Two-factor authentication systems have a drawback that enables scammers to implement an attack known as SIM swap. Thus, they can get access to your accounts using your phone number.
A SIM swap starts when a crook persuades your mobile phone’s service provider to activate a SIM card in their possession. As soon as the carrier gives in, the fraudster owns your phone number, and every call or SMS will reach him instead of you. That’s a SIM swap fraud.
In the current digital context, a SIM swapping means that the bad guys could log in to your bank account through its website, for instance. So the bank sends a code by text using two-factor authentication to ensure security. But the code reaches the scammer, not you. That’s why they performed the SIM swap in the first place. So now the fraudster has your bank account in his power.
As you can imagine, this type of attack can be very harmful. But you don’t need to lose any sleep over this. Protection against SIM swapping is possible and rather simple. The secret is to ensure that potential scammers will never know the logins and passwords you use in your online accounts, especially the most sensitive ones, like your bank’s. And it also helps if you know how to read the writing on the wall so that you can identify the most likely signs of a SIM swap in progress.
What is a SIM card?
We can’t understand SIM swapping if we first don’t know what a SIM card is.
A Subscriber Identity Module (SIM) card is a small plastic piece with a chip. The SIM card is the soul of your smartphone, the thing that brings it alive, enabling it to make or receive messages and calls.
There’s a lot of information within the SIM. It’s the link that connects you to your carrier’s network, granting you permission to make and get calls, among other things. Without the SIM card, your phone can still use a wifi connection, take pictures, and other things, but it can’t work as a proper phone.
The mechanics of SIM swapping
In SIM swapping, a criminal control your phone number by having a SIM card other than yours identified as the owner of such number.
Stealing your number means that the scammers in question did some work beforehand. They started by collecting as much personal information about you as they could in any possible way. For them, anything goes, so don’t expect honorability.
The first step has the scammer calling your mobile carrier. They will claim their SIM card is lost or damaged. Fortunately, they already have a spare in place, and all they need is for an agent to activate this new SIM card so everything goes back to normal. As the company fulfills the request, your number effectively migrates into the fraudster’s device.
And how could they answer the security questions your provider asked? How did they verify your identity with the customer service agent? That’s why they collected data on you beforehand. It could have been through phishing attacks, malware, social media research, or a combination thereof.
For example, maybe they sent you an email supposedly from your mobile carrier. The message would have included a link that you must click immediately, or your account will cancel. So you click. And you arrive at a new page that asks you for personal information such as passwords, birthdays, names, and more. The boldest criminals will even ask for your social security number. So you fill everything out, you click “send.” The bad guys have enough information to persuade your mobile carrier that they’re you and that their new SIM is legitimate.
Other tricksters will make you click on an email link that will take you to the malware main web page, where some nasty pieces of code will arrive in your system. The malware will include a key-logger, so they’ll get your passwords, security question answers, and anything else you type. So this is another way in which the attacker acquires the information needed to get away with murder, figuratively.
Last but not least, your personal information may be available for sale on the dark web.
Once the bad guys control your number, they can use it to take over your communications, bank accounts, text messages, and links to other organizations. Any code sent to your phone to reset passwords or pass 2FA doors will go to them, not you. And that’s everything they need.
Once they can order transfers from your account, getting you money is an accessible task through many tricks. For example, setting up a different account in your name. With fewer security requirements, it will be easy because you are already a bank customer. And money moving between those two accounts will not trigger any security alerts.
SIM swapping and social media
The information about you in your social media profiles can help crooks impersonate you as they prepare to perform a SIM swap on you.