TL;DR

SIM swapping attacks transfer a victim’s phone number to an attacker-controlled SIM card by social-engineering mobile carrier support. Once the swap succeeds, attackers intercept SMS 2FA codes and password resets, enabling account takeover of financial, email, and cryptocurrency accounts. Defense requires carrier-level porting protection, replacing SMS 2FA with authenticator apps or hardware tokens, and implementing account recovery procedures that don’t rely on phone numbers.



How SIM Swapping Attacks Work

SIM swapping (also called SIM hijacking or port-out scam) redirects a victim’s mobile service to an attacker-controlled SIM card without physical access to the victim’s device.

Attack Flow

Phase 1: Target Selection and Reconnaissance

Attacker identifies high-value targets:

  • Cryptocurrency holders (checked via blockchain explorers for large balances)
  • Executives with access to corporate accounts
  • Individuals with valuable social media handles (short usernames, verified accounts)
  • High-net-worth individuals identified through OSINT

Reconnaissance sources:

  • LinkedIn (employment, role, location)
  • Social media (phone number leaks, carrier identification)
  • Data breaches (leaked PII: SSN, date of birth, addresses)
  • Public records (property ownership, business registrations)

Phase 2: Social Engineering Mobile Carrier

Attacker contacts victim’s mobile carrier (Verizon, AT&T, T-Mobile, etc.) claiming to be the victim:

Method A - Technical Support Social Engineering:

Attacker: "Hi, I lost my phone and need to activate a new SIM card."
Carrier Rep: "Can you verify your account?"
Attacker: [Provides stolen PII - name, DOB, SSN last 4, address]
Carrier Rep: "Verified. What's your new SIM card number?"
Attacker: [Provides attacker's SIM ICCID]
Carrier Rep: "SIM activated. Your number is now active on the new card."

Method B - In-Store SIM Swap: Attacker visits carrier store in person with fake ID matching victim’s information. Requests SIM replacement due to “damaged SIM.”

Method C - Insider Bribery: Attacker bribes carrier store employee to perform unauthorized SIM swap. 2023 Report (FBI IC3): 15% of reported SIM swap cases involved carrier employee complicity.

Phase 3: Service Transfer

Once carrier activates attacker’s SIM:

  • Victim’s phone loses signal (shows “No Service”)
  • Victim’s phone number now routes to attacker’s device
  • Attacker receives all calls and SMS meant for victim

Phase 4: Account Takeover

With control of victim’s phone number, attacker performs:

SMS 2FA Bypass:

1. Attacker goes to victim's email (Gmail, Outlook)
2. Clicks "Forgot Password"
3. Selects "Send code via SMS"
4. SMS code arrives at attacker's phone
5. Attacker resets password, gains email access

Cryptocurrency Wallet Compromise:

1. Attacker accesses victim's Coinbase/Binance/Kraken account
2. Initiates password reset via SMS
3. Disables existing 2FA
4. Transfers cryptocurrency to attacker's wallet

Financial Account Access:

1. Attacker accesses victim's bank/brokerage
2. SMS-based password reset
3. Initiates wire transfers or ACH withdrawals
4. Victim discovers theft hours or days later

Time Window

Attack duration: 15-90 minutes from SIM activation to account compromise.

Why rapid? Victim will notice “No Service” and contact carrier. Attacker must complete account takeovers before carrier reverses SIM swap.


Why SMS 2FA Is Vulnerable

SMS-based two-factor authentication is fundamentally insecure because it relies on phone number ownership—a transient, carrier-controlled property.

The Phone Number Ownership Problem

Traditional ownership assumption: “If someone receives an SMS at this number, they must possess the phone associated with this number.”

Reality: Phone number routing is controlled by mobile carriers. Carrier support can redirect routing with minimal verification.

Comparison to other 2FA methods:

2FA Method                     | Binding           | SIM Swap Vulnerable?
SMS Code                       | Phone number      | YES
Authenticator App (TOTP)       | Device hardware   | NO
Hardware Token (FIDO2)         | Physical token    | NO
Push Notification (Duo, Okta)  | Device enrollment | NO
Email Code                     | Email account     | If email uses SMS 2FA recovery

SS7 Protocol Vulnerabilities

Beyond SIM swapping, SMS has additional security issues:

SS7 interception: Signaling System No. 7 (SS7) is the protocol mobile carriers use to route calls and SMS. SS7 has no authentication—any party with SS7 access can:

  • Intercept SMS messages
  • Track phone location
  • Forward calls

Cost of SS7 access: $1,000-$5,000 one-time fee (underground forums).

2025 Reality: SS7 attacks are not common against individuals due to cost, but SIM swapping is cheaper and more reliable for attackers.

Regulatory Gaps

NIST SP 800-63B (2017) officially deprecated SMS 2FA for high-security applications:

“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators.”

Despite this: Banks, cryptocurrency exchanges, and email providers still widely use SMS 2FA as primary or fallback authentication.


Real-World Attack Targets

SIM swapping is not theoretical—it’s a multi-million dollar criminal enterprise.

Cryptocurrency Theft

2018-2023 Losses: FBI estimates $68 million stolen via SIM swapping attacks targeting cryptocurrency holders.

High-profile cases:

Michael Terpin vs AT&T (2018):

  • Victim: Cryptocurrency investor
  • Loss: $24 million in cryptocurrency
  • Attack: AT&T employee performed unauthorized SIM swap
  • Lawsuit: Terpin sued AT&T for $224 million (settled for undisclosed amount)

2019 Twitter Hack:

  • Target: Twitter employees
  • Method: SIM swap enabled access to internal admin tools
  • Result: Compromise of verified accounts (Barack Obama, Elon Musk, Bill Gates)
  • Cryptocurrency scam tweets posted from verified accounts

Executive Account Takeover

Business Email Compromise (BEC) via SIM Swap:

Attack chain:

1. SIM swap CFO's phone number
2. Access CFO's Office 365 via SMS password reset
3. Send wire transfer instructions to AP team
4. Funds wired to attacker-controlled account

2024 Example (Undisclosed Fortune 500 Company): CFO’s phone number SIM swapped during overseas travel. Attacker gained email access, sent fraudulent $4.8M wire transfer request. Transaction completed before fraud detected.

Social Media Handle Theft

Valuable usernames (short handles, OG names, verified accounts) are targeted for:

  • Resale on underground markets ($500-$50,000 depending on handle)
  • Extortion (demand ransom to return account)
  • Impersonation for fraud

2020 Case: “@jack” Twitter Handle Hijacking Attempt

Attackers attempted SIM swap of Twitter CEO Jack Dorsey. Temporarily succeeded, posted offensive tweets. Twitter regained control within 20 minutes.


Detection Methods

Individuals and organizations can implement monitoring to detect SIM swap attempts.

Individual Detection

Immediate indicators:

Phone shows “No Service”:

  • Most obvious sign
  • Occurs within seconds of SIM swap completion
  • If phone suddenly loses service in an area with normal coverage, assume SIM swap

Cannot make/receive calls:

  • Test by calling own voicemail
  • If the voicemail prompt plays and the phone still shows service, it is not a SIM swap
  • If call fails entirely, likely SIM swap

SMS delivery failures:

  • Send yourself a test SMS from another device
  • If message doesn’t arrive within 30 seconds, investigate

Carrier app alerts:

  • T-Mobile, Verizon, AT&T apps may send notifications for SIM changes
  • Enable push notifications for all account changes

Organizational Detection

MDM (Mobile Device Management) monitoring:

If organization issues corporate phones via MDM (Intune, Jamf, Workspace ONE):

Alert if:
  Device IMEI changes (different physical device)
  Device loses connectivity for >5 minutes
  SIM ICCID changes

SOC monitoring for suspicious account resets:

Alert if:
  Executive account password reset during off-hours
  Multiple password reset attempts in short window
  Account recovery initiated for high-privilege users
  2FA methods changed (especially removal of app-based 2FA, addition of SMS 2FA)
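
The MDM and SOC alert conditions above, written as detection logic over a constructed event stream. This is an added example, not part of the original article; the event schema, field names, thresholds and account names are assumptions.

```python
from datetime import datetime, timedelta

HIGH_PRIV = {"cfo@example.com"}            # constructed: executive/admin accounts
BUSINESS_HOURS = range(8, 18)              # assumption: 08:00-17:59 is "on-hours"
BURST_COUNT, BURST_SPAN = 3, timedelta(minutes=10)   # assumption: reset-burst threshold
SWAP_WINDOW = timedelta(minutes=90)        # upper end of the 15-90 minute attack window

# Constructed events in a hypothetical normalized schema (not a real product's log format).
EVENTS = [
    {"ts": "2025-03-02T02:10:00", "user": "cfo@example.com", "type": "sim_iccid_change"},
    {"ts": "2025-03-02T02:25:00", "user": "cfo@example.com", "type": "password_reset"},
    {"ts": "2025-03-02T02:27:00", "user": "cfo@example.com", "type": "mfa_removed", "method": "totp"},
    {"ts": "2025-03-02T02:28:00", "user": "cfo@example.com", "type": "mfa_added", "method": "sms"},
    {"ts": "2025-03-02T10:00:00", "user": "dev@example.com", "type": "password_reset"},
]

def detect(events):
    """Return (user, rule) alerts for the MDM and SOC conditions listed above."""
    alerts, last_sim_change, resets = [], {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["type"]
        if kind in ("sim_iccid_change", "imei_change"):
            last_sim_change[user] = ts
            alerts.append((user, kind.upper()))
            continue
        if kind == "password_reset":
            if user in HIGH_PRIV and ts.hour not in BUSINESS_HOURS:
                alerts.append((user, "PRIV_RESET_OFF_HOURS"))
            recent = [t for t in resets.get(user, []) if ts - t <= BURST_SPAN] + [ts]
            resets[user] = recent
            if len(recent) >= BURST_COUNT:
                alerts.append((user, "RESET_BURST"))
        elif kind == "account_recovery" and user in HIGH_PRIV:
            alerts.append((user, "PRIV_ACCOUNT_RECOVERY"))
        elif kind == "mfa_removed" and e.get("method") in ("totp", "fido2"):
            alerts.append((user, "STRONG_MFA_REMOVED"))
        elif kind == "mfa_added" and e.get("method") == "sms":
            alerts.append((user, "SMS_MFA_ADDED"))
        # Correlation: an account change soon after a SIM/device change matches
        # a swap followed by takeover, so it is raised as its own alert.
        swapped = last_sim_change.get(user)
        if swapped and ts - swapped <= SWAP_WINDOW:
            alerts.append((user, "ACCOUNT_CHANGE_AFTER_SIM_CHANGE"))
    return alerts
```

The correlation rule is the one worth paging on: each individual condition is noisy on its own, while a reset or 2FA change inside the swap window is rarely benign.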

Carrier account monitoring:

Set up alerts with corporate carrier:

  • Notify security team for any SIM changes on executive lines
  • Require secondary approval for SIM activations
  • Enable port-out protection (see defense section)

Defensive Countermeasures

Mitigating SIM swap risk requires eliminating SMS dependency and hardening carrier account security.

Carrier-Level Protection

Enable SIM/Port Lock (Varies by Carrier):

T-Mobile (T-Mobile Account Takeover Protection):

1. Log in to my.t-mobile.com
2. Profile → Line settings
3. Enable "Block SIM changes"
4. Set 6-digit PIN for SIM changes

AT&T (Number Transfer PIN):

1. Log in to att.com
2. My AT&T → Profile → Sign-in info
3. Set "Wireless passcode"
4. Required for any porting or SIM changes

Verizon (Number Lock):

1. My Verizon app or verizon.com
2. Account → Line settings
3. Enable "Number Lock"
4. Prevents unauthorized porting

Effect: Carrier requires PIN/passcode before allowing SIM swap. Social engineering must now obtain this additional secret.

Limitation: Some carrier employees can bypass PIN with manager override.

Eliminate SMS 2FA

Replace SMS 2FA with authenticator apps:

Google Authenticator, Authy, Microsoft Authenticator:

  • Generate time-based one-time passwords (TOTP)
  • Keys stored on device, not tied to phone number
  • SIM swap does not compromise TOTP codes
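
Why a SIM swap does not expose TOTP codes: the code is computed from a shared secret and the clock, and nothing in the computation involves a phone number or carrier. The following is an added example (not from the original article) implementing RFC 6238 with SHA-1; the enrollment URI is constructed and uses the RFC's published test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed enrollment URI of the kind a QR code encodes; the secret is the
# RFC 6238 test key ("12345678901234567890" in Base32), not a real credential.
ENROLL_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri: str) -> bytes:
    """Extract the shared secret; note the URI carries no phone number."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)

def verify(secret: bytes, submitted: str, at: float = None,
           step: int = 30, drift: int = 1) -> bool:
    """Server-side check that tolerates +/- `drift` time steps of clock skew."""
    at = time.time() if at is None else at
    now = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, c).encode(), submitted.encode())
        for c in range(max(0, now - drift), now + drift + 1)
    )
```

The secret leaves the service only once, at enrollment, which is why the QR code and any exported authenticator backup need the same protection as a password.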

Migration process:

For each account using SMS 2FA:
1. Go to account security settings
2. Add authenticator app 2FA
3. Scan QR code with authenticator app
4. Verify TOTP codes work
5. Remove SMS 2FA as 2FA method
6. Keep SMS only for account recovery (if unavoidable)

Critical accounts to migrate:

  • Email (Gmail, Outlook)
  • Financial (bank, brokerage, PayPal)
  • Cryptocurrency exchanges
  • Password managers (LastPass, 1Password, Bitwarden)
  • Corporate SSO (Okta, Azure AD)

Hardware Security Keys (FIDO2/WebAuthn)

YubiKey, Titan Security Key, Thetis:

  • Physical token required for authentication
  • Phishing-resistant and SIM-swap-proof
  • Supported by Google, Microsoft, GitHub, Coinbase, etc.

Setup:

1. Purchase hardware key ($20-$50)
2. Go to account security settings
3. Add security key as 2FA method
4. Physically touch key to authenticate
5. Remove SMS 2FA

Best practice: Register 2+ keys (one primary, one backup stored securely).

Account Recovery Hardening

Problem: Even with strong 2FA, account recovery often falls back to SMS.

Example vulnerable flow:

User: "I lost my 2FA device"
Service: "No problem, we'll send a code to your phone"
Attacker with SIM swap: [Receives SMS, bypasses strong 2FA]

Hardened recovery:

  • Recovery codes: Generate one-time backup codes, store in password manager or physical safe
  • Account recovery contacts: Designate trusted person who can verify identity
  • Identity verification: Require government ID upload for account recovery
  • Waiting period: Force 24-72 hour delay for recovery, with email notifications

Gmail Advanced Protection Program: Requires hardware security key AND 72-hour waiting period for account recovery.


Organizational Protection Strategy

Enterprises must protect executive and high-privilege user accounts.

Executive Protection Program

Enroll executives in carrier protection:

  • Work with enterprise carrier account manager
  • Enable maximum security settings on executive lines
  • Require in-person verification with government ID for any SIM changes

Issue corporate hardware tokens:

  • YubiKeys for all executives and privileged users
  • Mandate hardware key as primary 2FA
  • Disable SMS 2FA organization-wide for executive accounts

Monitor for social engineering attempts:

  • Security awareness training specific to SIM swap threats
  • Simulate SIM swap scenarios (with executive consent)
  • Train executives to immediately report “No Service” incidents to security team

Policy Enforcement

Conditional Access Policies (Azure AD, Okta):

IF:
  User is in "Executives" group
  AND 2FA method is SMS
THEN:
  DENY access
  REQUIRE hardware token or authenticator app

Account recovery policies:

IF:
  User attempts password reset
  AND user is high-risk (exec, admin, finance)
THEN:
  REQUIRE approval from security team
  NOTIFY user via multiple channels (email, Slack, phone call)
  ENFORCE 24-hour waiting period
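
The account recovery policy above, combined with the recovery codes and waiting period from "Account Recovery Hardening", as a small model in which possession of the phone number is never an input. This is an added example, not from the original article; the class, function and channel names are hypothetical.

```python
import hashlib, secrets
from datetime import datetime, timedelta

WAIT = timedelta(hours=24)                    # lower bound of the 24-72 hour delay
CHANNELS = ("email", "slack", "phone_call")   # multi-channel notification targets

def new_recovery_codes(n=10):
    """Return (codes shown to the user once, SHA-256 hashes the service stores)."""
    codes = [secrets.token_hex(8) for _ in range(n)]      # 64 random bits each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_code(stored_hashes, submitted):
    """One-time use: a matching hash is removed so the code cannot be replayed."""
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False

class RecoveryRequest:
    """Hypothetical recovery ticket; an SMS code is not accepted anywhere."""

    def __init__(self, user, high_risk, created):
        self.user, self.high_risk, self.created = user, high_risk, created
        self.approved_by_security = False
        self.cancelled = False
        # Notify out of band so the real owner can cancel during the delay.
        self.notify = CHANNELS if high_risk else ("email",)

    def may_complete(self, now):
        if self.cancelled:                    # owner saw a notification and objected
            return False
        if self.high_risk and not self.approved_by_security:
            return False
        return now - self.created >= WAIT     # delay applies even after approval
```

The waiting period is what turns the notifications into a control: an attacker holding the number for 15-90 minutes cannot finish a recovery that takes a day and can be cancelled by the owner.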

Incident Response Plan

SIM swap detection and response:

If executive reports “No Service”:

1. Immediately assume SIM swap attack
2. Contact carrier NOC (dedicated enterprise support line)
3. Verify SIM ICCID on account matches executive's physical SIM
4. If mismatch, revert SIM activation
5. Enable emergency account lockdown:
   - Freeze all password resets
   - Disable email forwarding rules
   - Block new device enrollments
6. Forensic analysis:
   - Review all account activity during SIM swap window
   - Check for unauthorized password resets
   - Audit financial transactions

Summary

SIM swapping attacks exploit weak carrier account verification to hijack phone numbers and bypass SMS-based authentication, enabling widespread account takeover.

Key Takeaways:

  • SIM swaps redirect phone service to attacker’s SIM via social engineering carrier support
  • SMS 2FA is fundamentally insecure—phone numbers are not cryptographically bound to devices
  • High-value targets: cryptocurrency holders, executives, and accounts with valuable usernames
  • Detection: a phone showing “No Service” is an immediate red flag
  • Defense: Enable carrier port locks, eliminate SMS 2FA, use authenticator apps or hardware tokens

Defensive Strategy:

  • Layer 1: Enable carrier-level SIM/port locks with secure PIN
  • Layer 2: Replace SMS 2FA with TOTP authenticator apps
  • Layer 3: Deploy hardware security keys for critical accounts
  • Layer 4: Harden account recovery to not fall back to SMS
  • Layer 5: Monitor for “No Service” incidents and maintain rapid response procedures

When to Worry:

  • High-value individual (crypto holder, executive, verified social media)
  • SMS 2FA as primary authentication method
  • No carrier-level port lock enabled
  • Account recovery defaults to SMS
  • Employees unaware of SIM swap threat

When You’re Protected:

  • Carrier port lock enabled with secure PIN
  • Zero accounts using SMS as 2FA (fully migrated to TOTP/FIDO2)
  • Hardware security keys for critical accounts
  • Account recovery requires identity verification + waiting period
  • Security awareness training includes SIM swap recognition
  • Incident response plan for “No Service” reports

Risk by Account Type:

Account Type     | SMS 2FA Risk | Recommended 2FA
Email            | Critical     | Hardware key + backup codes
Bank/Finance     | Critical     | Hardware key or authenticator app
Cryptocurrency   | Critical     | Hardware key mandatory
Social Media     | High         | Authenticator app minimum
Password Manager | Critical     | Hardware key + backup codes
Corporate SSO    | Critical     | Hardware key or Duo/Okta push

SIM swapping is cheap, fast, and effective. The only reliable defense is eliminating SMS from authentication and recovery flows entirely.


Sources

  1. FBI Internet Crime Report 2023 - SIM Swapping Statistics

  2. NIST SP 800-63B - Digital Identity Guidelines (SMS Deprecation)

  3. FTC Consumer Alert - How to Protect Yourself from SIM Swapping

  4. CISA - SIM Swapping and Account Takeover Services Alert

  5. Princeton University - The Security of Mobile Banking (SIM Swap Analysis)

  6. Cloudflare Blog - What is SIM Swapping and How to Prevent It

  7. Michael Terpin vs AT&T Case Documents (2018)

  8. Krebs on Security - SIM Swapper Sentenced to 18 Months

  9. T-Mobile - Account Takeover Protection Documentation

  10. Verizon - Number Lock Feature Guide

  11. FIDO Alliance - Strong Authentication Specifications

  12. Google Advanced Protection Program


  1. YubiKey Hardware Tokens - FIDO2 security keys

  2. Google Titan Security Key - Google’s hardware token

  3. Authy Authenticator App - Multi-device TOTP authenticator

  4. Google Authenticator - TOTP app for iOS/Android

  5. T-Mobile Account Takeover Protection - Enable port lock

  6. AT&T Wireless Passcode Setup - Number transfer PIN

  7. Verizon Number Lock - Port protection guide

  8. FIDO Alliance - Phishing-resistant authentication standard

  9. Have I Been Pwned - Check if your phone number leaked

  10. Google Advanced Protection Program - Maximum account security for high-risk users