The hack that wipes you out

While ransomware continues to steal the spotlight for hacking headlines, this more personal type of attack has increased over 400% in the past couple of years, and it can literally take everything from you. The hack we’re talking about is the combination of email theft and sim swapping. For the uninitiated, sim swapping is the technique of a hacker convincing your mobile carrier that your phone has changed, and they provide the sim card details for the new phone – the one which they possess. Once successful your phone stops working, well, for you, at least. Their next step is to take over your email account, which is easily done if they have phished you, or are using stolen data about you from the dark web, and then they access your bank accounts and anything else they want. This CAN happen to anyone, and it can happen to you. Once they’re in, getting them out is more difficult than you may think – you no longer have access to your email or your cell phone. Sadly, this is a fairly simple attack, and it can be done from anywhere in the world.

Let’s step into the mechanics of how hackers are doing this, and look at ways you protect yourself. First and foremost, they have to have information on you. In many cases, this is easily obtained on the dark web, where criminals congregate. One free place to check if your information is in the wild is the website https://haveibeenpwned.com/. Enter your email address and it will tell you what information is exposed and frequently which major breach it came from. This is helpful, but there are many other ways hackers can get your information that you can’t control nor prevent.

In order to take over your phone aka a sim swap, the hacker has to have enough information on you to convince your mobile carrier they are you and you have a new phone. Of course, the other way this happens is unscrupulous mobile carrier employees, but let’s consider the deception angle. You know those security questions you’re asked about where you went to high school, what was your first pet, etc? Well, this information is often simple to obtain through social engineering or guesswork (assuming it wasn’t contained in a hacked database). In many cases, once those questions are answered, your carrier accepts them as you.

How do you stop this? We’ve long advocated that you not answer those security questions with actual information. In fact, you can put anything in those boxes. What high school did you go to? Spaghetti. Make a note of your answers, and you’ve increased the level of difficulty for the hacker.

This points to the larger problem of two-factor authentication. Whether you are using text messages or authentication apps, a successful sim swap SHUTS YOU DOWN and defeats this extra security layer entirely – they’re the ones receiving your texts.

It’s increasingly clear alternative measures are needed. One such alternative we are testing is YubiKey – YubiKey – Fast and Simple Two-Factor Authentication | Yubico (we have no relationship with this company). This separate device gets your two-factor authentication off of your mobile device and is a far superior concept for security. True, you have to carry a tiny USB type device with you, but if you have ever had your identity stolen or your phone sim swapped, you know what a minor inconvenience this actually is by comparison.

There are no easy answers, but there are recommendations. Consider answering your security questions with random answers, use complex passwords through a password manager, check haveibeenpwned occasionally, and take your personal information off of social media. Finally, consider alternatives to the current state of security defaults with a device like YubiKey or others.

Be careful online. If you feel like someone is watching you, it may just be that they are.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.