Everyone's talking about SIM swapping attacks, and what to do if it happens to you. The narrative is simple: the criminal motive is cryptocurrency theft, and mobile carriers' weak safeguards against social engineering is an attractive criminal opportunity. If you're a target, your phone number (and all the accounts it's tied to) will be taken.
SIM swapping is not a new threat, as more than USD 50 million has been reportedely stolen from over 800 individuals since 2018, but a new wave of coordinated attacks targets U.S. cryptocurrency holders.
The narrative works because it absolves all parties from the burden of responsibility. If you're a victim of a SIM swapping attack, hey, it's not your fault, these things just happen. But the narrative is a lie; criminal intent is merely the symptom of a system based on the lie that your phone number is necessary to verify your identity. The system is broken.
Identity / IRL
When guns are outlawed, only outlaws will carry guns.
Thanks to regulatory capture, the internet is wrong. Hackers enjoy anonymity, bots mask their origin, spammers use throwaway email addresses. The rest of us are threatened by stalkers, violent ex partners, and live in countries where speech isn't free. We could be doxxed or swatted or worse.
Account registrations require valid email addresses. Dating and social media websites want your full name. Your email provider, your streaming media services, that stupid little keychain barcode for discounts at the supermarket - they all need to verify your phone number. SMS 2FA is fundamentally broken, but every major bank relies on it as a source of truth.
None of this information is relevant to the services provided. LinkedIn doesn't need to know your phone number and OkCupid doesn't need your full name. But like an interrogator, they squeeze you for more and more information because they can sell it for a profit. That's the real reason SIM swapping attacks happen. We've allowed corporate greed to own our identity.
Published August 30, 2019 by Ethan F Grant