SIM Swapping: they asked for a chip in her name and stole her phone line and her social network accounts

Rosario Lanusse is 46 years old. She is a social communicator, directs Tigris magazine, and is a photographer and video editor. She is also the protagonist of an intense day of confusion and despair. At 9:30 a.m. on October 26, her cell phone, her main work tool, lost signal. That could have been normal, but it was not: her data plan did not work, and neither did her line. Her bill, on the other hand, was paid. A forced airplane mode. And an inexplicable one.

Morning: no signal

"I changed the phone's chip and it didn't work on another phone either, I didn't understand anything," recalls Lanusse. But it was just the beginning of a difficult day. With a Wi-Fi connection, she could stay connected to the main services, the ones she uses the most. However, by noon the issue began to worsen: “Suddenly, WhatsApp closed for me and it told me that it was going to send me a code to my phone by SMS to enable it. But of course, I no longer had a line…”, she explains.

Noon: someone was talking on WhatsApp and it wasn't her

Up to that point she did not know what was happening, until she began to suspect one possibility: someone had activated her phone number on another chip. And the ordeal was only beginning: that other person started to speak in her family WhatsApp groups. "She pretended to be me and talked to my children," she recalls. "It was very ugly: it was me writing and it wasn't me."

Later: she lost her Instagram account

Her Instagram account @rochilanu (more than 50 thousand followers), meanwhile, was still active, but not for long. She could not work out how: she has the second authentication factor activated, so if someone knew her password, they would also need a code that is sent by SMS to her cell phone (that is why it is called two-step authentication: in addition to the password, it requires a temporary key). With the line in their power they could receive that second key, but they still lacked the password. But Instagram has a window that the attackers took advantage of: the password can be reset for cases where the user has forgotten it. In those cases, a code is sent by text message… to her line. Again the same problem: the number was in the hands of other people. And so they accessed her account.

They erased her online identity

“They had deleted my biography, they changed the region, they put the account in private mode. I had a stock with a mark, they deleted it,” she explains. However, she found a clue: by email, she received a notification that someone had entered her Instagram account. "Was it you?" asked Instagram's automatic system. So she went in and put up a "fight". She would change the password and recover the account for a while. But the criminals changed her password again with the aforementioned method. And so on, several times. "I defended myself by email and they went by cell phone," she recalls.

In the afternoon: denying herself

The fight lasted several hours. On WhatsApp, the person posing as her closed groups in which she was an administrator. That person spoke in school parent chats and said "bye love" to one of her children (the answer was an insult). Her relatives, of course, were already aware. They were. The rest of the people who know Rosario Lanusse, but who do not live with her or see her on a daily basis, were not. “And on top of that I couldn't deny it. I was incommunicado.”

At 4:43 p.m.: “Do you want the account or not?”

At 4:43 p.m., finally, she received a private message on Instagram that sounded like extortion: “Do you want the account or not?” She did not answer. Finally, after more than a day and a half of fighting with Movistar, she was able to buy another chip, regain control of her line and reestablish all services. But she lost statistics, chats and, above all, a lot of time. All private messages from her accounts were visible to that other person. She hadn't done anything and yet she entered a complex labyrinth from which it was difficult for her to get out. "If I wasn't around with the computer, I lost everything," she reflected. In fact, she only recovered her Facebook account a week later.

How could this happen to her?

What happened to Rosario Lanusse is known as SIM Swapping. The attackers manage to buy a chip associated with the victim's line. When it is activated, the previous SIM is deactivated. They can then access all her personal information and, above all, use the captured line for the cell phone verification that social network accounts, WhatsApp and even banks usually request when operating over the Internet. With that verification via text message, and having taken over the line, they have everything they need to prove they own that line and that online account. In the case of Lanusse, the ordeal could have been worse. Could they have accessed her home banking? Although Lanusse had double verification on Instagram (protection that was diluted by the possibility of logging in without knowing the password), on WhatsApp she did not have the security PIN, something that would have prevented third parties from appropriating that account. What would have happened if she hadn't moved quickly is anyone's guess. They could have used her identity to offer dollars to known contacts, taking advantage of trust, or to ask for a monetary favor, as happened in Río Negro in May of this year.
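The reasoning in the Instagram and WhatsApp passages above, worked through as an added example that is not part of the original article: a small model that checks which account setups fall to someone who controls only the phone line. The flow definitions and factor names are simplifying assumptions, not the services' real logic.

```python
# Added illustration. Each flow is (factors required, what the flow grants).
# Flow definitions are a simplified, assumed model of the article's description.

def reachable(held, flows):
    """Fixpoint: keep applying every flow whose requirements are all held."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for requires, grants in flows:
            if set(requires) <= held and not set(grants) <= held:
                held |= set(grants)
                changed = True
    return held

def taken_over(held, flows):
    """True if the held factors are enough to end up controlling the account."""
    return "account" in reachable(held, flows)

# Whoever controls the line receives every SMS code sent to it.
SIM_SWAPPER = {"sms_code"}

CONFIGS = {
    # Password + SMS second factor, but "forgot password" also resets by SMS.
    "instagram_sms_2fa": [
        (("password", "sms_code"), ("account",)),
        (("sms_code",), ("password",)),
    ],
    # Registration by SMS code only, no security PIN set.
    "whatsapp_no_pin": [(("sms_code",), ("account",))],
    # Same registration, with the security PIN enabled.
    "whatsapp_with_pin": [(("sms_code", "pin"), ("account",))],
    # App-generated codes as second factor, password reset by email only.
    "app_codes_email_reset": [
        (("password", "app_code"), ("account",)),
        (("email_access",), ("password",)),
    ],
}

def audit(held=SIM_SWAPPER):
    """Map each configuration to whether the held factors lead to takeover."""
    return {name: taken_over(held, flows) for name, flows in CONFIGS.items()}

if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name:24} {'EXPOSED' if exposed else 'holds'}")
```

The SMS reset flow is what turns the two-step login into a single factor: the same SMS code grants the password and then satisfies the second step.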

The peculiarity of the pandemic

“It is a problem of the operators. They would have to make people more aware so they can identify these scams, and not allow a SIM to be handed over with only a few pieces of data. At some point asking for the DNI process number was also considered, but as we saw with the Renaper leak, that is not safe either. SIM delivery should, without exception, happen at a company branch, where the operator who delivers the SIM physically verifies that the person is the owner,” says computer security specialist Emiliano Piscitelli.

LA NACION asked Movistar how someone could request a chip in Lanusse's name. The company explained that it could be a problem associated with a procedure that was in place during the pandemic, with its isolation and protocols. “Once the pandemic and the sanitary confinement measures that led -among other measures- to the temporary closure of the Customer Service Centers (CECs) took hold, the company enabled the sale of chips at different points, such as kiosks, to make it easier for its customers to stay connected. Thus, a chip could be purchased at one of these points and, once installed in the equipment, the person who bought it had to pass 4 identity validation questions and the number of the line in question”. The company clarified that this possibility no longer exists. “Currently, and as face-to-face attention was restored at the CECs, Movistar withdrew from the market in Buenos Aires and in the places where it has a presence, the chips that had not yet been sold, for which customers who need to replace their chip must go to a shopping center of the company or call by phone to validate their identity.”

Computer security specialist Emiliano Piscitelli points out some measures to prevent this type of attack, which can appear unexpectedly. “You should not use your cell phone number to recover passwords or as a second authentication factor. Instead use apps like Google Authenticator, which provide codes within the app.” In the event of losing the line, "consult the operator as soon as possible, to find out if it is due to technical problems or if we were victims of this type of attack." A forced airplane mode that Rosario Lanusse will not forget.