A SIM Switch Account Takeover (Mine)

It happened on the second to last day of a wonderful family trip to Southeast Asia. I looked at my mobile phone in the morning and it had an alert that said something like “SIM not recognized.” I should probably have figured out something was amiss right then, but instead I simply assumed that my phone had tried to register on an unsupported network. As I was sitting down for breakfast, suddenly 3 emails arrived in rapid succession that made me realize I was being hacked (time order is from bottom to top):

[image: screenshot of the three emails]

Argh! Clearly someone had gotten my SMS messages to go to them instead and used them to hack my old Yahoo email account. They quickly changed the password to lock me out and removed my alternate email.

From there I figured their next stop would be Twitter. That’s one of the few services where I used that email address. I ran back to my hotel room and tried to change my email address on my logged-in Twitter account. Alas, I was too late. The attacker had already reset the password and I was logged out.

The attacker then made a single tweet (and, as I later discovered, one rude reply) and pinned it:

[image: screenshot of the pinned tweet]

Immediately people started remarking that this didn’t sound at all like me and that I had probably been hacked. Several people also texted me, but obviously those texts went to the attacker’s phone!

Thankfully the team at USV immediately jumped into action. They replied to the tweet and others who were quoting it that my account had been hacked. They helped me contact Twitter and have my account suspended and the tweet removed (which happened quite quickly but seemed like an eternity to me). In the meantime I got on the phone with T-Mobile to regain control of my phone.

I let T-Mobile know that someone had gotten into my account. They pretty quickly established that there had been a transfer of the SIM to a different SIM. I asked, somewhat irately, how that was possible given that I had a password on the account. I was told that someone had shown up at a T-Mobile store as me and presented a valid ID. I was able to convince the rep that this had not been me. Thankfully they could see that I was calling from Thailand, and I was able to answer all the security questions and to produce the number off the SIM card actually in my phone. From there it only took a few minutes to have the SIM switched back.

With the phone number once again in my control what remained was getting my Twitter and Yahoo accounts back. Thankfully I was able to get great connections to support at both companies and they got this done in record time.

What are the takeaways? First, my accounts that were protected with Google Authenticator were safe (the attacker did try to go after these but without success). Second, someone went to fairly great lengths to get the SIM on my phone switched. This is all the more surprising given the fairly obvious tweet they sent.

So: SMS based 2FA is vulnerable (which is well known) if someone either ports your number outright or, more likely, can switch your SIM. I am pretty sure that T-Mobile will not switch my SIM again. Nonetheless, wherever possible I will now make sure to use a different second factor.

Tags: #security #sim #2fa