What is SIM Swapping, and How Can You Keep Yourself Safe?

Jorge Felix - Cybersecurity Expert
Last updated: May 19, 2024

SIM swapping is a method of identity theft that can do a lot of harm to its victims. This article explains how it works and how to prevent it.

THE TAKEAWAYS

SIM swap fraud occurs when a scammer exploits two-factor authentication and uses your mobile number to access your accounts.

Two-factor authentication systems have a drawback that enables scammers to carry out an attack known as a SIM swap. With it, they can get access to your accounts using your phone number.

A SIM swap starts when a crook persuades your mobile phone’s service provider to activate a SIM card in their possession. As soon as the carrier gives in, the fraudster owns your phone number, and every call or SMS will reach him instead of you. That’s a SIM swap fraud.

In the current digital context, a SIM swap means that the bad guys could log in to your bank account through its website, for instance. The bank sends a code by text, using two-factor authentication to ensure security. But the code reaches the scammer, not you. That’s why they performed the SIM swap in the first place. So now the fraudster has your bank account in his power.

As you can imagine, this type of attack can be very harmful. But you don’t need to lose any sleep over this. Protection against SIM swapping is possible and rather simple. The secret is to ensure that potential scammers will never know the logins and passwords you use in your online accounts, especially the most sensitive ones, like your bank’s. And it also helps if you know how to read the writing on the wall so that you can identify the most likely signs of a SIM swap in progress.

What is a SIM card?

We can’t understand SIM swapping if we don’t first know what a SIM card is.

A Subscriber Identity Module (SIM) card is a small piece of plastic with a chip. The SIM card is the soul of your smartphone, the thing that brings it alive, enabling it to send or receive messages and calls.

There’s a lot of information within the SIM. It’s the link that connects you to your carrier’s network, granting you permission to make and receive calls, among other things. Without the SIM card, your phone can still use a Wi-Fi connection, take pictures, and do other things, but it can’t work as a proper phone.

The mechanics of SIM swapping

In SIM swapping, a criminal takes control of your phone number by having a SIM card other than yours registered as the owner of that number.

Stealing your number means that the scammers in question did some work beforehand. They started by collecting as much personal information about you as they could in any possible way. For them, anything goes, so don’t expect honorable behavior.

The first step has the scammer calling your mobile carrier. They will claim their SIM card is lost or damaged. Fortunately, they already have a spare in place, and all they need is for an agent to activate this new SIM card so everything goes back to normal. As the company fulfills the request, your number effectively migrates into the fraudster’s device.

And how could they answer the security questions your provider asked? How did they verify your identity with the customer service agent? That’s why they collected data on you beforehand. It could have been through phishing attacks, malware, social media research, or a combination thereof.

For example, maybe they sent you an email supposedly from your mobile carrier. The message would have included a link that you must click immediately, or your account will be cancelled. So you click. And you arrive at a new page that asks you for personal information such as passwords, birthdays, names, and more. The boldest criminals will even ask for your social security number. So you fill everything out and click “send.” Now the bad guys have enough information to persuade your mobile carrier that they’re you and that their new SIM is legitimate.

Other tricksters will make you click on an email link that takes you to a malicious web page, from which some nasty pieces of code will be installed on your system. The malware will include a keylogger, so they’ll get your passwords, security question answers, and anything else you type. So this is another way in which the attacker acquires the information needed to get away with murder, figuratively.

Last but not least, your personal information may be available for sale on the dark web.

Once the bad guys control your number, they can use it to take over your communications, bank accounts, text messages, and links to other organizations. Any code sent to your phone to reset passwords or pass 2FA doors will go to them, not you. And that’s everything they need. 

Once they can order transfers from your account, getting your money is an easy task, and there are many tricks for it. For example, they can set up a different account in your name. Because you are already a bank customer, this involves fewer security requirements and will be easy. And money moving between those two accounts will not trigger any security alerts.

SIM swapping and social media

The information about you in your social media profiles can help crooks impersonate you as they prepare to perform a SIM swap on you.

The answers to your security questions (such as your mother’s maiden name or your high school’s name) could be there on your Facebook or some other platform. But, unfortunately, these guys know how to dig deep and squeeze a Facebook profile for the last drop of potentially helpful information.

However, there is a good thing about social media networks and SIM swaps: these platforms can also alert you when you’re in trouble.

None other than Twitter’s CEO, Jack Dorsey, fell victim to a SIM swap not too long ago. First, they hacked his Twitter account and took over his phone number. The hackers then spent 15 minutes having fun using Mr. Dorsey’s Twitter to post offensive messages. So they had their 15 minutes of fame, and it was over.

And how did they manage to pull this trick on such a high-profile personality? In the same way we’ve described so far. Additionally, they used the Cloudhopper text-to-tweet feature to post the tweets.

SIM swap scams are getting trendy

The FBI has recently informed us that SIM swapping is becoming increasingly popular among digital criminals. Over the last year, the agency received 1,611 SIM swapping reports. The financial damages reached nearly 70 million USD.

That rise is dramatic if you consider that, over the previous two years, only 320 swaps happened (reportedly), and the damage was 12 million USD.

Let’s see a more recent example. In January 2022, a Tampa resident failed to log into his account on Coinbase, a cryptocurrency trading platform. A Tampa Bay local TV station (WFTS) reported that the same man found he could not make phone calls or send text messages after that. Of course, you probably already figured out that he was the victim of a SIM swap.

So Mr. Tampa lost about 15K USD worth of his digital assets.

The signs of a SIM swap

If you are the victim of SIM swapping, you must become aware as soon as possible, so you need to know the warning signs. The sooner you react and fix the problem, the less damage you’ll have to absorb.

You can’t make phone calls or send SMS messages

Are you trying to complete a phone call or send an SMS, but you keep getting error messages? That’s the first sign of a SIM swap in progress.


New notifications inform you of other activities

If your mobile carrier lets you know that your SIM card or phone number is active on another device, this is not a sign but a sure thing: you’re in the middle of a SIM swap.


You can’t use your accounts

Your login credentials no longer grant you access to some of your accounts. It doesn’t have to be every account you have.


You see transactions you didn’t do

If you see a group of transactions in your credit card statement that you’re pretty sure you didn’t do, that could point to a SIM swap. Somebody is using your credit card to pay for things at your expense without your authorization. While a SIM swapping attack is not the only cause for this, it’s a possibility.


Social media activity that is not yours

This is what happened to Jack Dorsey in one of our previous examples. Many tweets he had not written alerted him that his number had been hijacked.


How to protect against SIM swapping

SIM swapping can create tragedies of epic proportions. Be proactive, learn about your security options on Android, iPhone, or any device you own, and avoid becoming a victim before it’s too late.

Protect your device and your SIM

Your phone supports several protection methods, such as facial recognition, patterns, passwords, fingerprint scanning, and PINs.

Each one you use adds more security.

It also helps to protect your physical SIM. For example, you can give it a PIN, so it becomes locked whenever your phone restarts.


Lock your phone number

Many mobile carriers have Port Freezes or Number Locks. These features ensure that your number can’t be transferred in an unauthorized manner. Once the lock is active, the number has to remain on your current SIM until the lock is removed.


Choose your security questions and passwords correctly

No, your birthday is not a good PIN or password choice. And neither is your middle name.

Good passwords should be impossible to guess. You start with something over 12 characters long, including letters in both cases, numbers, and other symbols. Also, each of your accounts needs a separate password.

Is it hard to remember a large number of solid and long passwords? Unfortunately, yes. That’s why you should also use a password manager.


Two Factor Authentication

It’s an easy and fast way to enhance your security. Turn on the 2FA feature on every online platform that offers it. Choose to authenticate via Google Authenticator or Authy instead of SMS messages.


Enable biometric authentication

Biometric data needs your presence to work, making it more secure than passwords, 2FA, or PINs.

Go further whenever you can and use 2FA biometrics.


Limit your personal information available online

Don’t do the scammers’ work for them. For example, do not share so much information about yourself online that you could get your SIM swapped in the way we have explained here.


Phishing attempts are out there. Be aware

Phishing is the most old-fashioned form of social engineering and hacking. It involves impersonating legitimate organizations like your bank, government institutions, and health authorities in emails and other means of communication. The criminal relies on your trust in these institutions to provide answers quickly.

All that said, none of those institutions will ever probe you for personal data online.


Conclusion

The problem with SIM swapping is that it’s so stealthy. Most victims won’t know what’s happening until it’s too late. The most significant sign is losing the ability to make calls.

Using your phone number for account authentication is convenient, and it seems safe. But it’s not. It can be hacked through a SIM swap. It will never guarantee your safety or privacy; you need to know that.

So what you need to do is to have many layers of security deployed at all times. If you adopt that strategy, swapping your SIM in itself won’t be enough to threaten you, and you will be able to correct the situation quickly enough.

FAQs

It means to transfer the ownership of a given mobile phone number to a different SIM card.

When a SIM swap occurs, the phone number of the first SIM card is ported to the device containing the new SIM card that becomes the new owner.

These attacks happen when a fraudster persuades a mobile service provider to reassign a given phone number to a different device because of an alleged loss of equipment and other accidents.

About the Author

Jorge Felix


Jorge Félix (Mexico City, 1975). Theoretical physicist specialized in Cosmology and Superstring Theory. He's been a writer on scientific and technological issues for more than 23 years. Has ample experience and expertise in computer technology and a keen interest in digital security issues.
