SIM swapping attacks are one of the most vicious kinds of identity theft that regular everyday people might end up facing. What makes them so dangerous is the fact that they can be done remotely. The amount of access that SIM swapping can give to hackers continues to grow every single day. And worst of all, SIM swapping requires almost no technical skill on the hacker's end. It's usually pulled off by just social engineering somebody that works at your telecom company, or in some cases, the hackers might actually have an inside man at the telecom company to help them pull off the SIM swap. Now, usually the goal of SIM swapping is to intercept the SMS verification and recovery codes for the online services that you use so that the hackers can ultimately take over those accounts. And if it just so happens to be an account for a financial service like a crypto or bank account, then of course the hackers are going to steal as much money as they can out of those accounts as well. Now part of the reason this is such a huge problem is because it's really difficult to even find an online service these days that doesn't require your phone number for signing up. Usually the phone number verification can help limit the number of accounts that spammers are able to create to make the platform itself better. And it might seem like a good way to be able to recover an account since people always have their phones on them. They might forget their passwords, but they're never going to forget their own phone numbers. But sending these one-time passwords and these recovery links over SMS is a really, really bad idea. Besides the SIM swapping issue, SMS isn't encrypted, which means that anyone that's listening on the network could intercept those verification codes and those one-time passwords. SIM swapping is so easy to do and so lucrative that even young inexperienced black hats are able to make millions by doing it.
One of the more recent SIM swapping hackers to be caught is 19-year-old Noah Michael Urban, known by various hacker identities such as Sosa, Elijah, and King Bob. He was recently arrested in Florida for committing wire fraud and aggravated identity theft, which resulted in at least $800,000 being stolen from at least five different victims. And he is also believed to be a core member of the Scattered Spider hacking group that was responsible for hacking into Twilio's customer support console by harvesting employee credentials from a targeted phishing attack. This Twilio incident allowed the hackers to attack other services that leveraged Twilio like Signal Messenger, which used Twilio for their phone number verification service. And there were other supply chain attacks that were carried out by Scattered Spider against services like Mailchimp that could have allowed the attackers to compromise accounts belonging to DigitalOcean or other similar services that utilized Mailchimp for emails related to account info. And in addition to hacking crypto software and telecom companies, Noah also liked to use his SIM swapping techniques to collect Grails, which are unreleased music tracks from popular artists. In particular, Noah liked to steal unreleased tracks from Lil Uzi Vert, Playboi Carti, and Juice WRLD. He even said that he had a dedicated folder for storing Grails that he had taken from these artists. And then he had a separate folder which just had a whole bunch of random unorganized Grails that he had stolen from other artists that I guess he didn't care as much about. So this should give you an idea of just how much access a SIM swapping attack can grant you. Phone numbers are the default account recovery method for most online services these days, including bank accounts. And a victim's personal phone number is oftentimes really easy to discover online or through database leaks from other services that have gotten hacked in the past.
People really don't change their phone numbers that often and people don't actually use their phone numbers directly that often. Now what I mean by that is most people, when they're communicating, use third-party apps like WhatsApp that don't actually require an active phone number or a SIM card to work. That's why when people travel internationally they'll oftentimes use WhatsApp to keep in touch with one another without having to pay those really high roaming or international charges. So when a hacker calls your mobile carrier to get them to switch your phone number onto a SIM card that they control so that they can then intercept your calls, you won't be able to receive regular phone calls or text messages on your phone until you contact the carrier to restore your number. But things like Signal, WhatsApp, Facebook Messenger, all those third-party messengers are going to keep working like nothing happened. So if a SIM swap attack happens to you, it could honestly be a few days until you notice that something is fishy, which makes this attack so much more dangerous. So what can you do to protect yourself from SIM swapping? Well, because these attacks have been so rampant, most cellular carriers at this point give you the option to put a transfer PIN on your account. So that means that your phone number cannot be transferred to a new SIM card without that PIN. You'd have to give it to the customer service rep over the phone or if you're going into one of the stores to try to do this transfer, they're going to ask for the PIN as well and they might even ask for your ID if you physically go to the store. But the numeric PIN codes typically are not something that's very secure. Like people have this habit where they like to make PIN codes things like their birth date or their favorite football player's jersey. And those are numbers that you could probably figure out through open source intelligence just through scrolling through their social media posts.
A hacker could put that together with just a little bit of recon. And ultimately the weakest link to a SIM swap is that customer service rep at the telecom who is probably paid a low wage and has very little security training themselves. So the risk of them being social engineered or even bribed to transfer out a phone number is just too high for some people to take that risk, which is why I recommend opting out of SMS account recovery options altogether and instead of using a code texted to your phone for two-factor authentication, use an authenticator app instead. These apps work by letting you scan a QR code that's generated by the account server for the online service that you want to secure. That QR code contains a secret algorithm that lets the authentication server and your authenticator app generate temporary one-time passwords or TOTPs that are in sync with each other without them having any direct network connection. So you're able to get your two-factor authentication code on your phone even when you don't have any Wi-Fi or cellular connection or anything like that. The TOTP code is never being sent over a network. So there's no way really for a hacker to intercept it. In fact, the only way a hacker could get your TOTP codes would be for them to get the algorithm from the QR code that you scanned when setting up your account. And then they would put that into their own authenticator app and then they could generate these codes and sync with you. But that QR code is typically only sent once when you're setting up your account and it's typically sent over an encrypted HTTPS connection. So you should definitely get yourself an authenticator app and switch your online accounts over to using it as your two-factor authentication method. Now there's a lot of options out there for authenticator apps. Personally, I recommend Aegis Authenticator because it's free and open source.
It lets you set a password on the app itself so someone can't just get to your secret codes by just stealing and unlocking your phone. And most importantly, it lets you create encrypted backups of your codes to a location of your choosing. So you can easily create 3-2-1 backups of your TOTP codes, which you should do because those codes are just as important as your passwords. So make sure you apply this knowledge and take the necessary steps to secure your accounts today. Like and share this video to spread the word to others. And if you want to support my work, consider shopping on my online store base.win where you can buy my merch and save 10% at checkout automatically when paying in Monero XMR. Have a great rest of your day.