken, relax. What’s going on?”
K: “I was out on vacation, and my cards started getting declined. I lost a ton of money, and someone hacked into my social media account. The CEO’s breathing down my neck over a tweet that I didn’t even write. I’m gonna get fired and—”
S: “Ken, calm down. Take a breather, kid. First off, is this your personal cell? This isn’t your office’s area code.”
K: “No, I used my friend Emma’s.”
K: “My work phone stopped working.”
S: “Hmm. What’s the phone say? Does it say anything about a SIM card?”
S: “You have the phone handy, right? Check the upper right corner. Does it say anything about a SIM card?”
K: “Yeah. It says, ‘No SIM card inserted.’ What does that mean?”
S: “Ken, listen to me. Your company, they issued the cell phone, right?”
S: “OK. You were likely a victim of a SIM swap scheme. Basically, someone hijacked your phone. All texts and calls for you are going to the criminal’s phone. That’s how they’re getting into your accounts. Your company can prevent these in the future. And hopefully, you should have some protection in your bank account for the withdrawals.”
K: “Sammy. Can you explain this to my CEO? She’s really upset, and I may lose my job.”
S: “OK. Let me explain to her. And let me give her some tips—she could be opening her workforce to a lot of attacks if her IT department doesn’t close this gap.”
After this, I proceeded to speak with Ken’s CEO. I explained the scam and that the fault would lie more with faulty security practices than with negligence on Ken’s part. I also gave her some important pointers on how to prevent this from happening again.
SIM swapping is an identity-theft scam that’s becoming increasingly common. Cybercriminals don’t need expert-level coding chops to hack into people’s accounts and upend their lives. They simply need some reconnaissance tools, basic information about the mark, and a little bit of patience.
It begins with a SIM card. These cards sit in cell phones and store basic information about the account like the phone number, billing information, and carrier information. If someone loses their phone or has it stolen, they can call their phone company and transfer their phone number and information to a different phone with a new SIM card.
While this is convenient for phone subscribers, it’s also convenient for criminals. Often, all they need is some information about you, like your phone number, name, home address, and phone carrier. Plus, they can often get more sensitive data (like social security numbers) on the Dark Web. You could easily have your info out there already if you were part of a major public data breach, such as the huge Collection #1 data dump from earlier this year, where more than 770 million email credentials were disseminated via the Dark Web.
All they need to do is call the provider and get them to transfer the phone to a new SIM card. After that, they can start receiving all your text messages and phone calls. Crucially, this lets them reset usernames and passwords for accounts that send one-time passwords and recovery codes via text or phone.
In Ken’s case, the hackers were able to get into his work and personal email, then used that foothold to break into his bank account, social media accounts, and more. It’s pretty much game over at this point.
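To see how far the chain described above can spread from a single phone number, here is an added example (not part of the original article) that walks a constructed account inventory and reports every account that can be reset once SMS and voice codes go to someone else. The account names and channel labels are hypothetical.

```python
from collections import deque

# Constructed inventory (hypothetical accounts). Each account lists its
# reset/recovery channels; any ONE channel is enough to reset the account.
#   "sms" / "voice"  -> code is delivered to the phone number
#   "email:<name>"   -> reset link is sent to another account in this inventory
#   "totp" / "hardware_key" -> not tied to the phone number
INVENTORY = {
    "work_email":     ["sms"],
    "personal_email": ["voice", "email:work_email"],
    "bank":           ["email:personal_email", "totp"],
    "social_media":   ["email:work_email"],
    "payroll":        ["hardware_key"],
    "vpn":            ["totp"],
}

PHONE_CHANNELS = {"sms", "voice"}


def exposed_accounts(inventory):
    """Map each account that falls after a SIM swap to the path that reaches it."""
    exposed = {}
    queue = deque()
    # First hop: accounts that accept a code sent to the phone number.
    for name, channels in inventory.items():
        hit = sorted(PHONE_CHANNELS.intersection(channels))
        if hit:
            exposed[name] = [f"phone:{hit[0]}"]
            queue.append(name)
    # Later hops: accounts that send reset links to an already-exposed mailbox.
    while queue:
        fallen = queue.popleft()
        for name, channels in inventory.items():
            if name not in exposed and f"email:{fallen}" in channels:
                exposed[name] = exposed[fallen] + [fallen]
                queue.append(name)
    return exposed


if __name__ == "__main__":
    for account, path in exposed_accounts(INVENTORY).items():
        print(f"{account:15} <- {' -> '.join(path)}")
```

Only `payroll` and `vpn` stay out of reach in this inventory, because nothing in their recovery path leads back to the phone number.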
Many experts say there isn’t much you can do to fight against SIM swapping. On the one hand, this may be true. Once an attack starts, the criminal can do a ton of damage in short order.
However, this viewpoint is way too limited. If you prepare for the attack first, you can either mitigate the damage or prevent the attack altogether. Here are some tips:
There’s certainly more you can do if you’re paranoid, but these tips should get most people started.
It’s a dangerous world out there. Cybercriminals constantly look for new ways to exploit their victims. To keep your customers safe (and paying), you need to stay on top of the latest threats. Just follow these tips and you might save yourself—and your clients—a world of hurt.