Michael Wolf
Projects and thoughts from Cincinnati San Jose Oakland an undisclosed location in Grass Valley
Home Projects Photos Github Mastodon Nullbrook RSS
SIM Swapped | They've Come for the Common Folk
Last edited - 2022/02/24

This is a short retelling of a SIM swap attack against me in early 2022. Perhaps it will be useful to anyone else who has also been targeted. Note: All times in my local PST. 0917

On the morning of February 18th, 2022 I was just wiping what sleep I had gotten from my eyes after a night of tending to an infant and was checking up on some SMS messages. I sent a snarky reply to an insurance agent that was trying to upsell me. Given that he had been replying rather quickly previously I looked at my phone a few moments and noticed that my phone was reporting no cell service. Weird, but that's not unheard of with these devices, I opted to restart my phone. When it came back up, I saw a warning: "SIM not provisioned"


Now I began to rack my brain. As I went to go get a paperclip to pop the SIM out, I thought what might cause this. Had my phone bill's autopayment failed? That hadn't happened in the five years since I set it up. Some network issue? An email cleared up everything. The IMSI for my phone number had been updated. What the fuck, T-Mobile? This is clearly a SIM swap. At this point I began the process of contacting T-Mobile support.


While on hold, I got an email that my Yahoo e-mail had been accessed. I'd long despised Yahoo's terrible reliance on SMS as a second factor and now I hated it even more since it was apparently a free back-door into the account as well. I inherited this particular Yahoo account over 15 years ago and had long since using it for anything important.

That being said, I had an idea what the attacker was after: Coinbase. I'd set up the Coinbase account back in 2015 without any intention of using it seriously. When I passed it on to my parents, it kept the terrible yahoo email association. However, I was sure to configure authenticator MFA on it. There wasn't much in the way of money in the account, but the thought of having it compromised really riled me.


Perhaps due to the anxiety of having my sim card swapped, I failed to log into the Coinbase account and immediately started a second phone call with Coinbase support to try to freeze the account. Unfortunately, this requires an SMS to be sent to the phone number on the account which still hadn't been moved back to me.

On the T-Mobile side, the support representative had escalated the case to the second-tier and was working on a way to move the number back to my SIM card. I was looking through the T-Mobile account activity and found the exact time when

This unfortunately told me is that my photo ID is available out there. Not that I'm particularly surprised, it's never fun to see the repercussions of data breaches that are outside one's control. In the meantime, I was locking down everything I could that was associated with either the phone number or email account-- tax software, old social media, anything.


My SIM card was once again active and I learned that I could set a password that the T-Mobile reps could ask before swapping a SIM card. So of course I took the opportunity to do that. I hope that's a default security measure for all new accounts!

After having Coinbase disable any transactions on the account, I was actually able to log in and confirm there were no changes. Furthermore I was able to get back into the yahoo mail account and change the password and remove sessions globally.

By now my anxiety had mostly subsided and I counted myself grateful that modern applications use TOTP rather than ridiculously vulnerable SMS MFA. Despite the added layers of security on my phone number this experience has made me more wary than ever of account security.


After contacting the abuse line at tzulo, owner of the IP address that had logged into my Yahoo account, they pointed me to Mullvad VPN as the client that was forwarding those requests. While there isn't much more for me to do, I filed a complaint with IC3 to be a part of the list of others to do so.