SIM swapping has recently been in the news quite a bit, including the news story about the recently hacked Instagram accounts. In another incident, a cryptocurrency investor’s SIM was swapped, with the criminals robbing him of $23.8 million’s worth of tokens. This person is now suing his phone carrier, AT&T. Other incidents have even seen cybercriminal draining thousands of dollars from individual’s bank accounts.
Why would anyone want to swap your SIM? You’d be surprised. You may be lulled into thinking no one would want to swap your SIM—you may not be a crypto investor or have much money in the bank. While that may be true, anyone and everyone can be the target of a SIM swap. If you have an online presence, that alone makes you a valuable target.
What is SIM Swapping?
First, SIM swapping goes by many names, including these alternative terms:
- SIM porting
- Port out fraud
- Phone porting
- SIM hijacking
Sim swapping is a cyber attack on your phone’s SIM card. In this type of an attack, a cyber criminal gains control over your SIM card, making it usable on their own phone. The criminal then has access to your personal data, phone and can gain access to your Internet accounts that are tied to your phone number. It’s also possible you could be locked out of your services forever.
Their plan may be only to cause mischief but could also include taking money out of your bank accounts, using social media accounts, your email accounts and more.
How Does a SIM Happen?
SIM card swapping is done remotely—the criminal doesn’t need to physically remove the SIM card from your phone. All the hacker needs is some of your personal information—just enough—to contact your phone carrier’s customer service and impersonate you.
If the customer service person believes their story, they’ll activate the new SIM card, after which the hacker will then have access to receive all your calls, data and text messages on the new phone.
The cyber criminal’s intention is to persuade the customer service rep that you need a new SIM card due to some problem such as losing your mobile phone, getting a new phone or perhaps the old SIM cards was damaged or lost. With your personal information, the attacker is issued a new SIM card and can go ahead and access calls, text messages, transaction authorisations and more.
Attackers can also set up new accounts in your name, without you ever knowing. SIM swapping is that easy and that destructive. Scary–that someone you don’t even know can wreak such havoc on your life.
How to Recognise a SIM Swap Attack
The only sign that you’ve been attacked is if your phone suddenly isn’t able to send or receive text messages and other types of weird behavior. You may also receive notifications from your carrier that your phone and/or SIM have been activated somewhere else. You may also find it impossible to sign into your online accounts, including financial accounts.
Other signs you’ve been the victim of a Sim-jack may include:
- You may receive a call or text from your service provider saying, “Sorry we were just disconnected…” If this happens, it could be a sign you’ve been hacked. Someone may have been talking with the customer service rep and then hung up, only to call back and try again.
- You receive notifications or emails from your phone carrier saying that your password was reset. After this, your phone may stop working, unless you’re connected to WiFi and can still receive email.
- Suddenly, your phone stops working. Turning it off and restarting it doesn’t get it working again and there’s absolutely no cell signal.
- You are notified by other services that you no longer have access a phone-level account (such as a Google Account or perhaps your AppleID) and you’re required to re-enter your password.
- You may be notified that your Android account was added to a new device.
- Your iOS account may ask if you’re logging in from a new location.
- For any non-SMS 2FA mechanisms which use push notifications, such as Microsoft Authenticator, you may receive a notification giving you a code you supposedly requested or asking if you’re trying to login.
Preventing a SIM Swap Attack
While it seems easy for cyber criminals to gain access to your SIM, there are some things you can do to help prevent a SIM swap attack.
1). Avoid phishing scams: some SIM swap attacks start with a phishing attack. You may receive emails that contain malicious links, a bogus login screen, fake address bar, etc. Avoid clicking anything, downloading programs/photos/documents and don’t sign into your account via the screens provided within the emails. If you do, criminals will then have access to some very important personal information, which they can use to hack your SIM.
2). Reduce your personal data online: avoid, as much as possible, sharing personal information online. This includes:
- Phone number
- Birth date
- Mailing address
- And more
These bits of information are all hackers need to steal your SIM. Some of this information is necessary for some sites, such as shopping and banking sites; however, avoid making this information searchable. Don’t include personal data in social media posts, for instance. And if you have accounts you no longer use, be sure to close and delete them. Even these type accounts could be accessed by hackers. The information you have stored online is a gold mine to them.
3). Use an authenticator app: many of us have set up 2-step authentication, which is great! However, it won’t help if a hacker gains access to your SIM and your personal data. So, step up the authentication with an authenticator app. The apps are physically tied to your phone, not your SIM card.
They’re easy to use, too. When you need to access an account set up with this type of 2-step authentication app, just open the app, choose the account and input the 6-digit code. These codes update every 30 seconds, and stays in sync with your phone, not your SIM card. This makes it more difficult for criminals to then access any account you’ve tied to the authentication app.
4). PIN your mobile phone account: what does this mean? Some carriers allow you to set up a PIN number to protect your account from unauthorised use and changes. This is one of the best ways to foil a SIM hijacking.
5). Security recovery questions: create answers that are not tied to your personal data and that no one else would know.
6). Use a password manager: many of these services provide long, unique passwords for each account. In fact, you can let the password manager generate the password for you. The password is stored in the app, so you don’t need to remember it. The only password you will have to remember is the master password to sign into the password manager. These provide another strong layer to foil a cybercriminal.
7). Note all important information for each of your online accounts: this may be a little tough, but it may help if you’re the victim of a SIM swap. For each account write down:
- The date/month the account was created
- Addresses associated with the account
- Credit/debit card numbers used for purchases (to confirm you’re the one that’s been using the account)
- Any screen names you may have used in the past for the account(s)
- Email addresses used to access the account(s)
While you’re going through this process, it’s an excellent time to update passwords and other login information. Once you have everything done, put everything together in one secure place. It might be a good idea to write it out or print it—avoid saving it in one of your online accounts, as this could easily be hacked.
We hope this information has helped you to understand what a SIM card swap is and how to protect yourself. Everyone is a target these days and it pays to keep yourself protected as much as possible to avoid the devastating effects of a SIM swap.
6th February 2020
31st January 2020
27th January 2020