Sim-Swapping is a commonly used attack where attackers seize control of your phone number, then seize control over you digital life if your phone number happens also to be your 2FA for your online services. In this article I will try to explain exactly what SIM swapping attacks are and the most effective way to mitigate against them.
The advice herein presumes your mobile device has a baseline level of security established, i.e. no rooting/jailbreaking concerns, etc. and that you haven't recently been a victim of phishing/spear phishing prior to taking these steps. If you suspect you've already been a victim, call your mobile carrier immediately and seek professional mitigation assistance.
What's a SIM Card?
SIM cards are the heart of our mobile devices where regular phone and communications are concerned. They're the tiny little cards we don't often think about that slide inside our mobile device and make our mobile number for phone calls and data plan for using the Internet work.
SIM is another acronym that stands for Subscriber Identification Module. This little card is what connects our phone number and data subscriber plan to a carriers network using a private key that's embedded in the card itself. Why should we have to think about them at all - ever?
What's SIM Swapping?
There is a kind of crime on the rise called "SIM swapping" or "SIM jacking" or "SIM Hijacking". This nefarious activity involves deception and in many cases social engineering.
It typically goes something like this: criminals case your number ahead of time and then contact your mobile carrier over the phone (an AT&T or Verizon or T-Mobile or Sprint store) and choose a new or simple-minded or super-nice and helpful representative that appear to be easy to manipulate.
They've already collected enough personal info (physical address, SSN, phone number, date-of-birth, all of these can easily be had) to impersonate you and then - the key ingredient: they add to this a compelling story, like "My dad died and I need to get on a plane in a few hours and to make it all worse I just lost my phone! Can you help???" in order to get the representative to empathise and work around established security protocols to "help" them.
Generally speaking, we are all good people and want to help whenever we can. Criminals know this and exploit that nature to take control of an account and ultimately a SIM card. It's a lot easier than it might sound.
Once a criminal has taken control of your SIM and thereby your mobile number, some things start to happen - FAST. Here's an idea of what you can typically expect when you are a victim of a successful SIM jacking attack:
- The first thing you might notice is your phone shows "NO SERVICE". Many people don't notice this right away because their phone is also connected to WiFi and things like email, social media, music, continue to work normally - at first.
- It isn't until they notice they're not getting calls or texts that they begin to suspect something is not right. By then, it's too late.
- By then, they will begin to see other weird things like requests being sent to reset passwords, losing access to email, social media, etc. It's a nightmare that seems to happen suddenly, all at once. Criminals who conduct SIM jack attacks aren't so much interested in your text messages or phone calls as much as they are in taking control of your two-factor authentication (2FA) codes from valuable accounts like primary email accounts that are tied to everything, and banking accounts that you have taken extra steps to protect - using your mobile number to receive those 2FA codes. Criminals can initiate password resets across these accounts and then intercept these one-time codes when they have control of your mobile number. Then, they use automated and manual tools to initiate password resets across all your accounts quickly, across more and more of your email and social media accounts, banking, insurance, loans, retail accounts, and more.
- By the time you realize what's happening, you'll panic. But that's not the end of it. This is only the beginning.
- After they've successfully taken over your identity, they resell all of your breached information on the Dark Web. That's when things kick into high gear and make it even more stressful and time-consuming to mitigate and contain.
- The criminals who initiate and successfully achieve the attacks don't often stick around. They sell these compromised accounts to the highest bidder(s) on the dark markets, who often then take the attack to a new level, which involve activities like opening loans and credit cards in your name, new email accounts, and effectively taking over your identity.
- There's going to be a period of damage control that can often take months and even years to clean up depending on how quick and how widespread the criminals activites were, how many account and assets they took control of, and how fast and smart the criminals they sold your identity to are.
Minimize Your Risk Of Getting Swapped
Be pro-active. Minimize your exposure to these crimes with these tips:
Authentication Apps Are Better Than SMS/Text
Using SMS or text message via your real mobile number to receive 2FA codes to login to your most valuable accounts might be easy and straightforward but it makes us super-vulnerable to SIM swapping. Use an app instead, like Authy, Google Authenticator, or Duo. This is called an "out-of-band" method and this approach helps insulate you against SIM swapping attacks by diminishing the value of your SIM card (your mobile number) for the purpose of receiving 2FA codes via text message. Whenever possible, look for ways to use something other than your mobile number to receive these codes. It can save you a lot of pain and suffering, while offering you better protection.
Set A PIN On Your Mobile Carrier Account
If you haven't spoken to your mobile carrier lately, it's worth a call to check in, especially if you suspect you've been compromised at all. Compromise of something small, a Netflix account, an online retail account, or falling for a phishing email that asks for your phone number, name, physical address, anything at all that many people would ignore and hope goes away. These are all often precursors to a SIM attack.
To help prevent this, call your mobile carrier and ask to set a PIN on your account if they haven't already asked you set one. Mobile carriers are starting to make this protocol but if it's been awhile since you've spoken to yours I recommend calling and verifying. Doing this makes it more challenging for criminals to take control of it. By protocol, carrier representatives cannot make changes to your account without that PIN, which is typically a number from 4-8 characters in length.
Set A PIN On Your Physical Device
If you frequently lose your phone or accidentally leave it places, you should consider enabling a PIN on your SIM card in your phone. By this I don't mean a code that you use to login to your phone. Instead, in addition to the code you might use to get into your phone, there's an option to put a PIN, a code, to prevent someone from activating and using your SIM card.
Imagine this: some criminals steal phones. Even if they can't crack the code to get into your phone they can simply remove the SIM card and take control of your mobile number. But not if you've put a PIN on that, too.
Here are some steps to do this on different devices:
Enable PIN for your SIM on iPhone or iPad: https://support.apple.com/en-us/HT201529
Enable PIN for your SIM on Android: https://www.digitalcitizen.life/how-change-or-remove-sim-pin-android-2-steps
Doing so offers you greater peace-of-mind, especially if you're famous for forgetting your phone places.
Avoid Using Your Real Mobile Number
If you don't have to share your real mobile number - don't. For example, remove it from your social media accounts. "What does that mean?" you might ask. We don't always need to offer a mobile number but sometimes do anyway out of habit. Verify that accounts need this information.
If an account your signing up for requires a mobile number, we can use any VoIP service, such as Google Voice, Ring Central, etc. to instead create an online "phone number" that can be used in place of our real mobile numbers, offering us a great level of protection. We should avoid using our actual numbers whenever possible. If your number is tied to a business it may be even more important to consider. Yes, I imagine this is not great advice to hear for many of you but I hope you won't regret ignoring it and at least consider it.
Removing and abstracting your real mobile number from your most valuable online accounts vastly reduces your risks in a successful SIM swap, especially where you have to associate a mobile number to an account.
For example, sign in to the Google Account page and edit your mobile number in the Personal Info section. If you see your mobile number there, replace it with a VoIP number like Google Voice, Ring Central, etc. or remove it altogether (as long as you have another option for receiving 2FA first!).
Remove your mobile number from the Security section, in the Ways we can verify it’s you - this is another good spot to use a VoIP number and not your real mobile. Note that 2FA is turned off in this screenshot. Be sure to re-enable it once you've set up authenticator or are using a VoIP number to receive those 2FA codes so you don't lock yourself out.
Here's another example using Amazon: In Your Account, select Login & Security. Remove your mobile and/or add a VoIP number here.
PayPal is another regular target for criminals. Do the same thing here by clicking the settings (gear icon) in the upper-right-corner of the page once you login. Click Phone and remove your real mobile and add a VoIP number instead to sleep much better at night.
Likewise, consider removing your real mobile number from all your social media, retail, and especially your financial accounts.
Don't go changing too much after reading any of this! Continue to be your kind, sensitive, and helpful self but don't let the baddies take advantage of you. Be kind but skeptical about anyone asking for your personal info in person, via email, and/or text and don't be afraid to ask for verification, call them back using a legit number.
Try thinking of it this way: trust but verify. No one will fault you for due diligence and it might save your identity someday.
If you fear you've been a victim to SIM swapping, seek professional guidance in order to properly mitigate and make good, informed choices against the future. Once you've been compromised, you're predisposed to future issues especially if you don't handle the first incident in a comprehensive and intentional way.
Thanks for reading - please share these tips with your loved ones to help ensure their continued success and safety in the new year.