SIM swapping has become one of the biggest forms of fraud in recent times. For the uninitiated, a SIM swap fraud or scam is a type of account takeover that exploits the weakness of 2FA setups in which your mobile number is the second factor. So, if you have used your phone number as a second factor or as a recovery method for an account, fraudsters can take hold of that account by swapping your SIM. The most notable such attack happened to Jack Dorsey, co-founder of the micro-blogging site Twitter: Mr. Dorsey's account was hijacked by swapping the SIM associated with his phone number. That shows that everyone is susceptible to this kind of attack. In this article, we are going to tell you all about the prevalent SIM swapping attacks and how you can save yourself from becoming a victim.
SIM swapping is a type of scam that allows fraudsters to get hold of your phone number, which in turn allows them to take over any social media accounts that are linked with it. If you are unlucky, they can even use this trick to get into your bank accounts, and that is a disaster you don't want to go through. If you are wondering how anyone can get hold of your number, it's easier than you might think.
The attackers abuse the service provider's ability to seamlessly port a telephone number to a device containing a different subscriber identity module (SIM). Carriers introduced this feature to help users who have lost their phones get their old number back easily. However, mobile carriers have become so lax in verifying the identity of the caller that they are easily duped. So, someone who has acquired basic information about you can call your mobile service provider and have your number moved to a SIM in their possession. There have also been cases where attackers pay off a carrier employee to get a specific number ported.
Whichever method the attacker used to take over your number, it doesn't matter. What matters is that a SIM swap hands the attacker everything delivered to that number: your incoming calls and text messages. So if you use SMS as your 2FA method or as your account recovery method, they can enter your number, receive the OTP (one-time password), and take control of your accounts, including resetting your password through the "forgot password" flow.
I get it. You are not sure that SIM swapping can happen to you; surely there must be some form of customer protection in place. Well, you are not entirely wrong. SIM swapping is not supposed to be easy. However, fraudsters have become so adept at combining social engineering with methods like phishing that it is no longer a long shot. Also, the reluctance of mobile operators, especially in the US and Canada, to provide any special check to protect their customers is not helping much.
In a recent study conducted at Princeton University, the researchers examined the authentication mechanisms used for such requests at 5 U.S. prepaid carriers: AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless. They signed up for 50 prepaid accounts (10 per carrier) and then called each carrier to request a SIM swap on those accounts. Their findings are as follows:
"Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers. We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges."
That is some scary data. Not only did they find that they could easily SIM swap, but they also found that only one correct answer was needed to swap the SIM, even in cases where they had given repeated wrong answers. It means a fraudster can just keep guessing, and once they get one answer right, your number is swapped. If that's not apathy towards consumer security from carriers, then what is?
Now that you know SIM swapping is a serious threat to your online and financial security, let's see what you can do to stop these attacks. There are several things you can put in place so that you never become a victim of SIM swap fraud. You can also make sure you don't suffer major damage in case your SIM is swapped anyway. And finally, we will look at the steps to take in the worst-case scenario. So without further ado, let's get started, shall we?
Most US carriers allow users to set a PIN (sometimes called an account PIN or port-out PIN) on their account. If your carrier supports this feature, stop reading and set it up right now. This will stop most SIM swaps, as the fraudster will be required to give the PIN before the carrier processes the request. Since only you have the PIN, they won't be able to swap your SIM by calling customer service. It does not, however, protect you from a bribed carrier employee who bypasses the check, so the remaining tips still matter. If you fear that you will forget the PIN, use a good password manager (if you are not doing so already) and store the PIN in its secure notes feature. This way, your PIN will be both secure and available. Here is how you can do this.
Every major US mobile carrier has a detailed page on fighting SIM swapping. You can follow the links below to find the resources that will help you set up a PIN for your account.
Indian mobile users don't have to worry as much about SIM swap attacks, as it's not as easy to port a number in India as it is in the US. However, there's always the chance that you lose your mobile or someone steals it. In such cases, anyone holding your SIM can use it to receive your OTPs and get into your accounts until you get it blocked. That's why you should consider setting up a SIM PIN, which the phone asks for whenever the SIM is inserted or the device restarts. You can do this easily regardless of your mobile service provider:
iPhone Users: Go to Settings -> Cellular -> SIM PIN and enable the toggle. It will first ask for the current PIN. Here is the default PIN for various service providers in India.
| Mobile Service Provider | SIM PIN |
| --- | --- |
| Reliance Jio | Try 0000/1234 or call customer care 1800 88 99999 |
Android Users: Go to Security & Privacy -> More Settings -> Encryption and credentials -> Set SIM lock (the exact path varies by manufacturer and Android version; search Settings for "SIM lock" if you can't find it). Again, use the default PIN above to open the setting and then change it to your own PIN. Be careful: three wrong PIN entries lock the SIM, and you will then need the PUK code from your carrier to unlock it, so store your new PIN in your password manager as well.
The first step in protecting yourself from SIM swapping is ensuring that you don't fall prey to a phishing scam. Phishing is one of the oldest forms of scam. In it, you receive an email or message from a fraudster impersonating your mobile carrier, your bank, or a similar institution. Mostly the messages and emails either warn that you have been hacked and need to change your account details and password, or claim that you have won some money or a cashback and need to enter personal information to get the prize or refund.
If you receive any such mail or message, cross-check before you click the embedded link and give away your personal information, because that information will be saved and used by the fraudster to answer the carrier's security questions and get your SIM swapped. Remember, the overwhelming majority of such emails are fraudulent, and you should never enter any personal information before verifying the sender. If it's an email, check the sender's address and make sure it's legitimate. You can do that by looking at the domain (the part that comes after the @ symbol) and matching it exactly against previous official emails you have received; watch for look-alike domains, such as a swapped letter, an extra word, or the real domain name appearing as a prefix of a completely different domain. Keep in mind that the displayed sender address can itself be forged, so check where the link actually points as well. You can also use reverse email lookup services to see if the address has been reported as spam.
If it's a text message, you can use number screening services like TrueCaller to see if the number has been reported as spam. You should also use your carrier's built-in features to block spam calls and messages. If you are still unsure, call the company's customer service, using the number from its official website rather than the one in the message, and confirm whether they sent it. Only when you are completely sure that the message is legitimate should you enter any information.
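The sender-domain check described above can be automated. The following is an added example written for this article, not code from the original page or from any mail provider: it parses the From: header, compares the domain against an allow-list of domains you have previously received genuine mail from (the domains and headers below are constructed placeholders), and flags the look-alike tricks mentioned above. The skeleton() folding and the "known or subdomain of known" rule are assumptions of this example; a displayed From: address can still be forged when the real domain has no SPF/DKIM/DMARC, so this is one check among several, not proof of legitimacy.

```python
from __future__ import annotations

import email.utils
import unicodedata

# Constructed allow-list of domains you have previously received genuine mail from.
# Placeholder names for the example, not real carrier or bank domains.
KNOWN_SENDER_DOMAINS = {"example-bank.com", "example-carrier.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header, or '' if unparseable."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Fold common look-alike substitutions so that 'examp1e-bank' and 'exarnple-bank'
    compare equal to 'example-bank'. Accented letters are reduced to ASCII; letters with
    no ASCII form (e.g. Cyrillic) are dropped, which still prevents an exact match."""
    s = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")):
        s = s.replace(fake, real)
    return s


def classify_sender(from_header: str) -> tuple[str, str]:
    """Classify the sender as 'known', 'lookalike', 'unknown' or 'unparseable'.

    'known' means the domain is an allow-listed domain or a subdomain of one, which only
    the real owner can create. 'lookalike' means the real name appears inside a different
    registrable domain (example-bank.com.evil.test) or differs only by a confusable character.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable", ""
    for known in sorted(KNOWN_SENDER_DOMAINS):
        if domain == known or domain.endswith("." + known):
            return "known", domain
    for known in sorted(KNOWN_SENDER_DOMAINS):
        if known in domain or skeleton(known) in skeleton(domain):
            return "lookalike", domain
    return "unknown", domain


# Constructed From: headers standing in for a mailbox triage run.
SAMPLE_HEADERS = [
    '"Example Bank" <alerts@example-bank.com>',
    '"Example Bank Security" <security@notify.example-bank.com>',
    '"Example Bank" <alerts@example-bank.com.account-verify.test>',
    '"Example Bank" <alerts@examp1e-bank.com>',
    '"Example Carrier" <noreply@exarnple-carrier.com>',
    '"Prize Desk" <winner@free-money.test>',
    "Example Bank Support",
]


def triage(headers: list[str]) -> list[tuple[str, str]]:
    """Return (header, verdict) pairs; anything that is not 'known' deserves a phone call."""
    return [(h, classify_sender(h)[0]) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:12} {header}")
```

Run it as a script to see the verdict for each constructed header. The third and fourth samples are the cases that fool a quick glance: the real domain is present in the address, but it is not the part that decides where the mail came from.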
Humans are social by nature, and we love to share our views and thoughts with the world. There are several social media websites like Facebook, Instagram, Twitter, and more where we love to share with other users. However, remember that any information you share online can be used against you. Seeing the state of information on Facebook and how easily our data is sold, it would be wise not to share overly personal information, especially any detail a carrier might use to verify a caller. Remember, an attacker only needs to get one answer right to swap the SIM. Make sure you are not the one giving away that answer.
One thing I make sure to do is never use my phone number as a 2FA method or as an account recovery method. It still boggles my mind how something so easily shared can be used as a measure to protect our online accounts. Use an authenticator app like Google Authenticator (free - Android / iOS) for 2FA instead. I prefer Authy (free - Android/iOS), but you can use any app you want. These apps generate codes from a secret that the service shares with the app when you enrol, so the codes never travel over the phone network and a SIM swap does not expose them.
Setting up an authenticator app can be a bit challenging at first. If you don't know how to do it, check out our guides to setting up an authenticator app for Facebook and for Twitter. You can find similar guides for other services on the internet. Do this to minimize the damage a fraudster can cause even if they manage to swap your number, and remove your phone number as a recovery option at the same time, since a password reset delivered by SMS bypasses the authenticator app entirely.
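To make concrete why an authenticator app is immune to a SIM swap, here is an added example (written for this article, not code from the page or from Google Authenticator or Authy) implementing the standard these apps use: RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side verification with a drift window. The only inputs are the shared secret and the clock; the phone number never enters the computation. The Base32 string below is the RFC 6238 test secret written the way an enrollment QR code would carry it, constructed for the example rather than taken from a real account; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time `at`."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window`
    steps to tolerate clock drift. Every candidate is compared in constant time
    and without early exit, so timing does not reveal which step matched."""
    ok = False
    for k in range(-window, window + 1):
        expected = hotp(secret, at // step + k, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as Base32 inside an otpauth:// URI
    (usually shown as a QR code); decode it, tolerating spaces and missing padding."""
    s = encoded.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890") in Base32, grouped
# the way enrollment pages display it. Constructed for the example, not a real account.
ENROLLMENT_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(ENROLLMENT_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    # Nothing here depends on a phone number: a SIM swap gives the attacker no way to compute `code`.
    print("current code:", code, "accepted by server:", verify_totp(secret, code, now))
```

The drift window is the one place where design judgement enters: a window of 1 step (30 seconds either side) covers ordinary clock skew while keeping the number of codes an attacker could guess per attempt to three. Services also rate-limit attempts, because with 6 digits a code is guessable by brute force if unlimited tries are allowed.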
This is a slightly extreme security tip. But if you want to ensure that your accounts stay secure no matter what, you should use an external physical security key. It is by far the best protection you can have against any kind of phishing or SIM swap attack. For those who don't know, a physical security key is a small device that plugs into a USB port on your computer (or connects over NFC or Bluetooth to a phone) and lets you log in to your accounts. The key signs a login challenge that is tied to the website you are actually on, so a phishing site cannot reuse that login elsewhere, and no one can get into your accounts without the key in hand. You can buy these keys from Amazon. Or you can use your iPhone as a physical security key. At the time of writing, only Google supports using an iPhone's built-in security key, but I am sure that as time passes more and more companies will include this feature.
If the worst comes to pass and you are SIM swapped, take these steps immediately to minimize the effect of the attack.
I hope this article was informative and useful. I have explained the danger of SIM swapping attacks and why you need to protect yourself against them, laid out the steps you need to take to protect yourself from such attacks, and covered what you can do if you do fall victim to one.