FTX and the SEC Are Just the Latest Victims of SIM-Swap Scams

Here’s how to protect yourself and your employees from the surprisingly common way of taking over cellphone numbers.

BY JENNIFER CONRAD, SENIOR WRITER @JENNIFERCONRAD

FEB 7, 2024

Since the cryptocurrency exchange FTX collapsed in November 2022, a lingering question had been what happened to approximately $400 million in cryptocurrency that disappeared as Sam Bankman-Fried’s empire was falling apart.

Now, court documents suggest that the FTX theft was likely the work of a SIM-swapping criminal group with ties to Russia. And that’s not the only high-profile instance of SIM-swapping to make the news in recent weeks. In January, the Securities and Exchange Commission said it was the victim of a SIM-swapping scheme, in which a hacker gained control of the agency’s account on X (formerly Twitter). Hackers posted that the agency had approved the sale of spot Bitcoin exchange-traded funds one day before the approval actually came through.

Security experts have warned for years that SIM-swapping is a common entry point for hacks of bank accounts, corporate email systems, and social media profiles. And if it’s happened to you, don’t feel bad. Twitter co-founder Jack Dorsey had his account compromised in this manner and lost control of his own Twitter handle for about 20 minutes in 2019. The FBI said it received 1,611 SIM-swapping complaints in 2021 alone, with victims’ losses adding up to more than $68 million.

What is SIM swapping?

A subscriber identity module (SIM) card stores information about a cellular account, including the associated phone number, and allows a phone to connect to a mobile network. If you lose your phone or you want to sign up with a new carrier but keep your phone number, you’ll generally need to port your phone number to a new SIM card.

With a SIM swap, a scammer tricks your phone company into giving them control of your phone number. The scammer can then receive authentication codes and password reset messages to that number, which in turn can give them access to crypto wallets, bank accounts, and social media profiles. In the case of FTX, it’s believed that an American woman used a fake ID at an AT&T store to impersonate a senior FTX executive and take control of her phone number. From there, the criminal group was able to receive security codes to access FTX crypto wallets.

What options do carriers offer for avoiding SIM swapping?

Last November, the Federal Communications Commission issued new rules requiring cell phone carriers to notify customers immediately if there’s a request to port their number to another account. In addition to sending a notice to the customer’s device, some carriers will send out messages by email, so it’s important to keep that information up to date.

Carriers have also added security features such as allowing customers to create an account PIN that is required to transfer a phone number, or requiring a one-time PIN sent to the device or user’s account before making the transfer. You may also be able to turn off the ability to port your number to another SIM card in your account settings. Options will depend on your carrier and may not be turned on by default, so check with your carrier or look at your account settings.

What can you do to prevent having other accounts compromised?

Even if someone takes over your cell phone number, there are steps you can take to make it harder for someone to take over email, social media, or financial accounts.

Rather than receiving two-factor authentication codes by text message, some accounts offer the option to authenticate your identity biometrically using face or touch ID on your device, things that (so far) hackers have had little luck in replicating. You can also use an app, such as those offered by Microsoft and Google, that creates one-time codes on your phone. Google and other companies also offer physical security keys to confirm your identity.
