SIM Swapping
(operational methodology rather than vendor product) A category of social-engineering and insider-corruption attack against mobile-carrier account-management infrastructure that transfers a victim's phone number from the victim's SIM card to a SIM card controlled by the attacker. Once the transfer completes, the attacker receives the victim's incoming SMS messages, voice calls, and SMS-delivered second-factor authentication codes, which compromises any account the victim has secured with SMS-based two-factor authentication. Distinct from SS7 exploitation, which intercepts traffic without requiring any account-control compromise.
Overview
SIM swapping is the defining post-2017 attack against SMS-based two-factor authentication. Its logic rests on one observation: SMS-based 2FA, widespread across consumer banking, cryptocurrency exchanges, email services, and adjacent online-service authentication in the 2010–2020 period, assumed that whoever was in operational control of a phone number was the subscriber to whom that number was assigned. A SIM swap breaks that assumption: by having the carrier transfer the phone number from the subscriber to the attacker, it compromises every SMS-2FA-secured account associated with that number.
The documented scale of the post-2017 SIM-swap pattern has been substantial. FBI reporting across the post-2018 period identifies approximately 1,000 reported incidents per year through the 2018–20 period, rising to approximately 1,600 reported incidents in 2021 and approximately 2,000 reported incidents in 2022. Documented per-incident financial losses range from a few thousand dollars to seven-figure losses in cryptocurrency-related cases. The aggregate documented financial loss attributable to the post-2018 SIM-swap pattern is approximately $400 million across the documented period, and the asserted position is that the actual loss is substantially higher than the reported figure.
Subsequent reform across the post-2020 period, driven principally by the November 2021 FCC notice of proposed rulemaking and the 2024 FCC rules, has constrained but not eliminated the viability of the attack. The settled position is that SIM swapping remains an active threat against accounts secured with SMS-2FA, and that the response requires migrating authentication flows from SMS-2FA to more secure alternatives (TOTP authenticator applications, hardware security keys, passkeys).
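Why that migration matters to a relying party, as an added example that is not part of the original article: an RFC 6238 TOTP verifier next to a constructed model of carrier-side number routing, showing that an SMS code follows the number while a TOTP code follows the secret enrolled on the device. The `Carrier` class, SIM names, phone number, secret and SMS text are all constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_totp(secret, submitted, unix_time, step=30, window=1, digits=6):
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = int(unix_time) // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        expected = hotp(secret, counter + delta, digits).encode()
        # Constant-time compare with no early exit, so timing leaks nothing.
        ok |= hmac.compare_digest(expected, submitted.encode())
    return ok

class Carrier:
    """Constructed model: the carrier decides which SIM a number routes to."""
    def __init__(self):
        self.routing, self.inboxes = {}, {}
    def assign(self, number, sim_id):
        self.routing[number] = sim_id
        self.inboxes.setdefault(sim_id, [])
    def deliver_sms(self, number, text):
        self.inboxes[self.routing[number]].append(text)

def sms_vs_totp_after_number_move(now=1_700_000_000):
    secret = b"constructed-demo-secret"       # constructed; enrolled on the device
    carrier = Carrier()
    carrier.assign("+15550100", "sim-subscriber")
    carrier.assign("+15550100", "sim-other")  # number now routes to another SIM
    carrier.deliver_sms("+15550100", "login code 482913")  # constructed SMS code
    device_code = totp(secret, now)           # computed locally, never sent by SMS
    return {
        "sms_reached_subscriber": bool(carrier.inboxes["sim-subscriber"]),
        "sms_reached_new_sim": bool(carrier.inboxes["sim-other"]),
        "totp_from_device_accepted": verify_totp(secret, device_code, now),
    }
```

The property only holds if enrolment and account recovery do not fall back to an SMS sent to the same number.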
Origins / Methodology
SIM swapping originates in the design of mobile-carrier customer-service infrastructure across the post-2000 period. Customer-service representatives had the authority to transfer a subscriber's phone number to a different SIM card on the subscriber's request, a service feature designed for the legitimate case of subscribers replacing lost or damaged SIM cards. The verification framework, that is, how the representative authenticated the requesting party as the actual subscriber, was inadequate against social-engineering attacks.
The attack vectors documented in the post-2010 published record fall into three principal categories.
Social-engineering vector
The attacker contacts the victim's mobile carrier through the customer-service telephone line, the retail-store walk-in channel, or the online customer-service channel, and impersonates the victim with enough pretext to persuade the customer-service representative to authorise the transfer of the victim's phone number to a SIM card the attacker controls. The pretext relies on personal identifying information about the victim that the attacker has previously obtained from prior data breaches, social-media reconnaissance, or adjacent open-source-intelligence research, sufficient to satisfy the representative's verification protocol. In the post-2017 academic literature, the documented success rate of the social-engineering vector was approximately 80% against essentially every major US mobile carrier across the 2018–2020 period. The principal documented record is the 2020 Princeton University study An Empirical Study of Wireless Carrier Authentication for SIM Swaps by Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan.
Insider-corruption vector
The attacker pays a mobile-carrier employee (a retail-store employee, a customer-service representative, or a back-office account-management employee) to perform the SIM transfer as part of the employee's ordinary course of business. The documented record across the post-2018 period includes multiple federal-court indictments against AT&T, T-Mobile, and Verizon retail and call-centre personnel, including the 2018 Michael Terpin SIM-swap case (involving an AT&T retail-store employee), the 2020 cohort of T-Mobile retail-store and call-centre indictments, and subsequent additions.
Account-credential-compromise vector
The attacker obtains the victim's online carrier-account credentials through phishing, credential stuffing from prior data-breach material, or adjacent compromise vectors, and performs the SIM transfer through the victim's self-service carrier-account portal. This vector depends on the carrier's customer-account portal permitting self-service SIM transfer without additional authentication beyond the basic account credentials, a design pattern that was common across the 2015–2022 period and has been constrained by post-2022 carrier reforms.
Documented operational deployments
Confirmed: Joel Ortiz federal conviction (2018–19). The prosecution of Joel Ortiz, then a 20-year-old college student in Boston, Massachusetts, for conducting approximately forty SIM-swap attacks across the 2018 period that produced approximately $7.5 million in stolen cryptocurrency, was the first felony-conviction case for SIM-swap conduct in the United States. Ortiz pleaded guilty in February 2019 and was sentenced to ten years in California state prison.
Confirmed: Michael Terpin civil case (2018–present). The 2018 SIM-swap attack against cryptocurrency entrepreneur Michael Terpin, conducted by an AT&T retail-store employee, produced approximately $24 million in stolen cryptocurrency. Terpin's subsequent civil litigation against AT&T (filed 2018, with ongoing settlement-related litigation across the post-2020 period) has been the reference case on the question of mobile-carrier liability for SIM swaps.
Confirmed: Jack Dorsey Twitter SIM-swap (August 2019). The 30 August 2019 SIM-swap attack against Twitter co-founder and then-CEO Jack Dorsey, which produced approximately fifteen minutes of attacker control over Dorsey's @jack Twitter account through the Twitter SMS-publishing feature, was the most-documented public-figure SIM-swap case. Twitter's response across the post-2019 period included the discontinuation of the SMS-publishing feature.
Confirmed: Cryptocurrency-investor cohort (2017–2022). The post-2017 wave of SIM-swap attacks against cryptocurrency investors produced approximately $300 million in documented stolen-cryptocurrency losses across the period. The pattern involved targeting cryptocurrency-exchange accounts secured with SMS-based two-factor authentication, with the consequence that the attacker obtained access to the victim's exchange account and transferred the cryptocurrency holdings to attacker-controlled wallets.
Confirmed: REACT Task Force response (2018–present). The Regional Enforcement Allied Computer Team (REACT) Task Force, the cooperative law-enforcement vehicle established by the Santa Clara County District Attorney's Office and expanded across the post-2018 period, has been the principal vehicle for the prosecution of SIM-swap attacks. The documented REACT Task Force record across the post-2018 period includes approximately 100 SIM-swap-related federal and state prosecutions.
Legal / Oversight framework
The response to the post-2017 SIM-swap pattern has comprised two principal tracks.
Federal Communications Commission rulemaking
The November 2021 FCC notice of proposed rulemaking on SIM-swap and port-out fraud, published as Protecting Consumers from SIM Swap and Port-Out Fraud (FCC 21-128), was the principal federal-regulatory engagement with SIM swapping. The 2023 FCC rules required mobile carriers to implement defined customer-authentication procedures before authorising SIM transfers, required customer notification of SIM transfer requests, and established reporting requirements for SIM-swap-related incidents.
Federal criminal prosecution framework
The federal criminal prosecution framework for SIM-swap conduct applies the Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030) for the unauthorised access to the victim's online accounts, the wire fraud statute (18 U.S.C. § 1343) for the transmission of fraudulent communications across state lines, and the aggravated identity theft statute (18 U.S.C. § 1028A) for the unauthorised use of the victim's identity. The documented post-2018 federal-prosecution record has produced approximately fifty SIM-swap-related federal convictions across the period.
Sources & Further Reading
- Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, Princeton University, 2020. The principal academic empirical study of US carriers' resistance to SIM swaps.
- Federal Communications Commission, Protecting Consumers from SIM Swap and Port-Out Fraud, FCC Notice of Proposed Rulemaking, 18 November 2021.
- Federal Bureau of Investigation, FBI Reports Rise in SIM-Swap Fraud, Internet Crime Complaint Center Public Service Announcement, 8 February 2022.
- United States v. Ortiz, federal indictment filed 2018, plea agreement February 2019. The first felony-conviction case for SIM-swap conduct.
- Terpin v. AT&T Mobility LLC, federal civil action 2:18-cv-06975 (C.D. Cal., filed August 2018). The principal civil-litigation track on mobile-carrier liability.
- Brian Krebs, KrebsOnSecurity, ongoing investigative coverage of the SIM-swap landscape across the post-2017 period.
- US Government Accountability Office, Identity Theft: SIM Swap Fraud and Mobile Carrier Vulnerabilities, GAO-23-105828, March 2023.
- Federal Trade Commission, SIM Swap Scams: How to Protect Yourself, FTC Consumer Advisory.
- Lily Hay Newman, The Sad Tale of an Encrypted Email Provider Caught Up in a SIM Swap Crime, Wired, March 2020. Subsequent commentary.
- Michael McGuire and Samantha Dowling, Cyber Crime: A Review of the Evidence, UK Home Office Research Report 75, October 2013. The pre-2017 foundation literature.