Sim swapping has become one of the best biggest forms of fraud attack in recent times. For uninitiated, a Sim swap fraud or scam is a type of account fraud, which uses the weakness in 2FA security where your mobile number is the second-factor. So, if you have used your phone number as a second-factor authentication or a recovery method for your account, fraudsters can take hold of your account by swapping your SIM. The most notable of such attacks happened to the micro-blogging site, Twitter's co-founder Jack Dorsey. Mr. Dorsey's account was hacked by swapping the SIM that was associated with his account. That shows that everyone is susceptible to this kind of attack. In this article, we are going to tell you all about the prevalent SIM swapping attacks and you can save yourself from being a victim.
What is SIM Swapping Attack Fraud?
SIM swapping is a type of scam that allows fraudsters to get hold of your phone number which in turn allows them to take over any social media accounts that's linked with it. If you are unlucky, they can even use this trick to get into your bank accounts and that is a disaster that you don't want to go through. If you are thinking, how can anyone get hold of your number, it's easy.
The attackers use the service provider’s ability to seamlessly port a telephone number to a device containing a different subscriber identity module (SIM). This feature was introduced by carriers to help users who have lost their smartphones to easily get their old number back. However, the mobile carriers have become so lax when it comes to verifying the identity of the caller, that they are easily duped. So, someone who has acquired basic information about you can call your mobile service provider and have your SIM ported to a different phone. There also have been cases where attackers payoff an employee to get a specific number ported.
Whatever method an attacker has used to procure your number, it doesn't matter. What matters is that the SIM swap attack gives the attacker access to all your calls and messages. And if you are using SMS as 2FA security or your account recovery method, they can enter your number, get the OTP (one-time-password), and take control of your accounts.
Is It So Easy to Swap Numbers?
I get it. You are not sure that SIM swapping can happen to you there must be some form of customer protection in place. Well, you are not entirely wrong. SIM swapping is not supposed to be easy, however, fraudsters have become so apt at using a combination of social engineering and new methods like phishing, that it is no longer a long shot. Also, the disdain of mobile operators, especially in the US and Canada, in providing any form of a special check to protect their customers is not helping much.
In a recent study conducted at Princeton University, the researchers examined the types of authentication mechanisms in place for such requests at 5 U.S. prepaid carriers—–AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless. They signed-up for 50 prepaid accounts (10 for each carrier), and then made calls to SIM swap those accounts. Their findings are as follows,
"Our key finding is that, at the time of our data collection, all 5 carriers used insecure authentication challenges that could easily be subverted by attackers. We also found that in general, callers only needed to successfully respond to one challenge in order to authenticate, even if they had failed numerous prior challenges".
That is some scary data. Not only they found that they can easily SIM swap, but they also found that only one correct answer was needed to swap the SIM, even in cases where they have given repeated wrong answers. It means, a fraudster can just keep guessing and when they get one answer right, your number is swapped. If that's not apathy towards consumer security from carriers, then what is?
How Can You Protect Yourself from SIM Swapping Attacks
Now that you know SIM swapping is a serious threat to your online and financial privacy, let's see what you can do to stop these attacks. There are several things that you can put in place so you are never a victim of SIM swapping frauds. You can also ensure that you don't suffer any major problems, in case your SIM is swapped. And finally, we will take a look at the steps you can take in the worst-case scenario. So without further ado, let's get started, shall we?
1. Use Carrier PIN Codes
Most US carriers allow users to set a PIN to their phone number. If your carriers support this feature, stop reading and set it up right now. This will stop SIM swaps from happening as the fraudster will be required to give the PIN to activate the process. Since only you have the PIN, they won't be able to swap your SIM card. If you fear that you will forget the PIN, remember to use a good password manager (if you are not doing already so) and stick the PIN in the secure notes feature. This way, your PIN will be secure and available. Here are how you can do this.
For US Mobile Users
Every major US mobile carrier has a detailed page on fighting SIM swapping. You can click on the links below t find the resources that will help you set up a PIN for your account.
- Sprint Users: Log in to your account on Sprint.com. Now, go to My Sprint -> Profile and security -> Security information. Here, update the PIN or security questions, then click Save. Learn more here.
- AT&T Users: Sign in to your account and then click Sign-in info. Here, find Wireless accounts and then go to "Manage Extra Security" under the Wireless passcode section. Here set the PIN and save it. Learn more here.
- T-Mobile Users: You can learn how to set your PIN here. If you are already a victim of SIM swap call T-Mobile immediately, either by dialing 611 from a T-Mobile phone or by calling 1-800-937-8997 from any device. Learn more here.
- Verizon Wireless Users: Visit this page, login with your account, and follow the steps to secure your account.
For Indian Mobile Users
Indian mobile users don't have to worry as much about the SIM swap attack as it's not as easy to port a SIM number in India as it is in US. However, there's always the chance that you lose your mobile or someone steals it. In such cases, anyone can use your SIM to get desired access to your account until you get it blocked. That's why, one should consider setting up a SIM PIN. You can do it really easily regardless of your mobile service provider:
iPhone Users: Go to Settings -> Cellular -> Sim PIN and enable the toggle. It will ask for a PIN first. Here's the default PIN for various service providers in India.
|Mobile Service Provider||SIM PIN|
|Reliance Jio||Try 0000/1234 or call customer care 1800 88 99999|
Android Users: Go to Security & Privacy -> More Settings -> Encryption and credentials -> Set SIM lock. Again use the above default PIN to open the setting and then reset it with your own PIN.
2. Don't Fall for Phishing Scams
The first step in protecting yourself from SIM swapping is ensuring that you are not falling prey to a Phishing scam. A fishing scam is one of the oldest forms of scams. In this, you receive an email or a message from a fraudster impersonating as your mobile carrier or your bank or any such institute. Mostly the messages and emails either warn that you have been hacked and you need to change your account and password or that you have won some money or cash back and you need to enter some personal information to get the prize or refund.
If you receive any such mail or message, cross-check before you click on the embedded link and give away your personal information. Because that information will be saved and used by the fraudster to get your SIM swapped. Remember, 99% of such emails are from frauds and you should never enter any personal information before verifying the sender. If it's an email, you can check the email address and make sure it's legitimate. You can do that by looking at the suffix of the email (the part that comes after @ symbol) and matching it with any previous official emails that you have received. You can also use reverse email lookup services to see if it's a spam or not.
If it's a message, you can use number screening services like TrueCaller to see if it has been reported as spam or not. You should also use your carrier's built-in features to block spam calls and messages. If you are still unsure, call the customer service representative of the company and confirm if they have sent such an email/message or not. Only when you are 100% sure that the message is legitimate should you enter any information.
3. Don't Share Overtly Personal Information Online
Humans are social by nature and we love to share our views and thoughts with the world. There are several social media websites like Facebook, Instagram, Twitter, and more where we love to share with other users. However, remember, any information that you share online can be used against you. Seeing the state of information on Facebook and how easily our data is sold, it would be wise to not share overtly personal information. Remember, you only need to get one answer right to swap the SIM. Make sure you are not the one giving away the information.
4. Don't Use Your Number as 2FA Security or Recovery Method
One thing that I make sure to do is never use my phone number as 2FA security or account recovery methods. It still boggles my mind as to how a thing that is so easily shared can be used as a measure to protect our online privacy. Make sure to use third-party authentication apps like Google Authenticator (free - Android / iOS) as your 2FA security. I prefer Authy (free - Android/iOS) but you can use any app that you want.
Setting up third-party authentication apps can be a bit challenging at first. If you don't know how to do it, check out our guides for setting up authenticator app for Facebook and Twitter authentication. You can find similar guides for other services on the internet. You should do this to minimize the damage a fraudster can cause even if they swapped your number.
5. Use Physical Security Keys
This is a bit extreme security tip. But, if you want to ensure that your accounts are always secure no matter what, you should usie external physical security keys. It is by far the best protection you can have against any kind of phishing or SIM swap attack. For those who don't know, a physical security key is a physical device that plugs into a USB port on your computer and lets you log into your accounts. So, no one can get into your accounts if they don't have the key. You can buy these keys from Amazon. Or you can use your iPhone as a physical security key. Currently, only Google supports iPhone's built-in security key but I am sure as time passes more and more companies will start including this feature.
Steps to Take If You Are SIM Swapped
If worst comes to pass and you are SIM swapped, you should take these steps immediately to minimize the effect of the attack.
- File identity theft report with your local police and contact FTC immediately.
- Alert your banks and other financial institutes about the attack and freeze all your accounts until the situation is resolved.
- Call your mobile service provider and let them know about the fraud. Ask them to return the number to your phone. Here are the customer care numbers for major US and Indian carriers
- US Carriers
- Sprint: 1-888-211-4727 / 1-817-698-4199
- AT&T: 1-800-331-0500
- T-Mobile: 1-800-937-8997
- Verizon: 1-800-922-0204
- Indian Carriers
- Vodafone: 111 - Vodafone customers / 9886098860 (Non-Vodafone customers)
- Airtel: 198 - Airtel customers (check this link for non-Airtel customer care number)
- BSNL: 9415024365
- Reliance Jio: 1800 88 99999
- US Carriers
- Make sure to change the email ID, password, and recovery method of all the accounts associated with that number.
- If you can't change the password as your number was 2FA security (which you shouldn't have - check point number 4), try to contact a customer service representative of each account associated with your number and let them know your situation.
Protect Yourself from SIM Swapping Attacks and Frauds
I hope this article was informative and useful. I have explained the danger of SIM swapping attacks and why you need to protect yourself against them. Also here is the steps you need to take to protect yourself from such attacks and what you can do if you do fall victim to such attacks.