If you own a cell phone—and 96% of all Americans do, according to the Pew Research Center—you probably only think about your SIM card when you struggle with a paperclip to insert the chipped card into a new phone. Unfortunately, thanks to SIM swap attacks, fraudsters are giving you much bigger reasons to worry about that tiny but essential part of your mobile phone.
What is a SIM swap attack?
In layman’s terms, your SIM is a portable chip that contains your mobile identity, said David Richardson, senior director of product management at Lookout.com.
“A SIM card gives you, among other things, your phone number, and ensures that you receive calls and texts sent to that phone number,” he said.
Thus SIM swapping is a form of mobile identity theft where an attacker uses a second SIM to steal the victim’s phone number. “Once an attacker steals the SIM, they can use it to reset passwords or to gain access to bank accounts by intercepting SMS messages or phone calls,” Richardson said.
SIM swap attacks even happen to those who are well versed in tech issues. Case in point: attackers targeted Rob Ross, a former Apple engineer, in a $1 million SIM swap attack in 2018, while Jack Dorsey, founder of Twitter, was hacked earlier this year.
How does a SIM swap work?
Worse, a SIM swap attack happens without the thief ever laying hands on your phone. Instead, the attacker convinces a carrier that they are you and asks to have your phone number ported to a SIM card the attacker owns. “This may be via social engineering customer support, abusing password reset flows or having an insider at the carrier willing to assist in the crime,” said Richardson. Once that happens, the attacker can intercept mobile communications—like texts—that are often used in two-factor authentication (2FA) setups to help prevent fraud.
That unlocks the real payday of many SIM swap attacks: the keys to your bank account. “Many banks will send your 2FA code to log into your account or reset your password via SMS, which means SIM fraud can intercept these codes to gain access to your accounts,” said Richardson.
As our use of cell phones grows, SIM swapping fraud will likely continue to grow as well.
“SIM swapping has remained an ongoing threat because it leverages social engineering,” said Richardson. “So even though cybersecurity solutions have gotten very sophisticated, there still isn’t any patch for attacks that take advantage of human nature.”
New banking apps and cryptocurrency use may make our lives easier, but they also increase the chances for this type of fraud. There are more possibilities than ever to turn access to someone’s phone number into a way to steal money through services like online banking or payment apps, and to access email and other cloud services or social media accounts, Richardson added.
How can I protect myself from a SIM swap attack?
Although completely avoiding SIM swap attacks isn’t possible with our dependence on phones, there are a few things you can do to help lower the likelihood of fraudulent activity. “First, users should make sure their mobile accounts have good security, such as PIN codes or additional security questions,” said Richardson. “If possible, avoid using SMS messages for two-factor authentication—there are a number of authentication apps that provide a similar service.”
You should also always double-check any communications you don’t recognize that come through to your phone or email. A reverse phone lookup can help verify unknown numbers, while an email search engine does the same for unknown email messages.