SMS & SIM Security: How SIM-Swap Attacks Work

In January 2024, the SEC's official X (Twitter) account was hijacked. A fake post about Bitcoin ETF approval moved markets by billions of dollars. The attack vector? A SIM swap — the attacker convinced a carrier to transfer the SEC's phone number to their SIM card, then used it to reset the account password.

Your phone number is not just a way to reach you. It's a skeleton key to your email, bank accounts, crypto wallets, and social media. And it's shockingly easy to steal.

How SIM-Swap Attacks Work

A SIM-swap attack is a form of identity theft where an attacker takes over your phone number. Here's the process:

Step 1: Gather Personal Information

The attacker collects your personal details — name, address, date of birth, last four digits of your SSN — from data breaches, social media, or data broker sites. This information is often enough to pass carrier security questions.

Step 2: Contact the Carrier

The attacker calls your mobile carrier (or visits a store) and impersonates you. They claim they lost their phone or need a new SIM card. Using the gathered personal information, they pass identity verification.

Step 3: Take Over the Number

The carrier transfers your number to the attacker's SIM card. Instantly, you lose service. The attacker now receives all your calls and text messages — including SMS verification codes.

From here, the attacker resets passwords for your email, banking, and crypto accounts using SMS-based password recovery. The entire process takes under 30 minutes.

SMS Interception Methods

SIM swapping isn't the only way to compromise SMS. Attackers have multiple tools:

SS7 Protocol Exploitation

SS7 (Signaling System 7) is the protocol that connects phone networks globally. It was designed in 1975 with zero security. Attackers who gain access to the SS7 network (often through corrupt telecom employees or by purchasing access) can:

• Intercept SMS messages in real-time
• Track phone locations globally
• Redirect calls to different numbers

In 2017, criminals used SS7 attacks to drain German bank accounts by intercepting SMS 2FA codes. This is not theoretical — it's happening at scale.

Malware on Your Phone

Mobile malware can read incoming SMS messages directly from your phone. Some variants:

• Request SMS permissions during installation
• Overlay fake screens on banking apps
• Forward messages silently to the attacker

Fake Base Stations (IMSI Catchers)

Devices like Stingrays impersonate cell towers, forcing nearby phones to connect. Once connected, the attacker can intercept calls and SMS messages. These devices cost as little as $1,000 and can be built with open-source software.

Why SMS 2FA Is Not Secure Enough

Many services still default to SMS for two-factor authentication. Here's why this is dangerous:

• SMS is not encrypted — messages travel in plaintext across the carrier network
• SIM swaps are easy — carriers have been sued for negligence in swap attacks
• SS7 is broken — and cannot be fixed without replacing the entire global telephony infrastructure
• Recovery codes go to SMS — even if you use an authenticator app, account recovery often falls back to SMS

NIST (the U.S. National Institute of Standards and Technology) has recommended against SMS-based authentication since 2016. Yet most banks still offer only SMS.

The alternative? Authenticator apps (Google Authenticator, Authy) or hardware security keys (YubiKey). Read our complete 2FA guide for setup instructions.

Real-World SIM-Swap Cases

SEC Twitter Hack (2024)

The U.S. Securities and Exchange Commission's X account was hijacked via SIM swap. A fake Bitcoin ETF approval post was published, causing massive market volatility.

$400M Crypto Theft (2023)

A coordinated SIM-swap attack targeted crypto investors, draining wallets protected by SMS 2FA. The FBI arrested the ring, but most funds were not recovered.

Jack Dorsey's Twitter (2019)

Twitter's own CEO had his account hijacked through a SIM swap. If the CEO of a tech company isn't safe, no one is.

How to Protect Yourself

1. Set a PIN on Your Carrier Account

Call your carrier and set a PIN or passcode that must be provided for any account changes. This is the single most important step:

• T-Mobile: Account PIN in settings
• AT&T: Extra Security passcode
• Verizon: Account PIN
• Most carriers: Call customer service to request a security PIN

2. Switch to Authenticator Apps

Replace SMS 2FA with an authenticator app everywhere possible. Codes are generated on your device and never travel over the network.

Recommended apps: Google Authenticator, Authy (has cloud backup), Microsoft Authenticator. For maximum security, use a YubiKey hardware key.

3. Enable Number Lock / Port Freeze

Most carriers offer a feature that prevents your number from being ported without in-person verification with government ID. Enable it now.

4. Use a Separate Number for Financial Accounts

Consider using a Google Voice number or a secondary prepaid SIM exclusively for banking and financial services. Don't share this number publicly.

5. Remove Your Number from Public Profiles

Your phone number on social media makes social engineering easier. Remove it from public profiles, and opt out of data broker sites like Whitepages, Spokeo, and BeenVerified.

6. Monitor for Signs of a SIM Swap

If you experience any of these, act immediately:

• Sudden loss of cell signal
• "SIM not provisioned" or "No service" messages
• Unexpected carrier emails about account changes
• Unable to make calls or send texts

If this happens: Call your carrier from another phone immediately. Then change passwords for your email and secure your accounts.

Related Tools

• Password Generator — strong passwords remain your best defense when SMS fails
• 2FA Guide — switch from SMS to secure authentication
• Email Recovery Guide — what to do when accounts are compromised