SIM Swapping

For most of us, smartphones are the hub of our digital lives, providing a place to conduct business, connect and shop. They are often the chosen destination for 2-factor authentication, which makes them ideal targets for scammers. 

The first thing you need to know is that this danger requires no special expertise on the part of the criminal targeting you.

SIM-swapping, or SIM hijacking, targets your subscriber identification module (SIM) card, a small removable chip that connects your phone number to your device. This attack couldn’t be simpler: A criminal transfers your account to a new SIM card. Phone calls, SMS messages and accounts associated with the victim’s phone number are redirected to the new device.

SIM-swapping happens three ways:

  • Stealing a physical SIM card from a smartphone.
  • Leveraging personal data from data breaches or collected from open-source snooping (social media, mostly) to convince a mobile provider customer service representative to transfer a SIM card account to a new smartphone.
  • Bribing the employee of a mobile provider to transfer SIM card account data.

While the first method may pose some difficulties, the other two are easy.

Mobile providers process legitimate requests to reset or transfer SIM card information to new devices all the time. The primary method of authenticating the request is the user’s Social Security number or other personally identifying information that can be found on the dark web. 

Paying a customer service representative is an even more direct option. Scammers often bribe or compel an entry-level sales representative at a mobile provider to reroute one phone to another account.

The danger posed by SIM-swapping isn’t hypothetical. The 2019 takeover of Twitter CEO Jack Dorsey’s account on his own platform was the result of a SIM-swapping attack, as was the pilfering of over $100 million from cryptocurrency accounts in 2020. The FBI recently warned that SIM swaps had spiked last year, with 1611 reported complaints compared to 320 in 2020.

What Can a SIM-Swapping Attack Do?

  • One of the primary threats posed by SIM-swapping is that it provides an easy workaround to 2-factor authentication, where password-based accounts are secured by connecting them to a phone number. A scammer clicks “Forgot Password”, receives a text to the victim’s hijacked phone number and takes control of the account. 
  • SIM-swapping can also be used in social engineering attacks against the victim’s contacts. By sending a text, DM or WhatsApp message, a scammer can gain access to information, request funds, or spread malware to third parties associated with the victim.
  • Many financial services rely on phone calls or texts to alert customers to suspicious account activity. That’s not going to happen if you’re a victim of SIM-swapping. 

What you can do:

  • Create a SIM PIN code so your SIM card can’t be physically transferred to another device:
    • If you have an iPhone: On your phone, go to Settings > Cellular > SIM PIN and activate your PIN. Some mobile carriers have default SIM PINs, which can be accessed via their customer service webpage. Don’t try to guess the PIN, as too many failed attempts will lock your SIM card. When you create a PIN, be sure it’s one that you’ll remember, but not one that you use for other accounts.
    • If you have an Android device: SIM PIN settings can be found on most Android phones under Settings > Security > Advanced > SIM card lock settings. Double check with your carrier to see if there’s a default PIN code before trying to enter it, as most Android devices will lock after three incorrect attempts. Turn the option to “Lock SIM card” on and enter a new PIN that will be easy to remember but not in use on other accounts. 
  • Don’t think of 2FA as being a silver bullet for your accounts. For truly sensitive accounts, use an app like Google Authenticator that isn’t connected to your phone number.
  • Don’t share too much online. Oversharing helps scammers gather enough information on you to convince mobile providers that they’re you, and gives them insight into your contacts.
  • Check where you’ve been breached on HaveIBeenPwned.com and subscribe to dark web monitoring. If your name, personal information and Social Security number are out there, you’re at greater risk for SIM-swapping.
  • Consider using services like Firefox Relay to mask your email. This creates an email alias for each of your accounts that forwards to your “real” account, and makes it harder to reuse breached information.