The UK's National Crime Agency (NCA)—working alongside the US Secret Service, Homeland Security, the FBI, Europol, and the District Attorney's Office of Santa Clara California—spearheaded the arrest of eight British citizens in the UK and Scotland, aged between 18 to 26, for a string of SIM swapping attacks that occurred in 2020. These attacks targeted thousands of people and netted some high-profile victims such as online influencers, sports stars, and musicians.
SIM swapping, also known as SIM jacking, is the act of illegally taking over a target's cell phone number. This can be done in a number of ways, but perhaps the most common involves a social engineering attack on the victim's carrier.
Claiming to be the number's owner, attackers call the carrier and persuade them to transfer it to their own SIM card. Because these attacks don't scale up easily, they are typically used in a targeted way. Before an attack like this is carried out, it is expected that an attacker has already done extensive research about their target, to the point of eliminating any doubt from third-parties.
After an attacker has successfully hijacked their victim's mobile number, they can use it to send and receive calls and messages (and the victim can't). For that reason, SIM swapping can be used to circumvent two-factor authentication (2FA) that requires a manually-entered code, sent by SMS message. The consequences can be particularly bad if the victim has an online cryptocurrency account protected by SMS 2FA codes sent to their phone.
According to Europol, the gang used the SIM swaps to "steal money, cryptocurrencies and personal information, including contacts synced with online accounts". It said that the gang went away with more than $100M USD worth of crypocurrency.
"SIM swapping requires significant organization by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome," says Paul Creffield, Head of Operations in the NCA's national Cyber Crime Unit, in a statement, "In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution."
The gang also took over the social media accounts of their high-profile targets "to post content and send messages masquerading as the victim."
As 2FA has become more widely used, SIM swapping stories have become a mainstay of the computer security news. Jack Dorsey, CEO of Twitter, had his Twitter account hijacked in 2019, and when a Florida teen gained access to Twitter's backend systems and took over the accounts of Bill Gates, Elon Musk, Barrack Obama, and Kanye West in 2020.
While SMS-based 2FA is better than no 2FA protection at all, there are a number of more secure forms available now. Where users have a choice, we encourage them to use hardware keys or FIDO2 devices, or app-based 2FA instead.