Introduction[edit]

Advanced Mobile Phone Spyware[edit]

Recent revelations highlight that advanced mobile phone spyware (Pegasus) poses a serious surveillance threat. Quote The Guardian: What is Pegasus spyware and how does it hack phones? ^[archive]:

It is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met. ... Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix. ... Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.

Contrary to propaganda from NSO Group who develop the tool, Pegasus is already in use by many governments worldwide, posing a significant threat to journalists, human rights defenders, political opponents, businesspeople, heads of state and NGOs among others. ^[1] The Citizen Lab ^[archive] has analyzed various NSO zero-day, zero-click exploits and accurately describes their flagrant breaches of international human rights law: ^[2]

Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating “despotism-as-a-service” for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.

Pegasus threats emphasize that even the most security-conscious individuals cannot prevent such attacks, therefore those at high-risk should limit the use of mobiles for sensitive activities whenever possible:

A compromised mobile phone could turn on the microphone and eavesdrop without any compromise indicator noticeable by the user.
The audio leakage from keyboard typing can be used to infer the words up to a certain degree of accuracy. This might reveal passwords; see Microphone.
Similar risks exist for the in-built camera.
All content on the mobile phone can potentially be exfiltrated, including contacts, media, messages and documents.
All browsing and communications history can potentially be monitored.
Location data might be accessed by adversaries.
Any other data or activities on the mobile phone is at risk of access/exfiltration.

For further in-depth detail see:

Hacks of Telecommunication Providers[edit]

Advanced spyware is not the only risk facing users of mobile devices. In late-2021 it was revealed that state-level adversaries have hacked a number of telecommunication providers, with a persistent presence since at least 2016: ^[3]

LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.

Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.

The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.

CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.

The CrowdStrike intelligence report confirms that advanced spyware tools are capable of infiltrating various telecommunications companies at present, while remaining undetected for long periods. This has allowed retrieval of highly sensitive information such as call metadata, subscriber details, telephone numbers, GPS location and other data, as well as enabling the fingerprinting of devices. As the investigation revealed core parts of mobile networks are managed by third parties, with limited evaluation and monitoring of security controls on core network systems, little faith should be placed in the security of available infrastructure to protect against advanced threats.

Mobile Security and Privacy[edit]

A complete change of mindset is required with respect to mobile devices. Considering egregious privacy violations by corporate manufacturers and the burgeoning zero-click, zero-day exploit industry that government (customers) is failing to properly regulate, mobile devices should by default be treated with suspicion.

While the majority of the public remains oblivious or purposefully ignorant to the threat of mobile devices, never forget they can:

record your location with incredible accuracy
track connections to other Bluetooth and Wi-Fi access points in your environment
potentially record everything you say via voice recognition applications (or after exploitation)
confirm all network locations
record all communications, videos and pictures (and when/where they transpired with metadata)
record all known accounts, such as social media, messaging applications, financial accounts and more
generate a highly detailed profile based on applications, interests, contacts, browsing and so on

In all circumstances, conduct a personal threat assessment and consider the potential ramifications of a successful exploitation by malicious actors before using mobile devices for sensitive activities.

Best Practices[edit]

As outlined in the introduction, threats to mobile devices are increasing in number, scope and complexity. Therefore a complete change in user behavior is necessary to better protect personal devices and information. In general, the more device features that are enabled, the greater the loss in security -- avoid enabling features simply for personal convenience.

Table: Mobile Devices Best Practices ^[4]

Setting / Behavior	Recommendation	Security Benefit
Applications	Install a minimal number of applications and only those which are essential. Remove unnecessary, default applications if possible. If this is not feasible, then disable the application in settings. Only install software from official application stores. Be cautious if entering personal data into applications; use false information if possible. Fully close (exit) applications when they are not in use. Keep all software and applications updated.	Official store application updates provide partial protection against: spearphishing malicious applications intercepts / untrusted cellular networks room audio / video collection call / text / data collection over network geolocation of device Updated software and applications provide partial protection against: spearphishing malicious applications zero-click exploits malicious Wi-Fi network / close access network attacks intercepts / untrusted cellular networks room audio / video collection close access physical attacks
Attachments / Links	Do not open unknown email attachments and links: Even verified contacts might send malicious content, either accidentally or following a compromise. Malicious actors can impersonate a known contact.	Partial protection against spearphishing and malicious applications.
Bluetooth	Disable Bluetooth when it is not in use, or preferably never activate it. Note that Airplane mode does not always disable Bluetooth.	Near-complete protection against malicious networks / close access network attacks, and collection of call / text / data over network (when cellular and Wi-Fi networks are also disabled). Partial protection against intercepts / untrusted cellular networks, and geolocation of the device.
Biometrics	As noted in the 2FA chapter, do not rely on biometric IDs to protect information or for authentication. ^[5]	Biometric IDs cannot ever be changed if compromised. Volunteering of biometric data is a privacy intrusion and risk.
Case	Consider using a protective case that "drowns" (mutes) the microphone to protect again potential eavesdropping. Cover the camera when it is not in use.	Near-complete protection against room audio/video collection.
Control	Maintain physical control of the device by having it either on your person or in secure storage. Avoid connecting mobile devices to unknown, removable media.	Partial protection against close access physical attacks.
Conversations	Avoid having sensitive conversations near mobile devices.	Near-complete protection against eavesdropping threats (if the device is compromised).
Location	Disable location services either permanently or only activate it when necessary. Do not take mobile devices to sensitive locations or activities.	Partial protection against geolocation of the mobile device. Near-complete protection against room audio/video collection.
Modification	Avoid jailbreaking ^[archive] or rooting ^[archive] mobile devices.	This process can lead to security weaknesses, undermine built-in security measures, and increase the risk of infection by viruses and malware (since software can be installed that is not vetted by hardware manufacturers).
Passwords	Use strong lock-screen pins/passwords at least six digits long. Set the device to automatically lock after five minutes. Enforce a setting so the device is wiped after ten incorrect password attempts.	Partial protection against close access physical attacks.
Pop-ups	Unexpected pop-ups are usually malicious -- follow advice for your particular device (such as Android ^[archive]) to safely remove the offending software. ^[6]	Provides partial protection against the theft of personal or sensitive information, or other malicious activities.
Power	On a weekly basis, power the mobile device off and then on again.	Partial protection against spearphishing and zero-click exploits.
Text Messages and Video / Voice Calls	Text messages or video/voice calls using cellular networks are completely insecure, so avoid any sensitive communications via this method. Use encrypted text, voice and data applications.	Partial protection against: malicious Wi-Fi networks / close access network attacks intercepts / untrusted cellular networks call / text / data collection over network
Trusted Accessories	Only use the original charging cords or accessories or those purchased from a trusted manufacturer. Avoid public USB charging stations. Do not connect mobile devices to sensitive computers, whether it is via a physical connection, Wi-Fi or Bluetooth.	Partial protection against close access physical attacks or supply chain attacks.
Wi-Fi	Avoid connecting to public Wi-Fi networks. Disable Wi-Fi when it is unneeded. Delete unused Wi-Fi networks.	Avoiding public networks provides partial protection against: zero-click exploits, malicious Wi-Fi networks / close access network attacks, call / text / data collection over network, and geolocation of the mobile device. Disabling Wi-Fi and cellular networks provides: Near-complete protection against malicious Wi-Fi networks / close access network attacks, and collection of call / text / data over network. Partial protection against intercepts / untrusted cellular networks, and geolocation of the device.

Bluetooth and Wi-Fi Threats[edit]

Geolocation tracking of mobile devices is not only possible by triangulating mobile antennas (see Hardware Identifiers), but also via the Wi-Fi and Bluetooth protocols. By default, popular mobile device manufacturers like Apple (i-Phone) and Google (Android) have their location-based system services ("Location Services") scan for nearby Wi-Fi access points (APs) or Bluetooth devices. ^[7] ^[8] As a database is maintained with these APs/device locations, unless disabled, mobile devices will passively scan the environment and generate location information that is more accurate than GPS.

The obvious threat is manufacturers and third parties can access this information for detailed tracking information. As Google, Apple and other tech companies are notorious for data harvesting, little faith can be placed in setting changes that disable Location Services. For example, in 2018 it was revealed that some Android and i-Phone services were storing location history even after Location Services was disabled: ^[9] ^[10]

Google services on Android devices and iPhones track and store your location data even if you turn location history off in your privacy settings, according to an Associated Press investigation.
You can turn off location history any time, but some Google apps still store your time-stamped location data, the AP reported. Google also reportedly uses this location data to target ads based on users' specific locations. ...
"Location History is a Google product that is entirely opt in, and users have the controls to edit, delete, or turn it off at any time," a Google spokesperson said in a statement. "As the story notes, we make sure Location History users know that when they disable the product, we continue to use location to improve the Google experience when they do things like perform a Google search or use Google for driving directions."

The Wi-Fi protocol does not just pose an intimate tracking threat. Malicious or "rogue" Wi-Fi APs can be easily set up by low-skilled adversaries using tools like the Wi-Fi pineapple ^[archive]. In essence, these devices establish an AP that can conduct MITM attacks by forcing mobile devices to disconnect from their current Wi-Fi network, while spoofing the the normal Wi-Fi network at the same location with a fake set identifier (SSID). This allows attackers to eavesdrop remotely and collect sensitive personal information (such as passwords), perform malicious redirections, or generally sniff traffic. ^[11] In general, end users do not normally check their device settings for possible rogue APs since the Internet remains accessible during this attack; most will simply trust they have a secure connection. This is one reason why the literature recommends using Tor and/or a VPN when utilizing public Wi-Fi APs, because it obfuscates traffic from potential rogue operators.

Finally, both Bluetooth and Wi-Fi on mobile devices have a unique MAC Address which is necessary for a mobile device to identify itself on the network. Traditionally all devices have used the same MAC addresses across all networks, making it easy for network operators and observers to link that address to specific network activity and locations over time. ^[12] However, later operating system versions of Android and i-Phone are reported to either automatically generate, or have settings for, random Bluetooth and Wi-Fi MAC addresses (without jailbreaking the device). ^[13] ^[14] At a minimum these settings should be confirmed, but again it is safer to either disable these protocols when possible, or not carry a mobile device to sensitive locations.

Hardware Identifiers[edit]

Various identifiers are available to uniquely identify and locate mobile devices, including International Mobile Equipment Identity (IMEI) ^[archive] and International Mobile Subscriber Identity (IMSI) ^[archive].

International Mobile Equipment Identity (IMEI)[edit]

IMEI is a 15 or 17-digit number, usually unique, which is used to identify valid mobile devices on networks (including some satellite phones). ^[15] It can be used to stop stolen devices from accessing the network via a blocklist, even if the subscriber identity module (SIM) is changed. ^[16] It can also be used to locate lost devices, as various services and applications already provide this function. ^[17]

Police, military and government agencies use IMEI as a tracking device, as it can locate mobile devices to within a few meters. The reason is when a mobile device connects to towers, the IMEI and other unique identifiers are shared. Therefore agencies can easily verify the physical location of all phones in a given location, as this information is shared with the government and is subject to warrants and other requests. For example: ^[18]

The military utilize IMEI for targeted drone strikes. ^[19]
Saudi authorities have used IMEI to track women fleeing the regime.
Changing the SIM card will only change the IMSI number (see below) and the IMEI number is unchanged; this action just alerts mobile device companies that a new SIM has been inserted. ^[20]
The IC already utilize IMEI/IMSI catchers for geo-location tracking, eavesdropping, traffic interception and identity extraction. ^[21] ^[22] In simple terms, "fake" mobile towers perform a Man-in-the-middle (MITM) attack between the target mobile device and the service provider's real towers.

The only ways to avoid IMEI tracking are: replacing the handset; physical removal and replacement of a chip to obtain a new IMEI (illegal in many jurisdictions); utilizing a phone with reprogrammable IMEI; or using devices without a SIM card slot (as they do not have an IMEI). Notably, many jurisdictions require IMEI registration in order to access mobile networks.

International Mobile Subscribed Identity (IMSI)[edit]

IMEI is only linked to the device and does not have a particular relationship to the subscriber; that function is related to the IMSI number. IMSI is usually a 15-digit number that uniquely identifies every user of a cellular network, as it is sent by the mobile device to the network: ^[23]

The first 3 digits represent the mobile country code (MCC), which is followed by the mobile network code (MNC), either 2-digit (European standard) or 3-digit (North American standard). The length of the MNC depends on the value of the MCC, and it is recommended that the length is uniform within a MCC area. The remaining digits are the mobile subscription identification number (MSIN) within the network's customer base, usually 9 to 10 digits long, depending on the length of the MNC.

Notably the IMSI is linked to mobile subscriptions or pre-paid plans, the phone number provided by a mobile service, and is hardcoded on the SIM card so it cannot be changed. As both the IMEI and IMSI are registered every time a mobile network connection is made, it is easy for agencies to track this information and query it as necessary.

Numerous IMSI vulnerabilities exist for potential exploitation:

While the IMSI is rarely transmitted and is instead replaced by a temporary mobile subscriber identity (TMSI) to try and prevent eavesdroppers/hackers and identity verification, ^[24] recent 4G and 5G hacks re-enabled the effectiveness of "Stingray Attacks" via IMSI catchers. ^[25]
Researchers have demonstrated IMSI catcher attacks are possible via the Wi-Fi protocol, allowing detailed tracking and MITM attacks. ^[26]
Numerous devices are available to exploit IMSI for either passive dragnet surveillance or for targeted attacks; see here ^[archive].

Conclusion[edit]

In summary, it is evident the IMEI and IMSI identifiers alone pose serious privacy and security threats to mobile devices. Mobile operators and mobile OS software routinely store this information, and the existing protocols are prone to exploitation and allow detailed tracking of movements due to mobile tower triangulation. "Anonymous SIMs" are also a mirage because this will not change the underlying IMEI identifier linked to the handset, which can normally be traced to the purchaser. Further, advanced IMEI/IMSI catcher technology makes it highly like that any targeted mobile device can be easily exploited.

If a mobile device is required for truly anonymous activity, then the best chance is sourcing a dedicated anonymous phone number and/or an anonymous burner phone. This would necessitate an anonymous SIM card (pre-paid with cash) that cannot be linked to you personally. Achieving this goal is difficult -- and potentially illegal depending on the jurisdiction -- and is outside the scope of this documentation.

Phone Number Validation vs User Privacy[edit]

Some applications like Signal and Telegram require the user to provide a phone number for verification.

The mandatory linkage of the software application with a phone number makes it very likely adversaries can easily link any 'anonymous' use of such applications in Whonix ™ with a user's real identity, even if a secondary phone number is used as a limited workaround. At the time of writing user requests to enable registration with an email account as a possible alternative have been ignored or denied by some developers of such applications. For this reason alone, alternative options like Gajim and HexChat should be investigated instead; see Instant Messenger Chat for further information. Readers are of course free to ignore this advice.

In many cases (such as Signal and Telegram) the number can be different form the device's SIM card; it can be a landline or VOIP number, so long as the user can receive the verification code and possesses a separate device to set up the software. A far safer registration alternative is to utilize a random online phone number, see: Phone Number Registration Unlinked to SIM Card.

Also see: Do not Use (Mobile) Phone Verification.

SIM-based Threats[edit]

Simjacker Attack[edit]

The AdaptiveMobile Security Threat Intelligence group confirmed in late-2019 that vulnerabilities linked to technology embedded on SIM cards are being actively exploited. The Simjacker attack: ^[27] ^[28] ^[29]

Utilizes an SMS with malicious code sent to target mobile devices, which then instructs the SIM Card via the "S@T Browser" ^[30] to takeover the mobile and retrieve or perform sensitive operations. Essentially the S@T Browser library is used as an execution environment that can trigger logic on the handset.
Researchers observed the primary information sought is the location (cell ID) and specific device information (IMEI) of handsets, which is then sent back to the attacker via another SMS.
This exfiltration takes place without any observable change on the target handset.
With the STK command set ^[archive], this same technique can also perform:
- misinformation - sending SMS messages with attacker content
- fraud - dialling costly numbers
- espionage - act as a listening device
- malware-spreading - opening malware-loaded web pages
- denial of service - disabling the SIM card
- information retrieval - language, battery level etc.
A wide range manufacturer devices are affected, including Apple, ZTE, Motorola, Samsung, Google, and Huawei. ^[31]

Fortunately this attack has been reported to mobile manufacturers and steps are being taken to close this security hole, including new security recommendations for the S@T Browser technology.

SIM Swapping Attack[edit]

In this attack, a target's account is taken over via fraudulent methods that exploit weaknesses in two-factor authentication (2FA) or two-step verification that rely upon SMS text messages or calls placed to a mobile device. The attack has several steps: ^[32]

Attackers gather information about the intended target, using methods like social engineering, phishing emails or purchasing it from criminal networks.
Once details are harvested, the mobile provider is contacted and convinced to shift the target's phone number to the attacker's SIM. ^[33]
If successful, the target's phone loses its network connection and instead the attacker receives all SMS and voice calls intended for the target.
This information then allows the attacker to access various accounts that rely on 2FA methods (one-time passwords) utilizing SMS text messages or phone calls. Further, many accounts can have passwords reset just by having a listed recovery phone number.

A successful exploitation potentially allows attackers to steal funds from financial accounts, engage in extortion, or sell personal information on the black market.

Malicious SMS Re-routing[edit]

Users who are not exploited by a SIM Swapping Attack can still have messages intercepted by attackers using malicious SMS re-routing. In simple terms, attackers use legitimate text messaging services like Sakari ^[archive] to re-route messages intended for business landlines, VoIP phones or mobile devices. In this case, all that is required is the purchase of a cheap plan, signing up with a target's number, and the completion of a Letter of Authorization (with fake information) "confirming" no unlawful, harassing or inappropriate behavior will be conducted. ^[34]

This attack vector is often overlooked, but highlights that commercial SMS tools are largely unregulated and there are severe weaknesses in the existing telecommunications infrastructure. As per SIM swapping attacks, the ability to intercept SMS text messages will in many cases allow access to the associated accounts of targets via login requests. Perhaps worse, the target/s will never be aware an attack even took place because they will simply not receive messages intended for them.

Companies alerted to this attack have subsequently added a security feature so that calls are placed with users, requiring a security code be sent back to the company to confirm they have consented to a number's transfer. In other cases, a text message is sent to another number of the user or their email address. However, in the absence of a standardized global protocol for text messaging forwarding or improved customer authentication by telecommunication providers, this attack vector will probably remain viable with other providers in the near term who have not improved their security practices.

Telephony Protocols[edit]

SS7 Vulnerabilities[edit]

The Signaling System No. 7 (SS7) is a set of telephony signaling protocols used by telecommunications network operators to talk to each other. This standard has been utilized for older telephony standards such as 3G, 2G and earlier and is being replaced with the Diameter protocol for 4G and 5G networks. In simple terms it supports mobile devices and needed services like roaming, SMS and data -- everything that is unrelated to call signalling. Unfortunately, the protocol has a long history of vulnerabilities: ^[35] ^[36] ^[37]

tracking of mobile device users
text and call interception
eavesdropping by using the protocol to forward/re-route calls
facilitation of decryption by requesting the caller's carrier release a temporary encryption key to unlock communications (after recording)
bypassing of 2FA authentication by routing SMS and confirmation calls to attacker-controlled numbers
denial of service - disabling of calls, SMS and data
various de-anonymization attacks
decrypting calls captured off the air

These are fundamental weaknesses in the protocol and there are very limited countermeasures that users can take to protect themselves. For further reading on this topic, see: Tracking the Trackers: The most advanced rogue systems exploiting the SS7 Network today ^[archive].

Diameter Vulnerabilities[edit]

As noted above, the Diameter protocol is the telephony and data transfer standard in use with today's 4G and 5G networks, which is slowing replacing SS7. Unfortunately it has proven to have many of the same vulnerabilities that are present in the older SS7 standard, despite using encryption for authentication procedures: ^[38] ^[39] ^[40] ^[41] ^[42] ^[43]

Legacy vulnerabilities in the protocol and misconfiguration means the same SS7 threats have been inherited, including tracking of a user's location, interception of sensitive information, and downgrades to insecure 3G networks.
Denial of Service (DoS) attacks have been demonstrated on all mobile networks, including 5G networks.
A high frequency of attacks related to disclosure of subscriber information, location, and network information; this can be used to intercept voice calls, change billing arrangements, and restrict mobile services.
Critical security capabilities of the Diameter protocol are often not enabled. For example, if authentication safeguards are not enabled, attackers can imitate legitimate roaming activity to intercept calls and text messages.

A wealth of research highlights that the Diameter protocol will not automatically solve existing SS7 vulnerabilities, and it is highly likely to be exploited by attackers with increasing frequency as it slowly becomes the dominant protocol world-wide.

Preventative Measures[edit]

In addition to the multiple recommendations in the Best Practices section, consider the additional suggestions below to reduce the likelihood of account exploitation.

Phone Number Registration Unlinked to SIM Card[edit]

SIM cards pose a risk to privacy and also introduce the potential for backdoors and vulnerabilities; for these reasons they are best avoided, particularly for anonymous use of applications. For applications requiring phone number registration, it is possible to use services that provide alternative, online numbers that are linked to a personal account.

Numerous services provide online numbers, but those which are well-tested and use (mainly) free software, such as JMP ^[archive], are recommended. In simple terms, JMP provides an XMPP ^[archive] to SMS ^[archive] gateway service. This means a real phone number can be chosen and used for calls (limited jurisdictions), texts, group messages, and so on: ^[44]

JMP gives you a Canadian or US phone number that is yours to keep (for 46 other countries you can use the the Vonage SGX, also part of Soprani.ca). JMP allows you to send and receive text messages and picture messages using your Jabber client. You can also make and receive phone calls, including receiving voicemails delivered to you as audio recordings and text transcriptions. ... Jabber (and the underlying technology, XMPP) is a federated protocol and open standard for messaging. It uses Jabber IDs (JIDs) to communicate, which are similar to email addresses. As with email, you can get a Jabber ID from one of many free and open servers. ... Jabber is long-standing, widely-used, and privacy-focused. If you have ever used Google Chat, HipChat, the pre-2016 Facebook Messenger, WhatsApp, Kik, Movim, Android Push Notifications, or a private company chat server, then you have used XMPP. ... JMP extends the freedom of Jabber and the XMPP network to cell phone texting.

Registration and use of gateway services require monthly payments, so investigate available cryptocurrency payments methods if the phone number is intended for anonymous activities. The example below shows how to configure the JMP service.

1. Register an account on Jabber/XMPP.

Utilize one of the servers recommended by JMP ^[archive] to register an account.

Figure: Jabber/XMPP Account Registration

2. Perform "web registration".

After selecting a server:

Click "web registration" → Complete necessary fields → Click on "register"

Figure: Complete Web Registration

3. Sign into the account with a recommended Jabber/XMPP client. ^[45]

Figure: Account Login

4. Select one of the numbers located on the main JMP page.

Figure: Phone Number Selection

5. Utilize the Jabber/XMPP registered account.

Since a Jabber/XMPP account was previously registered, select "I already have a Jabber ID I want to use for this number".

Figure: Select Jabber ID Option

6. Add and submit your Jabber ID in the empty field.

Figure: Enter Jabber ID Details

7. Confirm Jabber ID linkage with JMP.

As the Jabber ID was linked with a selected number from JMP, a message should be sent to the Jabber/XMPP account.

Figure: JMP Confirmation Messages

8. Complete payment for the account.

Follow the message instructions to:

type and send "register jmp.chat"; and
choose a method of payment

Figure: Finalize JMP Account Payment

9. Check the account was activated.

After successful payment an activation message will be sent to the Jabber/XMPP account. It is now possible to use the number for various activities; see here ^[archive] for further details.

Figure: Account Activation Message

10. Test functionality of the new phone number.

It is recommended to perform a small test to confirm the number is working correctly. In the example below, an Element Matrix account is linked with the JMP number, which leads to a Matrix verification message being sent to the Jabber/XMPP account.

Figure: Matrix Verification Message

After entering the verification code, the account will be linked successfully to the phone number in use.

Figure: Successful Matrix Account Linkage

Registration Locks[edit]

To minimize the threat of various SIM-based attacks, consider setting a registration lock; prefer messengers or other chat applications that support a Registration Lock PIN over SMS. This prevents someone who gains access to your mobile number from performing re-registration unless they have the associated PIN number:

Signal messenger: three dots → settings → privacy → scroll down → Registration Lock PIN
Telegram: settings → privacy and security → two factor authentication
WhatsApp: settings → account → Two-step verification

Personal Information[edit]

It is hazardous to share personal information online. To reduce the chance of successful attacks: ^[46]

Avoid providing personal information in response to calls, emails, or text messages that request it because they could be phishing attempts. It is far safer to directly contact companies using verified phone numbers or legitimate websites.
Avoid oversharing personal information online; for example, do not post personal details like your full name, address or phone number on public websites. This only assists attackers in answering security-related questions on personal accounts.
In the event you are exploited or exploitation is suspected:
- Contact the mobile service provider to regain control of your phone number.
- Also contact important companies to check for unauthorized changes/charges on accounts, such as credit cards, banks and other financial accounts.
- Inform all contacts of a possible SIM swapping attack. In the event they receive any requests for money or other strange requests, encourage them to call you instead to confirm.

Two-factor Authentication[edit]

Always utilize 2FA for important accounts to prevent unauthorized changes. Prefer strong implementations like physical keys, authenticator applications/ToTP, and push-based 2FA. Do not rely on biometrics, SMS, email or voice-based 2FA.

Phone Number Security Compartmentalization[edit]

Consider using at least two different mobile phone numbers. The first number should be given to friends, "real people", colleges and other non-sensitive contacts. The second phone number should only be provided to banks, financial institutions and perhaps other money-sensitive services that require SMS as a second authentication factor or as a means to contact you.

The rationale is people you know might give your mobile number to others, or their mobile phone may be hacked or stolen. This increases the risk your mobile number might end up being published on the internet, thereby making you a potential target for a SIM swapping attack. However, if different phone numbers are used in different places/contexts, a SIM swapping attack would cause far less damage.

Another reason is the mobile device which is carried outside and used on a daily basis is more likely to be stolen or lost compared to one which is kept in a safe(er) location most of the time. Therefore, in these circumstances a thief using your everyday phone is denied an opportunity to fraudulently access any financial accounts.