The Security Menace of SIM Swapping

The Federal Bureau of Investigation (FBI) has warned about a significant upsurge in smartphone SIM swapping.

SIM swapping, or SIM hijacking, is nothing new, but the FBI issued the alert because of a massive leap in reported cases.

“SIM” means subscriber identity module; it’s the small, removable chip card used in cell phones. Each SIM card is unique and associated with a mobile account. If you remove the SIM card from one phone and place it in another, the phone number and account data are transferred along with the SIM card.

SIM swapping involves fraudulently transferring a victim’s mobile phone number to a new SIM card controlled by a criminal. The attacker can then intercept sensitive information—such as two-factor authentication codes, text messages, and phone calls—and use it to gain unauthorized access to victims’ accounts, steal their money, or commit identity theft.

Smartphones are critical tools for accessing online services that use text messages to send sign-in codes. So, SIM swapping is a serious problem—if criminals can hijack a SIM, they can access their victim’s email, social media, and bank accounts. And complaints to the FBI’s Internet Crime Complaint Center (IC3) have skyrocketed over the past year.

“Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” the FBI’s IC3 warns.

The attackers typically gather information about a victim through phishing emails, smishing attempts, vishing, or other forms of social engineering (i.e., “tricking” people into cooperating).

Breaches of corporate and governmental databases are another major source of personal information, which is readily available on the dark web. In other cases, the criminals will simply bribe or extort mobile-carrier employees into assisting them with the transfer.

Using this personal data, the attackers will contact the victim’s mobile-service provider and pretend to be the victim, requesting a SIM card replacement.

Once the transfer is complete, the victim’s phone will lose service, and the attacker will receive all incoming calls and messages, including those containing sensitive information. This can allow the cybercriminal to quickly hijack their victim’s entire online existence.

How Can I Prevent SIM Swapping?

Fortunately, there are steps that you can take to protect against becoming a victim of SIM swapping.

  • Watch for phishing emails, smishing attempts, and other methods that attackers use to gain information to help them convince your cellphone carrier that they are you.
  • Don’t base your online security and identity authentication solely on your phone number, including text messaging (SMS), which is unencrypted.
  • Boost your online accounts’ security with robust and unique passwords and personal-security questions only you can answer.
  • Consider using an authentication app like Google Authenticator that provides two-factor authentication tied to your physical device rather than your phone number.
  • Monitor your accounts: Regularly monitoring your online accounts for suspicious activity can help you detect and prevent fraud before it causes significant damage.
  • Enable the Lock SIM function (or SIM PIN for iPhones) on your cellphone; this will protect you in the event of your SIM card being physically stolen, as well as helping to prevent SIM swapping.
  • Set up multi-factor authentication (MFA) with your phone service provider, requiring a specific question-and-answer when contacting their customer-service department.

In addition, the FBI recommends that individuals take the following precautions:

  • Do not post information about financial assets, including ownership of cryptocurrency, on social-media websites and forums.
  • Do not provide your mobile-number account information over the phone to “representatives” calling and requesting your account password or PIN. Verify the call by dialing your mobile carrier’s customer-service line.
  • Do not store passwords, usernames, or other information on mobile-device applications.
  • Avoid posting personal information online, including mobile phone numbers, addresses, or other personally identifying information.

What Should I Do If I Think My SIM Card Has Been Hijacked?

  1. If you suspect your SIM card has been hijacked, immediately contact your mobile service provider to report the incident and request a new SIM card.
  2. Report the incident to the FBI’s Internet Crime Complaint Center.

SIM-swapping fraud is a serious threat that can have severe consequences for its victims. By taking steps such as using strong passwords, enabling secure multi-factor authentication, monitoring your accounts, and being wary of phishing, smishing, and vishing attempts, you can reduce your risk of falling victim to this particularly insidious type of cybercrime.

If you have any questions about the perils of SIM hijacking, feel free to contact us here at Netmaker Communications; we’ll be happy to discuss them with you.