Hackers Hit Twitter C.E.O. Jack Dorsey in a 'SIM Swap.' You're at Risk, Too
SAN FRANCISCO – When hackers took over the Twitter account of Twitter's chief executive, Jack Dorsey, last week, they used an increasingly common and hard-to-stop technique that gives them full access to a wide range of the most sensitive digital accounts, including social media, email and financial accounts.
The technique is called SIM swapping, and it lets hackers take control of a victim's phone number. Over the past few months, SIM swapping has been used to hijack the online personas of politicians, celebrities and commentators like Mr. Dorsey, to steal money around the world, and simply to harass ordinary people.
Victims, no matter how prominent or technically sophisticated, have been unable to protect themselves, even after being struck again and again.
"I've been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I've seen," said Allison Nixon, research director at the security firm Flashpoint. "It requires no skills, and there is literally nothing the average person can do to stop it."
How a SIM Swap Works
Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to move a phone number to a new device under their
The number is moved from the tiny plastic SIM card, or subscriber identity module, in the target's phone to a SIM card in another device.
Sometimes hackers obtain phone numbers by calling a customer service line and pretending to be the intended victim. In other recent incidents, hacker crews have paid phone company employees to make the switches for them, often for as little as $100 for each phone
Once the hackers control the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim's phone. Most major online services are willing to send these messages to help users who have lost their passwords.
But the temporary code is sent to the hackers.
Telephone companies have been aware of the problem for many years, but the only routine solution they have come up with is offering PINs that a phone owner must enter to change devices. Even this measure has proved ineffective, because hackers can obtain the codes by bribing telephone company employees.
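As an added illustration of the recovery flow just described (example code written for this page, not from the article or from any carrier or online service), the Python below models a defender's policy: a texted login code is treated as a weak factor and is refused when the account has a stronger enrolled factor or when the SIM behind the number changed recently, and recovery requests that follow a SIM change are flagged in the service's own logs for review. The SIM-change timestamp, the cooling-off window, the log format and the log lines are all assumptions constructed for the example; they do not describe any real provider's API.

```python
"""Treating SMS login codes as a weak account-recovery factor.

Added example, not code from the article or from any carrier or online
service. It assumes (hypothetically) that the service can learn when the
SIM behind a phone number last changed; the log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Policy knobs (constructed values, not from the article).
SIM_CHANGE_COOLING_OFF = timedelta(days=7)
RECOVERY_ALERT_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Account:
    user: str
    phone: str
    strong_factors: frozenset  # e.g. {"totp", "security_key"}; empty if none enrolled


@dataclass(frozen=True)
class Decision:
    allow_sms: bool
    reason: str
    alert: bool = False  # True when the security team should look at this attempt


def evaluate_sms_recovery(account: Account, sim_last_changed: Optional[datetime],
                          now: datetime) -> Decision:
    """Decide whether a one-time recovery code may be texted to account.phone.

    sim_last_changed is the hypothetical carrier-provided timestamp of the last
    SIM change for that number (None if the signal is unavailable).
    """
    # 1. A stronger enrolled factor always takes precedence over SMS.
    if account.strong_factors:
        return Decision(False, "stronger factor enrolled; SMS recovery disabled")
    # 2. Fail closed when the SIM-change signal is missing.
    if sim_last_changed is None:
        return Decision(False, "no SIM-change data; route to manual verification")
    # 3. A fresh SIM change is the signature of a swap: refuse and alert.
    if now - sim_last_changed < SIM_CHANGE_COOLING_OFF:
        return Decision(False, "SIM changed inside cooling-off window", alert=True)
    return Decision(True, "no recent SIM change and no stronger factor available")


def parse_event(line: str) -> dict:
    """Parse one 'TIMESTAMP event key=value ...' log line (constructed format)."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["kind"] = kind
    return fields


def flag_recoveries_after_sim_change(lines: Iterable[str]) -> List[str]:
    """Return users whose SMS recovery was requested soon after a SIM change on the same number."""
    sim_changes: Dict[str, datetime] = {}  # phone -> latest sim_change timestamp
    flagged: List[str] = []
    for event in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        if event["kind"] == "sim_change":
            sim_changes[event["phone"]] = event["ts"]
        elif event["kind"] == "sms_recovery_requested":
            changed = sim_changes.get(event["phone"])
            if changed is not None and event["ts"] - changed <= RECOVERY_ALERT_WINDOW:
                flagged.append(event["user"])
    return flagged


# Constructed sample log: one benign recovery, one minutes after a SIM change.
SAMPLE_LOG = [
    "2019-09-03T09:00:00Z sms_recovery_requested user=bob phone=+15550100",
    "2019-09-03T14:02:11Z sim_change phone=+15550101",
    "2019-09-03T14:09:40Z sms_recovery_requested user=alice phone=+15550101",
]

if __name__ == "__main__":
    now = datetime(2019, 9, 3, 15, 0, tzinfo=timezone.utc)
    alice = Account("alice", "+15550101", frozenset())
    print(evaluate_sms_recovery(alice, now - timedelta(minutes=58), now))
    print(flag_recoveries_after_sim_change(SAMPLE_LOG))
```

The policy fails closed on purpose: when the SIM-change signal is unavailable, the request goes to manual verification rather than to a text message, and the log check gives the security team a concrete event to act on instead of relying on the victim to notice that their phone has lost service.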
"It doesn't seem like the AT&Ts of the world are really doing anything to make it more difficult," said Erin West, a deputy district attorney for California's Santa Clara County and a member of a law enforcement working group focused on the problem. "I live in fear of being SIM swapped because it's not that difficult."
No United States government agency provides statistics on the frequency of the attacks. But Ms. West and others who track cases said they had become more frequent over the past year.
"Account transfer fraud is an industry problem," said Paula Jacinto, a spokeswoman for T-Mobile. "We use a variety of security measures to protect against this crime and offer customers a variety of options to help them protect their own information."
Who has been hit?
It is difficult to determine how many mobile phone users have been hit by a SIM swap. But people all over the world, from Kenya to Hollywood, have complained.
In recent weeks, the most prominent targets have been celebrities such as Mr. Dorsey, actress Jessica Alba, and online personalities such as Shane Dawson and Amanda Cerny (her second time). The hackers used the accounts to post insulting messages to millions of followers. They also had access to private communications.
Matthew Smith, who owns an Internet-focused design studio in South Carolina, has been hit by SIM swaps four times – three times this year alone. Hackers had long coveted his Instagram handle, @whale. That made him a target.
Each time the attackers gained access to his social media and e-mail accounts, Smith's telephone provider, T-Mobile, assured him that it had taken additional measures to protect his account. While he has managed to regain his social media accounts, he has not regained access to two Google email accounts that had years of communication.
In the most recent incident this summer, after the attackers gained access to a new email address, they contacted Mr. Smith, his family and his friends to threaten him and his children with information taken from his accounts.
"It feels sick," Mr. Smith said. "It feels like everything you own, and you thought it was safe and yours – somebody is playing with it like it's a toy."
T-Mobile said it would not comment on specific customers.
Victims have complained that after the attacks, they struggled to get help from their telephone companies, or even get someone on the line at a telephone company who understood the problem.
When recording artist King Bach lost and then regained control of his phone at the end of August, he posted an angry video on Twitter saying he had spent hours on the phone with AT&T.
"Customer service is rubbish," he said. "I couldn't get any help."
AT&T did not respond to many requests for comment.
A Progression From Pranks to Theft
SIM swapping became popular in the hacking community years ago. Attackers were mostly interested in taking control of rare or iconic social media account names, such as a Twitter or Instagram account with a single-word name.
But hackers soon realized they could access more than social media accounts.
In 2016, SIM swapping gangs began targeting cryptocurrency holders. Unlike traditional banking transactions, a transfer of virtual currency to a new address cannot be reversed. US bank accounts have been less vulnerable to SIM swapping because banks generally will reverse fraudulent transactions.
Over the past year, authorities have arrested some of the gangs who stole cryptocurrency. For the first time, a hacker was sentenced to prison, receiving a 10-year term.
The number of online crews focusing on SIM swapping has grown, researchers say, and so have the number of victims and the types of accounts targeted.
In Africa, gangs have used SIM swaps to target financial accounts linked to mobile phone providers, such as the popular M-Pesa service in Kenya. South African officials said there were more than 11,000 incidents there last year, triple the previous year's figure.
Security experts have recommended that companies stop using phone numbers to help customers recover accounts.
"This is a technology problem because we are using very old technology that was not designed to be secure to send security codes," said Fabio Assolini, a security researcher at Kaspersky Lab, who lost his own phone number in a SIM swap attack last year.
Twitter said on Wednesday that it would stop allowing some users to post updates via text message, which had made Twitter access particularly easy for SIM swappers, but that would not stop hackers from using a SIM swap to sign in to a victim's Twitter account. (Twitter said it was working to improve this.)
Security experts are concerned that hackers may step up their attacks and use the method to pursue even higher-profile targets. The phones and social media accounts of several Brazilian politicians have recently been compromised.
"SIM swapping is spreading and it will continue to spread until companies handle this," Ms. Nixon said. "This is a known issue at this point. There is really no excuse."