Skip to content

Instantly share code, notes, and snippets.

@karllhughes

karllhughes/sim-swap.md

Last active February 13, 2023 19:00
Show Gist options
  • Save karllhughes/91468397b6e275f05509eaa84e577eef to your computer and use it in GitHub Desktop.
Save karllhughes/91468397b6e275f05509eaa84e577eef to your computer and use it in GitHub Desktop.
Download ZIP
What to do if you get Sim-Swapped
Raw
sim-swap.md

Here's how this attack works: https://www.google.com/amp/s/www.zdnet.com/google-amp/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

Immediate actions

  • Make sure your primary email address has a secure recovery method and remove your old phone number from it.
    • Gmail lets you set "Backup codes" that you can print off to recover your account.
    • Change your email password and put it in a password manager.
    • Remove any link to the old phone number from your email.
  • If you're already locked out of your email, set up a "clean" email account. At this point, your old one is being accessed by hackers and can be used to reset any banking passwords.
    • Store this new email password in a password manager.
    • You can also contact your email provider to ask about recovering the old email, but that may take a while, so you will want to switch as many accounts to the new email as possible.
  • Top concern is making sure hackers can't get access to your bank accounts, retirement funds, social security, file taxes, etc.
    • Change any financial institution passwords, store them in a password manager (see below).
    • If you had to move to a clean email address, make sure to change the email associated with your accounts as well.
    • Call bank, tell them your phone number has been stolen and you'd like to lock any major transactions for 30 days (or until you get your phone number back).
    • Make sure your financial advisor, and anyone who might email you sensitive data knows and uses your new clean email.
  • Go through all your other accounts online and change the passwords (and emails if necessary), storing each in a password manager.

Long-term tips

  • Reset all your passwords. Each account should use a 16+ character, randomly generated password. Use strongpasswordgenerator.com for this.
  • Store all passwords in a password manager (Last Pass, Encryptr, or Keeper).
    • To make your password manager "master password" secure, use a passphrase made of words. This site tells you how to make one: https://www.useapassphrase.com/
    • Don't store this passphrase digitally, but do write it down and store it in a safe place in the house or a lockbox.
  • Enable two factor authentication for every account possible.
  • Never share passwords in email. Use Privnote.com to create one-time links to passwords.
  • Lock your credit. This requires creating pins with all the credit bureaus, but it'll help minimize further identity theft risk.
  • Disable storing passwords in Google Chrome. This allows attackers eith your GMail access to all your accounts at once.
  • Inform your school and employer of the breach. They may want to take extra security matters especially if student data may have been compromised.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment