On a Tuesday night in May, Sean Coonce was reading the news in bed when his phone dropped service. He chalked it up to tech being tech and went to sleep. When he woke up, his Gmail account had been stolen, and by Wednesday evening he was out $100,000.
"This is still very raw (I haven't even told my family yet)," Coonce wrote in an anguished Medium post. "I can't stop thinking about the small, easy things I could have done to protect myself along the way."
On a Monday night in June, Matthew Miller's daughter woke him up to say that his Twitter account had been hacked. He had no cell phone service; within a few days Miller lost his Gmail and Twitter accounts and $25,000 from his family bank account.
In Miller's case, the attacker deactivated all his Google services, deleted all his tweets, and blocked most of his 10K followers. Once he got his phone number back from the hacker, T-Mobile let the hacker steal it a second time. "I've been considering changing my bank account number, social security number, and other accounts that are critical to living and working in the US," Miller wrote in a post. "I am also freaked out about using cloud services so my strategy at the moment is ... writing my passwords down on paper and leaving everything else off the cloud."
Both men were victims of SIM-swap attacks, where someone uses pieces of personal information to convince your cell service provider to transfer (port) your number and associated phone account to a device in the attacker's possession. With control of your phone number and account, they proceed to break into all connected accounts, usually beginning with email. The attacker changes info in your accounts so you can't get them back, sets up email forwarding in case you regain control of your email, and goes through all your cloud-stored documents looking for things of value.
It is a uniquely personal and invasive attack. Thanks to Coonce and Miller, we now know a lot more about how these attacks are done, and how terrible the destruction is. In Miller's case, we learned how unhelpful T-Mobile, Google, and Twitter were — with both Twitter and Google, Miller was stuck in a hell of filling out online account recovery forms and sending them off into an abyss of automated response. And for those wondering, Miller used two-factor (text/SMS) as an extra layer of security for his accounts. But with his phone out of his hands, it didn't matter.
Miller eventually recovered his accounts, but only because he is special: In both articles about his experience, Miller mentions his "well-connected friends" at both companies who helped him out, as well as leveraging his platforms as a tech journalist.
That is both sobering and problematic, as few regular users have this kind of privilege and access. Like you probably are right now, I'm wondering what kind of hell everyone else would be in. Engadget reached out to both Twitter and Google for comment. We did not receive a response from Twitter by time of publication.
According to Google, victims of account hijacking should fill out a claim form. The company also posted information on mitigating SIM-swap attacks and hijacks in a brief October 2018 post about that year's updates to Google's Security Checkup process and sign-in security. Google also indicated that SIM swapping will not compromise a Google account that is protected by two-step verification.
Furthermore, the company said a non-SMS two-factor method (like a YubiKey) was an option only if the attacker knows the victim's password. Google recommends Google Prompt or Google Authenticator, with physical keys as the strongest form of two-factor. Google also said that SIM-swap attacks are rare and confined to specific targets, and that most people don't need two-factor stronger than SMS (text-based).
Needless to say, Google's email was a confusing response to the details we learned in the SIM-swap attack and account hijacks experienced by Coonce and Miller. And I, for one, believe that saying most people are fine with SMS as their two-factor, that most people shouldn't worry about SIM-swap attacks, is too conservative to feel like safe advice.
Especially when we consider two important things. First, we're hearing about SIM swaps more than ever, and only from high-profile techies -- we won't hear about what's happening to regular people. Second, there was a big breach that likely turned what is typically considered a high-effort, targeted attack into a much easier way to grab cash and steal accounts.
That T-Mobile data breach was actually a big deal
Coonce uses AT&T, while Miller uses T-Mobile and Google Fi. The SIM porting process for both networks has terrifyingly minimal security. Both companies had customer PINs exposed for an unknown amount of time in 2018, and T-Mobile suffered a fairly recent breach of all the info anyone needs to do a SIM-swap attack.
According to AT&T documentation, all that is required for transfer is the information one could find on a recent cell phone bill: account number, name of the account holder, billing address, and "pin or password if applicable" — noting that the minimal billing info is all that's required if someone "can't remember" their PIN or password. It is the same for a T-Mobile transfer, just info on a bill, though they don't state if a password or PIN is required at all.
In August 2018, T-Mobile was hacked and the billing information of 2.5 million customers was stolen. The company reassured press by stating no financial data was compromised — but I'll bet that wasn't the point. It was all that juicy billing information, with which attackers can get way, way more by SIM porting and stealing people's phone numbers and accounts.
The day after T-Mobile's breach news, a researcher discovered that all T-Mobile and AT&T customer account PINs had been exposed by website flaws for an unknown amount of time.
Obviously, the SIM porting processes at both companies should've been made way more secure a long time ago — about the time we started to live our entire lives through our phones. But it became even more urgent for T-Mobile to do so after their massive breach. Yet they didn't, and here we are.
SOS — Save our SIMs
It would be really great if there was a security trick or technique I could offer or recommend for people to do to prevent their SIMs from being ported (swapped, stolen). Like "here's this extra, annoying security step you can add to your SIM account." The truth is, cell carrier companies haven't done much, if anything, to increase SIM security.
In January 2018, before that breach, T-Mobile quietly published a post about unauthorized SIM porting in which it recommends that customers add a secondary password to their accounts, which the company calls "port validation." However, nothing about port validation is mentioned on T-Mobile's SIM transfer information page, where a link could seriously raise customer awareness about this very serious threat.
On AT&T's "Prevent Porting to Protect Your Identity" page, little is offered outside "don't share your phone number" and "keep your inbox clean." AT&T's only extra security step on offer is "Add all 'extra security' measures to your AT&T Wireless accounts." Following that link, we learn that the "extra security measures" only make it so someone has to provide your PIN when signing in online, getting secondary online access, or when in-person in a retail store.
Yeah, we're scratching our heads, too. To be clear, AT&T's extra security measures are not anything extra; they just extend PIN requirements to online and in-person account management. As with T-Mobile, no information about unauthorized SIM porting or taking extra security measures is on AT&T's customer information page on SIM transfers.
It's bad. And it probably won't change until an executive at T-Mobile or AT&T experiences the stomach-plummeting terror of having their Gmail account taken (along with Google Photos, Google Drive, Calendar, Contacts), any number of their other accounts raided and, as with Miller and Coonce, their Coinbase and financial accounts drained.
Security mistakes were made
We can, however, learn from the security mistakes Coonce and Miller made before losing their SIMs and connected accounts. Both state in their write-ups that they are not security nerds, and admit they did some lazy things with general account security that they deeply regret. Coonce wrote, "Given my naive security practices, I probably deserved to get hacked — I get it. It doesn't make it hurt any less (...)" In a heartfelt, raw plea concluding his write-up, Coonce tells readers, "I urge you to learn from these mistakes."
So it's pretty easy for attackers to steal our SIMs (port our phone numbers with the associated account onto a phone they control), especially if you're on AT&T or T-Mobile and haven't changed your PIN since all customer PINs were found exposed in late 2018. That means the security mistakes Coonce and Miller are referring to aren't about securing our SIMs; their mistakes were in how their other accounts were — or weren't — secured.
If we can't protect our SIMs, we need to secure what they would give a stranger access to.
One way both men could have prevented the attackers from getting around two-factor is if they had instead used a physical USB security key, such as a YubiKey or Google's Titan, with accounts that are compatible with these keys. Yes, they can be a pain in the ass when you're in a hurry, even if somewhat conveniently carried on your keychain with your house keys. Yet if someone can intercept your text messages without you even knowing it, it's worth not losing your email account and having your bank balance drained so some jerkface thief can buy Bitcoin.
Coonce and Miller regretted having so much personal information about themselves floating around online, though it's difficult to see how anyone can prevent breach data from being passed around. Coonce emphasized that people should use an offline password manager (such as LastPass or 1Password) to create and securely store complicated passwords. This should be done instead of letting operating systems, browsers, or your Google Account save your passwords.
Miller in particular wished he hadn't used the convenient "sign in with your Facebook/Google/etc account" buttons on apps and websites. "In the past I would just click the Facebook, Google, or Twitter button to set up an account or log in," he wrote. "I'm done doing that and gave up convenience for better security."