Blog

You are currently viewing Sim Swapping

Sim Swapping

Almost everybody owns a mobile phone these days. By using a mobile phone, you automatically run a cybersecurity risk. One of the most notorious mobile phone attacks, next to phishing by SMS, is SIM swapping.

In comparison to phishing, SIM swapping is relatively unknown to many people, but the (financial) consequences can be much more severe than the ordinary phishing texts almost everyone receives now and then. With this post, I hope to create more insight into what SIM Swapping is, how SIM swapping works, what the risks are, and how you can protect yourself against SIM swapping.

SIM card explained, and SIM Swapping

SIM stands for Subscriber Identity Module. A SIM card is a small, removable card that you can use in your mobile device to store information that identifies the device to a cellular network. It typically contains the device’s unique identification number (IMSI), security authentication and encryption keys, and storage space for contacts and other information. A SIM card allows users to switch between different devices or carriers by removing the card from one device and inserting it into another.

SIM swapping or SIM Hijacking is an attack on your mobile phone that (if successful) grants an attacker control of your phone number. The strategy of a SIM swap attack is to convince a mobile service carrier to update the SIM card associated with a victim’s account. If successful, the service of the SIM and the target’s phone diverts to other SIM cards in the attacker’s possession.

SIM Swapping Strategy

A SIM swap attack starts with research and social engineering attempts against mobile users to gather personal information. The attacker then uses the personal information that the attacker inquires can to impersonate the target. The attacker can do this by setting up communications with the customer service staff of a phone company or with self-service apps or portals to request the SIM swap in case of a self-service app.

Another strategy is to use data breaches of a mobile provider. In one of my first posts on this blog back in August 2021, I wrote about a vast T-Mobile data breach, which eventually led to T-Mobile customers falling victim to SIM-swapping attacks. In December 2021, T-Mobile confirmed this and offered support to customers who became victims of SIM-swapping attacks. T-Mobile also urged its customers to be very vigilant to any suspicious text messages or e-mail messages pretending to be from T-Mobile.

Another popular technique used by an attacker is SIM cloning. By cloning a SIM, the attacker duplicates a SIM card containing all the original SIM card information, including the phone number and all the other victim data. An attacker can use a SIM card reader to copy the SIM card’s data onto a new one.

There are also more creative strategies around. Some attackers create fake websites that provide users with virtual telephone numbers for receiving SMS text messages. The attacker’s objective is to use a virtual telephone number matching the number of the intended target, increasing the chance of a successful attempt to impersonate the target.

Another creative strategy is the use of an “Inny.” An “Inny” is an insider at a telephone store of a mobile provider that can use its privileged access to the customer management systems to swap SIM cards. Especially this trend is a growing issue for cell phone providers.

Goals of SIM Swapping

One of the most common goals of SIM Swapping is bypassing SMS two-factor authentication (2FA) to steal cryptocurrency. There are examples of attackers that probe leaked databases to inquire about personal information about victims, gambling that they can utilize this information as standard PIN codes during the verification process for mobile providers. This attack shows that you should not use personal information or provide answers to security questions that attackers can guess easily. Attackers can not only use your data to impersonate you, but they can also use this information to unlock your accounts.

Protecting yourself against SIM Swapping

You can easily forget that phones have SIM cards because all the mobile applications on them overshadow them. We have entirely forgotten life before smartphones, so we sometimes also fail to protect the information that covers the little motherboard of our mobile phone: the SIM card. Imagine all the private text messages you have saved on the SIM card that can be lost or even extorted by an attacker to blackmail you. Or maybe you have valuable accounts protected with SIM 2FA: protection that depends on that little motherboard inside your mobile phone. You can lose this all if you don’t take the proper steps to protect your SIM card. To prevent attacks, you can take a few steps to avoid becoming a victim of a SIM swap:

  1.  Adopt robust and complex passwords. The easiest way to do this is to use a password manager that generates and safely stores strong passwords. KeePass is, for instance, a great password manager that is also free. This post explains how to set up KeePass.
  2. Set up a second-factor mobile application or biometric-based authentication for 2FA instead of an SMS 2FA.
  3. Never use information in security questions, PIN codes, or publicly available passwords.
  4. Keep an eye on your phone billing statement. If you notice any unusual activity or charges, contact your provider.
  5. Use a virtual phone number or a disposable phone number service to separate your personal information from your phone number.
  6. If you suspect an attacker has compromised your phone number, contact your mobile service provider immediately to report the suspicious activity and request a new SIM card.
  7. Be aware of phishing attempts. An attacker may trick you into giving them your phone number or other personal information. Additionally, an attacker can use a social engineering attempt to try and trick you by creating a “sense of urgency” or a false sense of trust.

Final Thoughts

SIM swapping is a significantly underestimated type of cyber fraud. Many people have no idea that the small SIM card in their telephone has a high-risk profile and that experienced cyber criminals can easily swap a SIM card. The process of SIM swapping requires a certain level of technical knowledge and social engineering which makes it hard for people to understand and recognize the dangers. Additionally, people tend to trust their mobile service providers blindly and that their personal information is well protected. The T-Mobile leak and the fact that social engineering tactics can deceive a provider into transferring the number prove the opposite. So always stay vigilant and protect your little motherboard inside your telephone at all costs.

Feel free to contact me if you have questions or in case you have any additional advice/tips about this subject. If you want to keep me in the loop if I upload a new post, make sure to subscribe so you receive a notification by e-mail.

Tags: , , , , , , , ,

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.

Leave a Reply