Going by the fact that Twitter has today suspended the ability to tweet via SMS, it now seems highly likely that earlier reports that Twitter CEO Jack Dorsey fell victim to a SIM-swap scam were accurate.
We don’t yet know the full facts, but it looks like his mobile phone network provider was duped into transferring his cellphone number onto a different SIM card, the practice known as “SIM-swapping”. Once the number had been transferred, whoever requested the swap received, at the very least, every SMS message subsequently sent to the CEO’s number. With that, if Jack had enabled 2FA via SMS for logging into his Twitter account (still the default 2FA setting), then anyone who also knew his username and password would have received the one-time code by text and so could have defeated that extra layer of security. Had 2FA been set up with a separate authenticator app, that could not have happened, because an app’s codes are derived from a secret held on the device and never travel over the phone network.
Alternatively, and maybe this morning’s news from Twitter confirms it, having effectively gained control of “his” cellphone number via a SIM-swap, perhaps the hacker simply started tweeting via SMS from it. That would be the most straightforward explanation, since tweeting by text from the registered number needs neither his password nor a 2FA code, only control of the number. None of which changes the fact that an unauthorised SIM-swap should never happen in the first place.
So what can we, and Jack, do differently to stop something like this happening?
Thankfully there are things we can do to make a SIM-swap less likely and, more importantly, to limit what an attacker gains if one does happen.
Unfortunately, if your mobile network provider has weak staff training or lax governance procedures, there is little we can do as individuals to guarantee that our number is never moved to a different SIM without our knowledge.
The damage that swap might do, though, is very much down to us.
What we can do becomes a matter of focusing on what is generally good online practice in any case:
– Use a unique, strong password for every single online account you have (a password manager makes this practical). That way, a breach at one site, say an online store, gives the criminal nothing they can reuse to log into, say, your Twitter account.
– Set up an account PIN (sometimes called a port-out or security PIN) with your mobile network provider. That way, even if someone requesting a swap of your number talks their way through the provider’s identity checks, the provider should refuse to move the number without the correct PIN.
– Wherever it is offered, turn on two-factor or multi-factor authentication (2FA/MFA). If the service gives you the choice, generating the code with an authenticator app on your phone is considerably safer than receiving it via SMS: the app’s codes come from a secret stored on the device, so they are unaffected if your number is moved onto someone else’s SIM. Once app-based 2FA is on, also consider whether your phone number still needs to be attached to the account at all, since a number that can tweet by text is a second way in that does not involve your password.
– Stay vigilant against phishing emails and other messages containing links or requests to log in to a site. Once criminals have your phone number under their control, they will try to assemble as much of “you” as possible, either to use it themselves or to sell your profile on the dark web.
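To make concrete why the two flavours of 2FA behave so differently after a SIM-swap, here is an added Python illustration. It is not Twitter’s or any carrier’s code and is not part of the original post. It implements the HOTP/TOTP algorithms that authenticator apps use (RFC 4226 and RFC 6238), seeded with the RFC 6238 test secret so the 8-digit outputs can be checked against the RFC’s Appendix B vectors, and it models SMS 2FA as a random code handed to a carrier lookup table that a SIM swap rewrites. The phone number, the fixed clock value and the carrier model are constructed assumptions for the demo.

```python
"""Why an authenticator app survives a SIM swap but SMS codes do not.

Added illustration (not Twitter's or any carrier's code). The one-time
password maths follow RFC 4226 / RFC 6238; the shared secret below is the
RFC 6238 test secret, so the 8-digit values match the RFC's Appendix B.
"""
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test secret ("12345678901234567890" as ASCII).
# In real life this is generated at enrolment and stored only on the
# phone and the server; it never leaves the device afterwards.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accepts the current step and `window` steps either
    side to absorb clock drift, and compares in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# --- The SMS model, for contrast -------------------------------------------

def sms_otp_challenge(phone_number: str, carrier_inbox: dict) -> str:
    """Models SMS 2FA: the server picks a random code and hands it to the
    carrier for delivery to whatever SIM currently holds `phone_number`.
    `carrier_inbox` stands in for the carrier's number-to-SIM mapping, which
    is exactly what a SIM swap rewrites. Constructed for illustration only."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    carrier_inbox[phone_number] = code          # lands on whoever holds the SIM
    return code


def sim_swap_demo() -> dict:
    """Walk through both factors after the carrier moves the victim's number.

    Returns which factor the attacker could satisfy.
    """
    victim_number = "+15555550100"               # constructed
    now = 1_600_000_000                          # fixed clock, constructed

    # SMS factor: the carrier now routes the number to the attacker's SIM,
    # so the attacker reads the very code the server just sent.
    carrier_inbox = {}                           # number -> last SMS received
    server_code = sms_otp_challenge(victim_number, carrier_inbox)
    attacker_sees = carrier_inbox[victim_number]
    sms_defeated = attacker_sees == server_code

    # App factor: the attacker has the number but not the device-bound seed,
    # so the best they can do is a code from a seed that is not the victim's.
    attacker_guess = totp(b"not-the-victims-seed", now)
    app_defeated = verify_totp(RFC6238_SECRET, attacker_guess, now)
    legit_user_ok = verify_totp(RFC6238_SECRET, totp(RFC6238_SECRET, now), now)

    return {
        "sms_factor_defeated_by_sim_swap": sms_defeated,
        "app_factor_defeated_by_sim_swap": app_defeated,
        "legitimate_app_login_still_works": legit_user_ok,
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1 row for T = 59 seconds gives "94287082"
    print(totp(RFC6238_SECRET, 59, digits=8))
    print(sim_swap_demo())
```

The point the demo makes is structural, not cryptographic: the SMS code is correct for whoever receives the text, and a SIM swap simply changes who that is, whereas the TOTP code can only be produced by a party holding the enrolment seed, which the carrier never had. The same seed-based check also shows why the number attached to the account is worth reviewing: the app factor does not need it.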