Last week, TechCrunch reported that an unsecured database of over 419 million Facebook users’ records was online, and it had apparently been there for at least a year. Information included Facebook IDs (easily linked to usernames) and telephone numbers. No passwords, so, you might ask, what’s the big deal? The big deal is: telephone numbers are the new cybersecurity vulnerability of which many are not aware . . . but they should be.
Many consider mobile phones secure, dismissing encouragement to install (and use) antivirus and VPN apps on their mobile devices in the same way they would on their laptop or desktop. While some understand the threat of unsecured wi-fi, most do not consider the vulnerability of cellular service. The potential for man-in-the-middle or other potential attacks flow directly from the mobile user’s actions, and cause and effect are clear: If you do your banking or purchase an item with your credit card via your phone using a compromised wi-fi or cellular connection, that information can easily be stolen, for example.
However, new incoming threats posed by a third party actor armed with a database of mobile numbers like the database of Facebook IDs/numbers found online have emerged as threats to even the most security-conscious users. So far, these threats have largely flown under the radar outside of the cybersecurity community.
Smishing and SIM-swapping attacks aren’t grabbing the headlines in the same way emerging reports of malware in both Apple and Android apps have flooded Twitter in the past weeks, alerting users to the immediate threat of apps that will turn their camera on or otherwise compromise their privacy and security. But smishing and SIM-swapping are no less a threat to your online privacy and cybersecurity.
As discussed in an earlier post, SMS + phishing = smishing. That is, the phisher contacts you by SMS text rather than by email, but the approach is similar (if briefer). In the case of a smish, the malware is in a link in the text.
SIM-swapping takes more effort, with the target specifically selected by the hacker. With mobile number in hand, the hacker approaches the service provider to obtain a SIM card for your number and, once they do and pop it into a phone on their end, your phone goes dead and the hacker controls your phone–and everything on it, like your banking apps. Or, as folks suspect happened to Jack Dorsey (Twitter CEO), control your social media accounts.
And, while those are the direct and most terrifying threats, the fact is most folks who use multi-factor authentication employ SMS text or email for 2FA. Depending on how robustly you protect your credentials, a SIM-swapped phone could possibly allow access to a broad swath of your online life. (See how Android malware intercepts texts and 2FA codes.)
How Do I Protect Myself?
How to protect yourself? Basic steps include:
- Limit the amount of information you provide to third parties, and be selective about which third parties you provide any information to.
- Keep current on what sensitive data of yours has been breached by using a safe source for this info on the clear web. (Yes, unless you live under a rock, you exist in a dark web database.)
- Safeguard your credentials by practicing good password hygiene.
- Do not respond to randos–by email or text.
- Keep your phone protected with antivirus and VPN. (See our Cybersecurity Resources page.)
Think you have enough stuff to be worth someone’s effort to SIM-swap? Then:
- Limit what mission-critical parts of your online life (e.g., financial accounts) can be accessed via your mobile phone.
- Set a PIN on your mobile account.
- Use a separate phone (e.g., a burner) or a Google Voice number for an otherwise unused, isolated account for your 2FA. You can also:
If you’re next level, say dabbling in cryptocurrency, you may want to follow some special measures.
Updated: 09 October 2019