Here's how I survived a SIM swap attack after T-Mobile failed me - twice
Last week, I shared a horror story: My SIM was swapped. My Google and Twitter accounts were also stolen, and $25,000 was withdrawn from my bank account for a Bitcoin purchase. I thought I was targeted for my online presence. Turns out, the attack was likely driven by a Coinbase account I experimented with in early 2018 that was never closed.
While I already provided many details about my experience, I wanted to update you on the progress made to date -- while also offering some advice. Readers offered me fantastic advice in the comments to last week's article, and I sincerely appreciate all the helpful feedback, tips, and tricks.
While it was an extremely stressful 10 days, I've had the opportunity to share my story with people, including appearing on Tech News Weekly with Jason Howell, and I've had a large number of people say they updated their security settings, noted some of the key recovery information I shared in that first article, and took a closer look at their cloud usage practices. I've personally made a few changes -- see below -- that I hope better secured my account, but there remains one area of concern that still has me worried.
Also: Wave of SIM swapping attacks hit US cryptocurrency users
US wireless carriers are the weak link
It appears the weak link in the chain that broke first and let the hacker gain access to my Gmail -- which in turn led to hacking my Coinbase, Twitter, and other accounts -- was my mobile carrier. In early 2018, T-Mobile issued a press release regarding unauthorized porting (SIM swapping) with some additional steps customers could take. I did not see this message, but I had a PIN on my account that I believed would help keep things secure. It turns out there is a PIN for when you call into customer service, but there is also a second PIN -- a 6- to 15-digit port validation PIN -- that you should also add. Had I been using this second pin, my SIM swap may have been prevented.
The thief was likely able to find enough personal information about me online to convince the T-Mobile representative that he was me; without the port validation PIN setup, they let the thief steal my number. And once my number was no longer in my control, the floodgates were open for the hacker to take over my other accounts using SMS authentication methods.
Interestingly, T-Mobile required a verification text message and code be sent to one of the other four phones in my family plan before the representative would transfer the number back to my physical SIM. I asked that T-Mobile require the same family plan phone verification if someone tried to steal my phone number again, since that adds another level of verification to my account. I also asked that T-Mobile note in my account that my phone number should remain associated to my physical SIM that is currently in my iPhone XS.
Two days later, T-Mobile let the hacker steal my phone number again. I was outraged that someone calling to port out my number twice in two days didn't raise any red flags, and there was no verification through the other phones in my family plan. T-Mobile was only able to make sure I had a port validation PIN enabled on my account. It's a mystery to me why this port validation PIN was not added the first time the hacker stole my phone number, and it shows me that T-Mobile needs to get more serious about this problem.
Thankfully, a senior person at T-Mobile was able to provide what I asked for -- that no changes be made to my account without first requiring that the person goes into a physical T-Mobile store and show an acceptable identification card. I also asked that they continue the practice required of me: Sending a verification text to another phone in my family plan. I haven't tested this out yet, but honestly, I am not too confident that my number will remain secure with me moving forward.
I don't have all the answers on what US wireless carriers can do to help customers with SIM security, but this issue needs to be taken more seriously. If there is an account holder like me with multiple lines, the least T-Mobile could do is require one or more other phones to validate the move through text message verification. Even though it is inconvenient and crooks may steal or fake IDs, going into a retail store to port out a number might help, too. If nothing else, T-Mobile could at least increase security when port outs look like a tennis match with the rightful owner and the crook moving the SIM back and forth in an attempt to gain control.
Companies like TeleSign are trying to stop these types of attacks with carrier data (specifically: date/time of last SIM swap) and I hope wireless carriers will provide this data, since it is a fairly simple/obvious solution to the problem.
Wired has a story about carriers working with banks that makes perfect sense and is easy to implement. I would love to see Coinbase and other cryptocurrency platforms work similarly with carriers to help stop a problem that seems to be growing.
Also: SIM hijacking ring which stole millions in cryptocurrency dismantled by feds
Getting my Google account back
It is very important to immediately go into your Google account and make sure you have as many means of recovery enabled and recorded in case your Google account is hacked. The only data I had available at first that the hacker did not change was one email address. I entered that and then received an automated email from Google that it was looking into things and that it could take three to five business days to get back to me.
The hacker figured out I still had that email in the recovery sequence, so they later changed that email too, leaving me with no other means to verify the account was mine... or so I thought.
One of the many bits of information Google lets you enter for recovery is the month and year you started using Gmail. My wife came up with the brilliant idea to check when I last sent an email from my old Yahoo account and that must have done the trick.
Exactly five business days after I started asking Google to help me recover my account using the recovery process, I was provided access back to my Google account. While I had a friend who hooked me up with someone with connections at Google, it turns out that the standard recovery process available to everyone is what ended up working for recovering my Google account.
As much as Google knows about me from many years of using its services, it amazes me that it couldn't automatically trigger an alert that someone was trying to takeover my account. With all of the data these services collect, it sure would be nice if that data was also used for security purposes.
While I was able to get my Google account -- and subsequently my Google Fi service -- back up and running, things were a mess. All my labels, filters, and other settings were gone. All the emails eventually came back, but I'm still working through cleaning everything up. Google Photos, Google Drive, Calendar, Contacts, and more all appear intact.
Getting Twitter back
During the first week of my attack, Twitter would do nothing to help me get my account back. It required me to verify things only through my Gmail account, which I couldn't access. The hacker blocked more than 6,000 people, deleted all my Tweets from 2006 until 18 June 2019, unfollowed everyone, and moved my account to private. My follower count dropped from nearly 10,000 to about 3,000 in a week.
After I recovered my Gmail account, I thought it would be a simple process to regain control of my Twitter account, so I filled out the form again. Twitter sent me an email that stated it was unable to verify me as the account owner, but I could always open up a new Twitter account. I've been on Twitter since July 2006 and am Twitter user number 2821, so it's actually pretty easy to verify I am the account owner.
Thankfully, a well-connected friend talked to someone else who had connections at Twitter, and through those connections I was able to prove to Twitter that I was the account owner, and I regained control of my Twitter account. Without this connection, I don't know if I would have ever regained control of palmsolo.
If you suffer a Twitter security breach with the hacker blocking lots of people, try these handy scripts to unblock folks and help you get your Twitter account back in order.
If you are interested in what I post there, I would greatly appreciate a follow on Twitter with my palmsolo account.
Status: What's resolved and unresolved
In my first article, I was quite angry and frustrated with T-Mobile, Google, and Twitter, especially since I am a paying customer of two of those services. In the end, a bit of patience was required to reach resolution, and I am very thankful that my week of pain was fairly minor compared to victims that have suffered massive monetary losses, extreme identity theft, and more. Here's where everything stands in regards to my SIM swap attack:
- Resolved: T-Mobile, Google, and Twitter accounts are back in my control
- Resolved: Removed unblocked accounts in Twitter and remained verified on Twitter
- Resolved: Google Photos, Drive, and Calendar data remains intact
- Resolved: Bank data removed from Coinbase and account locked; account login and passwords changed; all saved password data removed from Google account
- Unresolved: T-Mobile phone could still be susceptible to attack
- Unresolved: Nearly 7,000 Twitter followers lost and all past Tweets deleted
- Unresolved: Gmail labels, filters, and some emails were not recovered
Security
Steps to protect yourself from SIM swap scams
As my story makes painfully clear, I am not a security professional. I made some rookie mistakes. There is some excellent advice in the comments to my post from last week, and I'll continue reading through those to find gems that I will implement moving forward. As of now, here are some of the steps I've taken that you may want to consider.
- Stop using convenient methods to setup accounts. In the past I would just click the Facebook, Google, or Twitter button to setup an account or login. I'm done doing that and gave up convenience for better security.
- Remove all personal and financial information from Google Drive and OneDrive. For now, I've moved all that data offline to physical hard drives. I plan to use cloud services only for photos, videos, and other data that has no privacy concerns.
- Create unique strong passwords for every site. I was lazy before and often used the same three to five passwords on most websites.
- If possible, use two-factor authentication means other than SMS. You can try methods such as Google Authenticator, Authy, physical means such as Yubikey, or solutions provided by your bank or other online service. My bank supports CyberCode Text and CyberCode Token options that should help increase security. I'm also in the process of setting up the Advanced Protection Program hardware from Google.
- Make sure hackers do not enable any form of auto-forwarding of your email to another account.
- Turn off the offer to save passwords. Then delete all saved passwords in both the Settings > Passwords and Google Account > Password Manager areas. I had over 320 passwords saved here that the hacker had access to when my account was taken over. I'll be entering passwords manually for a while until I figure out a safer option.
- Close any unused accounts, especially cryptocurrency accounts. I was able to eventually login to my old Coinbase account and remove my bank from the account. I then had the Coinbase folks suspend my account. (I only used the account once to buy a $200 in Bitcoin just to see what all the fuss was about. But I but wasn't comfortable enough to continue without further researching cryptocurrency.) Apparently, this one-time Bitcoin purchase was the primary reason my accounts were hacked.
- File all the reports I mentioned in my earlier post (FTC, local police, credit reporting bureaus) and work with authorities to help catch the criminals. I found some very interesting data in the security events log of my Google account, so make sure to check out this area of your account if it is ever hacked and you regain control. Hopefully, this data leads to an arrest of the person who stole my account and attempted to steal $25,000.
Vice has a comprehensive guide to not getting hacked that you should read and put into practice. The weak link in many of these hacks is the SMS authentication and SIM swapping, so hopefully we will see US wireless carriers step up and help prevent unauthorized porting of our numbers.