Sim Swap Hack Explained

There "could" be, but not always, depending on the context of the account and the country you live in. A SIM card is basically a little flash drive that plugs into your phone and stores activation, account, and authentication data for connection to cell towers. A SIM card in of itself doesn't actually store a phone number on it, but rather an ID associated with your carrier for that SIM. If you were to give your SIM card to another person then they could definitely hack you, without question. However, if you deactivated that account with the carrier then that SIM 'ID' behind the scenes will not be able to connect to that phone number any longer, despite being the SIM that was used in the past to connect to that number.
It's similar to a credit card. Once you close that account nobody could buy anything with that credit card, but do you really want somebody to have your old credit card?
So as general advice I will always recommend that you do not sell your old SIM cards. When you are done with it, cut it up and discard it just like a credit card just to be certain nobody else will ever have access to it or any information stored on it. Or give it back to your cell provider as some ask for them back.
In your case if you already sold a phone with a SIM card still in it and/or forgot about it, call your cell provider immediately and make absolutely sure it's cancelled. In some countries (like in India) one number is forever associated with one SIM card 'ID'. You still shouldn't get hacked if that SIM was deactivated on the providers end though.

@@JoshChristiane OK, this is for the US and is Verizon. Yes it was just sold.

You should be okay, I wouldn't worry too much about that. But just to be safe call Verizon and make sure that sim is deactivated for that number. The same thing happened to me once many years back but with a computer. I sold a Mac and when I formatted the drive the OS failed the format and aborted it without telling me, then reverted back to my data. The lady who got the computer was able to sign into all my accounts... Luckily she was nice and emailed me to let me know the issue.

No. It’s not connected to anything. Info is erased completely

@@JoshChristiane Beyond having that risk to yourself, the less blank sims there are out in the world the less sim swap fraud can happen.

You're very welcome :) Much appreciated comments.

@@JoshChristiane this is a bot btw bruh

Great question. In many countries (but not necessarily yours) they'll give you one in person. Some newer companies only mail them. In the Twitter hack somebody went to an ATT office in person, claimed to be Jack Dorsey, showed the fake docs, and they believed him. Then they issued him a new sim card in the store at that moment for immediate activation. Not every store or brand will do this, but around the world it's shockingly common. E-sim is becoming a lot more popular for a reason, but even E-Sim has similar issues.

@@JoshChristiane Thanks for the reply and explanation👍🏻

Also I am using google/ microsoft authenticator for every app I can now. Unfortunately many email sites only use a phone number as a backup, which evidently can be worse than just having no 2FA.

I'm really sorry this happened to you, it's such a massive let-down any time I hear about it. We trust technology and the people who make it, until something like this happens and we realize the true level of incompetence going around. I use Google Auth for anything I can as well, but you are correct in saying many only allow 2FA phone number. I've chosen to pick excellent (unique) passwords for every important site and skip phone authentication, which worked out to my advantage when somebody tried to sim swap me years ago.
I hope you recover all of your accounts fine and didn't lose anything too important.

@@JoshChristiane Yep luckily everything was refunded by paypal. In the process of getting a new sim now.

@@JoshChristiane Unique password not a solution in phising or keylog vs attacks situation for my knowledge. If I trust to only unique pw, these attacks will gonna grave harm too anyway.

I completely agree. And sometimes they do, but sometimes they don't. Not to mention how easy it is in many countries to fake an ID, that doesn't help any.

What do you mean when you say will the cell phone be hit? Do you mean the data on the cell phone being at risk?
Generally info or data is not stored on a sim card anymore. They're just used for confirmation with the tower. It's like a security pin. So you shouldn't lose any data on your phone.
There is a risk potentially that using the sim card activation through the towers that they could change your passwords to your accounts and possibly access your photos or videos stored in the cloud.
Since cloud data isn't on your phone but rather it's on a server, they can potentially access that server with your phone number confirmation through SMS. This is part of why cloud storage is dangerous.
I recommend you change all of your passwords and deactivate 2 factor authentication as fast as possible on every account.

If the SIM card is inserted in an unregistered or activated condition, what is the probability that it will be affected?
And if the cellphone is not connected to the internet. Will it still be affected?

The likeliness in that case is not an issue if the sim isn't registered. Internet itself has no effect, because SIM cards don't necessarily use internet (although some E-Sims do), the design of a SIM card is only as an activation tool for use on the cell networks. Global cell networks are generally connected through cell towers, so even without internet they can still activate or deactivate.

However, if I put it back into my hacked cellphone. And reactivate it. Will your previous cellphone be affected?

Nope. Should not effect the previous phone at all once the sim is pulled out.

That's horrible! Switch over any accounts you can while still possible. If 2FA is required then there may be nothing you can do except contact the companies to lock the accounts until you figure out your phone number situation. In the future if 2FA is required, either don't do it, or opt for the Google authenticator instead.

Awesome, thank you!

Hello, thanks for saying that. You're very nice :)

Thanks for sharing, yeah I heard about the Walsh hack. It's crazy that people are still able (and willing) to do this.

Great question, and I like the way you framed it. The phone number itself isn't what is dangerous, it's more so your accounts being recoverable through 2FA. So if you had an email for example that had 2FA recovery set up then somebody could change the password (via "forgot password" recovery) and steal it out from under you. Same with bank accounts, and basically anything else using 2FA. It's something we don't think much about until it happens.

@@JoshChristiane I’m getting the picture. So they can use the forgot password or the username to send themselves a message to reset it. Assuming they have your email and where you bank. Another reason to keep PII close to the vest… and use other methods of 2fa. I noticed my carrier has SIM card protection. Any opinion about that? Could someone still whine and cry 😢 enough to convince the carrier to let them swap the sim anyway?

I'm not sure who that is, but I googled it and apparently somebody famous did get scammed. Such a shame whenever this happens, hope he gets his money back somehow.

@@JoshChristiane it's called karma, he scammed people too so that's what he deserves

@@JoshChristiane hell nah lmfao Kankan scams his high school fans

Meee 😂😂😂

Exactly, you got it. So imagine you were using 2FA on your account and a hacker somehow gained access to your phone number (through e-sim hack or sim swap), then the hacker would go to "reset password" or "lost password" and you can usually reset a password solely using that second factor auth, from there you can change emails, passwords, everything. Not all websites work this way as some require independent verification from both sources. Most do not though, as 2FA is meant in practice to be a way to get an account back if you lost access to the first source as well, such as an email. This is why some people have lost basically everything digital from 2FA. Dedicated authenticator apps (Authy, google) are getting a lot more popular for this reason, but they have their own pitfalls as well.

@@JoshChristiane Many thanks!

This is how a modern day Soviet Union would be created

You got it.

You are so welcome! Thanks for watching!

You're right, which is concerning. Google Authenticator is for sure the safest route, but it does come at the cost of permanent loss if the person isn't careful. A lot of people are lazy and just set it up and forget to write down or save the backup keys for Authenticator. If your phone is stolen, if it breaks, or you lose it then those keys are lost forever. There are risks to basically every option, which is the nature of life I suppose. OTP and SMS have their own issues, obviously.

@@JoshChristiane I recently got hacked but caught it in time, I can't find an answer for an alternative to the OTP which most of my accounts use in the UK, AND THE PHONE COMPANIES ARE VULNERABLE WITH sim SWAPPING.

The only option I see is to have a second SIM just for two 2FA. A two SIM phone Would be useful here, as the second number would not be tied to any of your personal information like email, contacts and websites

@@JoshChristiane Another issue is most phone companies do not do phone number port freeze here

You're completely right. It seems stupid to me how the system is designed, but I don't see a lot of effort made to fix it. People are sort of complacent with being victims as long as it's rare. But for the people who's identity is stolen they start to see it differently, and it's really not THAT rare, people just don't care until it happens to them. There are a couple companies now providing services to the wealthy and famous for ID and confirmation for SMS, they're basically a third party, the same idea as a second SIM basically for 2FA... But that's an added cost most normal people don't want to deal with.

Excellent point. I use two phones. One for all of my apps, networking, socials, and one for security measures. Keeps everything separated nicely.

A lot of bank account logins require SMS or 2FA to login, so it's not entirely unrealistic to assume a person doesn't notice within 24 hours (soon enough) and the money goes out, or they lose access and don't regain access for a day or two. The other thing with wire transfers is that once the money is sent it's already gone. It takes 24 hours to show up in the account due to SWIFT international transactional system, but once a wire is sent it can't be undone. Wire transfers are generally non-reversable... Unless it was the bank itself that made the mistake, then they're held accountable. So not only is this "hack" possible, but it's done every single day to a large number of victims.

@@JoshChristiane thanks for your reply, really helped understanding deeper 👍

More than one person can assuming you're referring to crypto wallets. Which wallet specifically are you referring to? And are you referring to the public or private keys?

Really good questions. SIM card lock is designed to protect your local SIM card and/or its contents from theft. So if somebody steals your phone they can't use your SIM card in another phone unless they know its password. It's a very useful function to protect you against 2FA and account theft if you were mugged or your phone was stolen. It does not however protect you from SIM swaps, as that's an issue with effectively duplication. The cell tower basically ignores your SIM and automatically redirects that number to another SIM whom the hacker created using identity theft. It's just a complex form of identity theft, less so a hack, yet it falls under the hacking category.
eSIM does actually protect against SIM swap hacks, but it doesn't protect against other forms of IoT and middleware attacks, it's actually more suspectable to other vulnerabilities, thus it never caught on in America. Wish I had included that information in the video haha, I suppose I could make another on those subjects.

That sounds like malware or a hacker for sure. I would backup my photos and important stuff, then completely reset my phone back to factory default. That way if there are any hardware level rootkits or anything like that you can be sure to get rid of them.

Glad you think so, thanks! :)

Agreed, thanks for watching!

Potentially yes. But that doesn't protect you from rogue apps, viruses from WiFi, man in the middle attacks, and a plethora of other security issues. You can never truly be safe when it comes to crypto unless you write down your seed manually and save that somewhere secure. Even then it's a risk because somebody could break into your house and steal it. Storing crypto is actually insanely complex, I'm working on a video currently about the very topic, actually.

@@JoshChristiane bro pls make a video how to store your crypto pls

You're welcome 😊

Yeah exactly, eSim is certainly a lot safer... But being able to switch sims can also be a safety feature in some cases (if you need to switch a targeted number physically without connectivity or shut a line down immediately). There are still ways to hack SMS though if you go through the cell provider directly and fake an identity for the account itself, but that's a lot harder obviously.

I find it odd that your local store didn't inspect the sim card. Generally if your sim card stops working that's because the contacts either corroded (from humidity), or there was wear and tear from taking the card in and out (most people don't do that). A sim card failing on its own is extraordinarily rare, to a point that it just doesn't happen. If your sim card was deactivated then the store would have known right away, but that assumes the employees were competent enough to check based on your concerns. It is entirely possible you were hacked. When a cellular provider issues a new sim card for a previously existing number, that automatically deactivates any previous sim cards (yours for example). So it's very likely the company issued a new sim card to somebody other than yourself. What you should not worry about would be him stealing your info from the sim itself, as sims don't carry much info. But your concern should be focused around the protection of your 2 factor authenticated accounts. For example let's say you have a Google or Apple account with private photos on it, assuming you use 2FA, then a hacker could sim-swap you, then reset your passwords using 2FA to gain access to those accounts, that's in part why 2FA is actually very insecure. This is why the industry is trying to drop 2FA in favor of Google and "Authy" Authenticators. While they aren't perfect either, they're a LOT safer than 2FA. As far as would the store rep know about it... I doubt it to be honest. Most people that work for cellular companies really only are sales people, they're not privy to the actual technology itself. It is VERY possible somebody either did hack you, or at least attempted to. My advice would be to go through ALL of your vital accounts, and check previous logins. You can check which devices are logged in and where. And I recommend you change all of your critical passwords while you're at it. For now you might want to avoid 2FA if this evil person continues to stalk you as well. People often give away critical information on accident online through social media (birthday's on Facebook, etc).

Thank you. I really appreciate the detail and your time. So this was actually a few months ago, September. None of my critical passwords got changed and I recently changed the important ones. But I’m worried about how much of my info he was able to obtain while he had my number activated such as contacts, pictures, videos, or possible passwords. I’d say I didn’t have my service for 4 - 6 hours altogether. I haven’t gotten any suspicious emails or logins at the time or since. But idk if he’s saving it for later time. Definitely getting rid of 2 factor authentication, thank you. Unfortunately, he was a friend previously so he knows where I live and he knows my birthdate and where I work.

*update
I contacted a tech agent with my carrier. They said the number was not activated outside of the store location or on a different device. So I’m still wondering if he had something to do with the SIM failing. I only had it 3 years. Never ejected it once while having the device it came with…

If it was only 4 to 6 hours it's also possible the network carrier just went down, then came back up later after you replaced the sim. Maybe that's too coincidental, I'm not sure on the exact logistics and details. I hope the carrier is telling you the truth and you are secure. Since this happened months ago it sounds to me like you may be in the clear. If this guy keeps giving you issues you can report him to the police, and possibly get a restraining order issued from the court in your district. While a restraining order won't stop him from showing up at your front door, it will give you leverage if he ever does because he'll be committing a crime. Stalking is a deeply complex subject, and where the line is drawn between legal and illegal stalking is equally as blurry. Following somebody on social media, googling them, doing background checks on them, and even following them in public places are all legal. It becomes stalking when they go above and beyond the definition of "reasonable". Hacking into accounts, spying inside your windows on your property, using fake accounts on social media to send you threats, mailing threats to your home address, etc. If these things are happening to you then I recommend you report it to your local police right away if you haven't already. Until then you're best off just ignoring him. Block him on everything, and just force him to move on. Sorry about that though, life is never simple when bad actors enter your life.

Thanks!

They won't have your phone data, just your number access. Which they can use to reset all of your passwords. They could potentially access your social media, cryptocurrency accounts, banking info (depending on the country), send themselves your money, whatsapp, whatever else. It's obviously extremely damaging. So many sites (like Google) rely heavily on 2FA, so having access to your number can potentially be devastating. I hear stories almost daily of people losing all of their money and access to their accounts. Sometimes the hacker will then use access to those accounts to hold them hostage, then demand you pay them money or they'll delete all of your data (like a UA-cam or Instagram account for example). They would have full access to your icloud or google drive as well. In terms of financial theft it will greatly depend on how you store your money. Much of the world stores their cash in apps these days (like What's App and Cash App), and this makes it EXTRA easy to rob you of all of your savings. If it's a traditional bank it's harder because they have to send an actual wire. Basically the only way to avoid this is to use Google Authenticator INSTEAD of SMS whenever possible on any account that allows that. Thanks for the great comment!

@@JoshChristiane Thanks for the great response! Have been wondering for a long time where the vulnerabilities lie. So then after a sim swap, an attacker would need to know your google account id (gmail address) as well, in order to compromise a google account. And probably if they have your email address, and take over your email, they can go after any account/service that uses email as the account id and will send a password reset links? One wonders if companies will even let attackers in even if they don't have account id, based on other identifying information.

The first thing you should do is call your service provider. Call them right away and tell them to disconnect or "stall" the line until you've recovered your accounts. You don't want anybody getting access to your accounts through 2FA, so get that line shut down as fast as possible and let them know you've lost access to your number. From there it's about securing accounts before you re-instate your phone service.

@@JoshChristiane sir I have called butt there are not replying me

@@JoshChristiane past 3 days that have done and it going on I don't know what to do

Keep calling them. And if they continue to ignore you then drive to their office where they sell phone plans. You can always deal with them in person. Who is the cellular provider? I'm sorry that's happening to you, I know it must be horrible.

@@shaikhkaif5536 This man spends hundreds of thousands of time just to help us. He helps those in need while also helping us. He always puts a smile on our faces and we should appreciate it. Hats off to Him! I love you dude. Crazy I've never payed attention to the *Apex Deft* on the internet movement when I say ancestral your a gift to our people

Well exactly. The issues you're talking about are what every person deals with when trying to perform such a complex case of what is effectively identity theft. But it happens every day, so people are finding ways around these problems. A big part of the issue isn't even identity but it's the lack standards that cell providers have adopted for security and authentication.

@@JoshChristiane my friend used sim swapping to steal people’s bitcoin wallets and he’s got £470k in bitcoin now

@@inthelittlelightning I'm not surprised. There are a lot of horrible people out there who will steal when given the chance. I personally want to help people avoid being victims of such scams.

That's a good question and point. In a lot of countries around the world people keep their money in what we might consider as "insecure" banks. Banks that are entirely digital and only require 2FA from your phone in order to access your funds and complete transfers. Even in the United States you could technically hack into some accounts using only 2FA to reset the bank password, logging on and verifying yourself, and then transferring money out via wire or otherwise available options. It's a sad reality, but it does happen to thousands of people every day.

@@JoshChristiane all these is concerning, its a failure on both the telco and bank part to protect us, recently my brother who works at bank told me people keep losing tons of money everyday, its worst than what is reported in local media. The banks suspect its user downloading non verified apk files but i think its just putting the blame on the users or its a combination of sim swapping, fishing etc to make that happen because they never receive any calls, sms TAC, not even a notification from the relevant bank's app for BIG transfers.
Right now i'm cleaning up all my online banks accounts back to good old physical FDs lol
just leave 1 for online shopping.

You are absolutely correct. Systems always love to blame the customer for failures on the company's part. It's great talking to somebody that's sharp and knowledgeable about what's going on. You're smart for going back to physical, lol.

I literally never even heard about that, haha.

That depends I suppose. If they did a sim swap on your number then used that to authenticate a Google or Apple login in order to see photos of yours saved on the cloud then yes, it's possible. But if you saved the photos onto your local phone drive (which is always safer) then no, definitely not. Any private photos of yours should NEVER be saved onto any cloud service or server. All private photos should be in a locked folder on your local device (which Android offers).

W user

I have 3 or 4 which are mostly crypto exchanges, but that's not the point really. A lot of emails use SMS confirmation to change the password to the email. So for example say you have an email "blank@blank.com", and somebody finds out your email. If they sim swap you they could go to your email and click "reset password" then do the confirmation through 2FA to prove it's really that person and thus change the password stealing their email. And then that email along with the SMS is used to confirm password changes to MANY other accounts. This isn't something that's theoretical either, thousands every day are victims of this scam. A lot of sites are upgrading to Google Authenticator or Authy style authentication to avoid this exact issue, but there are still a huge amount of websites that haven't switched over.

Congrats on that!

Unfortunately it's not a field I'm an expert in, ADSL is super old technology designed around copper phone lines and it somewhat predates my tech experience to be honest, so I cannot answer properly. As far as modern modem's they don't require a password if you're hooked in direct-line typically, though a large number of companies have a setup that does require login. I'm sure before it's sent out to the network switches there is some type of encryption to prevent unauthorized access of a server or network from a dangerous third party machine. I've been to offices that disconnect or solder every eth port shut to prevent unauthorized access within their office spaces. I hope you find an answer online for exactly what you're looking for. As far as SIM cards you typically get 1 per device, though there is no technical reason you can't purchase multiple, but instantiating it on a network is a different story, and not nearly as simple.

Yup. It was EVERYWHERE. Basically if somebody/something calls me I hang up, if I need something I'll call them. I have a strict "no unsolicited calls" belief.

Well it's not exactly SIM cloning, but the idea is similar. Either way, yes, it's absolutely possible and is done every day. Cloning is actually technically possible too, just a lot more sophisticated because you need a type of network net to catch and redirect the initial ping or whatever, I'm no expert there though so I'm the wrong person to ask about that.

The sim lock pin only protects the physical card in your phone. It prevents somebody from removing your card during theft and using it to verify data. But if somebody activates a new card via the provider in your name then the sim lock pin won't protect you. That's one of the big issues with 2FA through phone numbers, there are not a huge amount of ways to protect yourself. There are some services providing third party verification for tel providers that protect you from sim swaps, you'll have to search for those specifically if you're looking for enhanced security. Many celebrities use those special third party providers to protect them to prevent identity theft.

I'd need to know more context. If you were sim swapped you'd know it right away. From what it sounds like he probably installed ghost software on her phone to track her texts and calls back when they were together. You can install silent unseen software on somebody's phone that they don't know is even on it. I would tell your girlfriend to manually backup her photos and important documents on her phone, anything she needs to keep, then completely factory default reset the phone. That should wipe out any software he installed. Otherwise he's just hacking into her iCloud and reading her messages because he has her password or 2FA. So also tell her to change all her main passwords, such as her email, iCloud, phone, etc.

Thank you! Thanks for watching and commenting.

I'm not sure, it sounds like a scam. I have to know more context to really give a good answer with any such understanding.

I got rid of all that stuff years ago as well, I have a disdain for social media these days. Good for you for doing it though, your life will be better off without it.

@@JoshChristiane the Instagram has alot of work out tips and for cooking since alot of people are using it to post ingredients.

Yeah they still have their use. In the past I've had private profiles that I didn't use for posting but just for viewing friends content as well.

Thanks for the view haha :)

I'm not sure, probably a lot of bad things. Just don't trust anybody, especially those who call you first.

Still puts people at risk for identity fraud/theft, but it's definitely safer that way.

I'm sorry to hear that! It does happen sometimes... I hope you get all of your accounts back promptly without any losses.

Haha yeah, it's on almost everything now. It's sort of a double-edged sword, but it is better than nothing I suppose. I really prefer Google Authenticator. I wish more websites and apps used that standard, because it's so much safer.

Well I hope that prevents anybody from messing with you at least, that's certainly one way to solve the problem.

Lo siento que no hablo español. ¡Gracias por dejar un comentario! :)

VERY good question. UA-cam is absolutely flooded with bots the last month or so, idky. And sometimes it's not as easy as I expect figuring out who's a bot and who's not. It's usually obvious but a few times I thought it was obvious and they were real people, so I don't want to block anybody real by mistake. Very annoying and confusing.

@@JoshChristiane Must be annoying for u aswell cos it screws up your analytics im asuming

It haven't even checked to be honest, lol. My channel isn't big enough for analytics to matter anyways, so I don't care too much what that says, as long as I can help somebody somewhere that's what matters to me.

It's not me, somebody else did it. But yes, I am aware. Spam has become a major issue on UA-cam.

@@JoshChristiane wow THX for the answer.

Yeah I do wish UA-cam did a naturally better job filtering, but it's impossible for me to see what is a bot or a real person for the most part. So I just give everybody the benefit of the doubt.

@@JoshChristiane Sorry why you don't do other yt videos?(The videos are so cool)

I'd love to do more soon, I've just gotten too busy with work for the most part.

I'm very glad it didn't happen to you!

What network and country are you on or in? I wish I could give you some advice to help, that sounds horrible! I'm sorry people have tried to do that to you. :(

Have you secured any of your accounts or it's all gone? First step is to call your cell provider and let them know what happened. Get your accounts and number temporarily locked down. Second step will be to start contacting Google or any services you use via email. Secure your email, change all the passwords. Try to secure access to any point of entry if possible.

@@JoshChristiane thats a lot i conjtated my provider they said there were no e sims or sim

I think that means you're safe. E-sims would be your biggest concern, if you don't have that then you're fine.

@@JoshChristiane i talked to the guy that is getting into my accounts and he said he e sim swapped

At that point the best thing you can do is just try to recover your accounts and shut that phone number down, changing all of your 2FA accounts promptly. If he already did it then there is nothing you can do to protective yourself, it's like trying to avoid a mugging after you've been mugged. The best thing you can do now is focus on recovery and just go with steps from there.

Not exactly. 2 Factor Authentication is generally used to reset passwords, so you wouldn't need to know the password. Just click on "I forgot my password" and most banks will redirect you to a page where you can use your 2FA to reset it and gain access. Your personal bank may require 2FA along with security questions that a hacker most likely cannot answer, and perhaps even have bank fund lock operations after any password changes, however many international banks around the world do not have those safety protocols. And if we are talking about crypto or exchange funds then many don't have any protections at all past basic phone 2FA. An 18 character password is great for the sake of safety, but it does not protect you from every hack. If you visit the wrong website and have malware, bad browser extensions, or some root kit / virus on your machine it can key-log your password. Meaning somebody from another country can see your password as you type it, and then gain access to your banking information. Wires are mostly non-reversible so if something like that were to happen you could lose significant wealth. Many think "that's impossible" or "that will never happen", but it literally happens to thousands of people every single day. This is a serious topic that many people do not have reverence for until they lose everything.

Agreed.

Unfortunately, yes it does. Because it's not the actual sim itself that is the issue, it's the network referencing it. The sim is often seen as this physical "boundary" to keep you safe, but it's not magic and that's just marketing. A network still has to contact that sim for verification and if you were to 'deactivate' a sim or swap the reference onto another then it would be business as usual.

Wow, thank you! I appreciate the kind comments. I only have a small following and that's okay with me :).

@@JoshChristiane lol worry for the bad spelling before haha I didn't notice I missed like 5 words lmao

It's no problem, I know what you meant and that's what matters.