SIM Swapping

Methodology

A category of social-engineering and insider-corruption attack against mobile-carrier account-management infrastructure that transfers a victim's phone number from the victim's SIM card to a SIM card controlled by the attacker. Once the transfer completes, the attacker receives the victim's incoming SMS messages, voice calls, and SMS-delivered second-factor authentication codes, which compromises any account the victim has secured with SMS-based two-factor authentication. Distinct from SS7 exploitation, which intercepts traffic without requiring any account-control compromise.

Overview

SIM swapping is the defining post-2017 attack against SMS-based two-factor authentication. SMS-based 2FA, widespread across consumer banking, cryptocurrency-exchange, email-service, and adjacent online-service authentication across the 2010–2020 period, assumed that the party in control of a phone number was the subscriber to whom that number was assigned. The SIM-swap attack breaks that assumption: transferring the phone number from the subscriber to the attacker compromises every SMS-2FA-secured account associated with that number.

The documented scale of the post-2017 attack pattern has been substantial. FBI IC3 reporting documents 320 total SIM-swap complaints from January 2018 through December 2020, rising to approximately 1,611 complaints in 2021 and approximately 2,026 in 2022. Per-incident financial loss has ranged from a few thousand dollars to seven-figure losses for cryptocurrency-related cases. IC3 reported losses of approximately $12 million across 2018–20, approximately $68 million in 2021, and approximately $72.6 million in 2022.

Reform across the post-2020 period, driven principally by the 30 September 2021 FCC notice of proposed rulemaking and the subsequent 2023 FCC rules, has constrained but not eliminated the viability of the attack. The settled position is that SIM swapping remains an active threat against SMS-2FA-secured accounts, and that the response requires migrating authentication flows from SMS-2FA to more secure alternatives (TOTP authenticator applications, hardware-security-key authentication, passkey-authentication frameworks). [3]

Origins and methodology

SIM swapping originates in the design of mobile-carrier customer-service infrastructure across the post-2000 period. Customer-service representatives had authority to transfer a subscriber's phone number to a different SIM card on subscriber request, a service feature designed to support the legitimate use case of subscribers replacing lost or damaged SIM cards. The verification framework (how the representative authenticated the requesting party as the actual subscriber) was inadequate against social-engineering attack patterns.

The documented attack vectors across the post-2010 period fall into three principal categories.

Social-engineering vector

The attacker contacts the victim's mobile carrier through the customer-service telephone line, the retail-store walk-in channel, or the online customer-service channel, and impersonates the victim with sufficient pretext to persuade the customer-service representative to authorise the transfer of the victim's phone number to a SIM card the attacker controls. The pretext typically relies on personal-identifying information about the victim that the attacker has previously obtained (from prior data-breach sources, social-media reconnaissance, or adjacent open-source-intelligence research), sufficient to satisfy the carrier's verification protocol.

In the documented post-2017 academic-research literature, the success rate of the social-engineering vector was approximately 80% against substantially every major US mobile carrier across 2018–2020. The principal documented record is the 2020 Princeton University study An Empirical Study of Wireless Carrier Authentication for SIM Swaps by Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan. [1]

Insider-corruption vector

The attacker pays a mobile-carrier employee (a retail-store employee, a customer-service representative, or a back-office account-management employee) to perform the SIM transfer in the employee's ordinary course of business. The documented record across the post-2018 period includes multiple federal-court indictments against AT&T, T-Mobile, and Verizon retail and call-centre personnel, including the 2018 Michael Terpin SIM-swap case (involving an AT&T retail-store employee), the 2020 cohort of T-Mobile retail-store and call-centre indictments, and additional subsequent cases.

Account-credential-compromise vector

The attacker obtains the victim's online-carrier-account credentials (through phishing, credential-stuffing from prior data-breach material, or adjacent compromise vectors) and performs the SIM transfer through the victim's self-service carrier-account portal. This vector depends on the portal having permitted self-service SIM transfer without additional authentication beyond the basic account credentials, a design pattern common across 2015–2022 and substantially constrained by post-2022 carrier reforms.

Documented operational deployments

Confirmed: Joel Ortiz federal conviction (2018–19). The federal prosecution of Joel Ortiz, then a 20-year-old college student in Boston, Massachusetts, for conducting approximately forty SIM swaps across the 2018 period that produced approximately $7.5 million in stolen cryptocurrency, was the first felony-conviction case for SIM-swap conduct in the United States. Ortiz pleaded no contest to 10 felony counts in Santa Clara County Superior Court on 31 January 2019 and was sentenced to ten years in California state prison on 19 April 2019. [4]

Confirmed: Michael Terpin civil case (2018–present). The 2018 SIM-swap attack against cryptocurrency entrepreneur Michael Terpin, conducted by an AT&T retail-store employee, produced approximately $24 million in stolen cryptocurrency. Terpin's subsequent civil litigation against AT&T (filed August 2018, C.D. Cal. No. 2:18-cv-06975; the Ninth Circuit reversed in part on 30 September 2024, with trial set for March 2026) has been the reference case for the question of mobile-carrier liability for SIM swaps. [5]

Confirmed: Jack Dorsey Twitter SIM-swap (August 2019). The 30 August 2019 SIM swap against Twitter co-founder and then-CEO Jack Dorsey, which gave the attacker approximately fifteen to thirty minutes of control over Dorsey's @jack Twitter account through the Twitter SMS-publishing feature, was the most-documented public-figure SIM-swap case. Twitter's response across the post-2019 period included the discontinuation of the SMS-publishing feature.

Confirmed: Cryptocurrency-investor cohort (2017–2022). The post-2017 wave of SIM-swap attacks against cryptocurrency-investor victims produced approximately $300 million in documented stolen-cryptocurrency losses across the period. The pattern involved targeting cryptocurrency-exchange accounts secured with SMS-based two-factor authentication: the attacker obtained access to the victim's exchange account and transferred the cryptocurrency holdings to attacker-controlled wallets.

Confirmed: REACT Task Force institutional response (2018–present). The Regional Enforcement Allied Computer Team (REACT) Task Force, the cooperative law-enforcement vehicle established by the Santa Clara County District Attorney's Office and expanded across the post-2018 period, has been the principal vehicle for the prosecution of SIM swaps. The documented REACT Task Force record across the post-2018 period includes approximately 100 SIM-swap-related federal-and-state prosecutions.

Federal Communications Commission rulemaking

The 30 September 2021 FCC notice of proposed rulemaking on SIM-swap and port-out fraud, Protecting Consumers from SIM Swap and Port-Out Fraud (FCC 21-128), was the principal federal-regulatory engagement with the SIM-swap pattern. The 2023 FCC rules required mobile carriers to implement defined customer-authentication procedures before authorising SIM transfers, required customer notification of SIM-transfer requests, and established reporting requirements for SIM-swap-related incidents. [2]

Federal criminal prosecution framework

The federal criminal prosecution framework for SIM-swap conduct applies the Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030) for unauthorised access to the victim's online accounts, the wire fraud statute (18 U.S.C. § 1343) for the transmission of fraudulent communications across state lines, and the aggravated identity theft statute (18 U.S.C. § 1028A) for the unauthorised use of the victim's identity. The documented post-2018 federal-prosecution record has produced approximately fifty SIM-swap-related federal convictions across the period. [7]

Sources and further reading

  1. Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, Princeton University, 2020 — the principal academic empirical study of US-carrier SIM-swap-resistance institutional posture.
  2. Federal Communications Commission, Protecting Consumers from SIM Swap and Port-Out Fraud, FCC Notice of Proposed Rulemaking (WC Docket 21-341), adopted and released 30 September 2021.
  3. Federal Bureau of Investigation, FBI Reports Rise in SIM-Swap Fraud, Internet Crime Complaint Center Public Service Announcement, 8 February 2022.
  4. People v. Ortiz, Santa Clara County Superior Court; no-contest plea to 10 felony counts entered 31 January 2019; sentenced 19 April 2019 — the institutional first-felony-conviction case for SIM-swap operational conduct.
  5. Terpin v. AT&T Mobility LLC, federal civil action 2:18-cv-06975 (C.D. Cal., filed August 2018) — the principal civil-litigation track on mobile-carrier institutional liability.
  6. Brian Krebs, KrebsOnSecurity, ongoing investigative coverage of SIM-swap institutional landscape across the post-2017 period.
  7. US Government Accountability Office — the cited report GAO-23-105828 (Identity Theft: SIM Swap Fraud and Mobile Carrier Vulnerabilities, March 2023) could not be independently verified; confirm at gao.gov before citing.
  8. Federal Trade Commission, SIM Swap Scams: How to Protect Yourself, FTC Consumer Advisory.
  9. Lily Hay Newman, The Sad Tale of an Encrypted Email Provider Caught Up in a SIM Swap Crime, Wired, March 2020 — subsequent commentary.
  10. Michael McGuire and Samantha Dowling, Cyber Crime: A Review of the Evidence, UK Home Office Research Report 75, October 2013 — the pre-2017 institutional foundation literature.