This archive report was first published on 4 September 2019.
On September 4, 2019, Twitter CEO Jack Dorsey's account was compromised in a SIM swap attack, exposing the vulnerability of two-factor authentication via text message.
Attackers hijacked Dorsey's phone number, gaining control of his Twitter account and posting a series of offensive tweets before it was restored.
According to security experts, SIM swap attacks have become a popular break-in method in recent years, targeting weaknesses in two-factor authentication via text message.
"The problem is not over," said Ori Eisen, founder of Arizona-based security firm Trusona, which specializes in authentication without passwords.
Researchers at Kaspersky have reported thousands of SIM swap attacks in countries where mobile payments are common, including Brazil, Mozambique, India, and Spain.
Security systems at many mobile operators are weak and leave customers open to SIM swap attacks, especially if attackers have gathered information such as birth dates and other data.
"The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others," wrote Kaspersky researchers Fabio Assolini and Andre Tenreiro in a recent blog post.
Experts are calling for better forms of authentication, such as physical keys or software-based systems like Google Authenticator, to prevent SIM swap attacks.