What Is SIM Swapping?
SIM swapping is a serious cybersecurity threat — and it’s on the rise, affecting everyone from ordinary people to tech titans like Twitter CEO Jack Dorsey. In this short piece, we’ll explain what SIM swapping is, how it works, and how to protect yourself.
What is SIM swapping?
SIM swapping can be thought of as part social engineering scam, part identity theft. A SIM swap takes place when a bad actor convinces (or bribes) a cellular carrier to transfer a victim’s mobile number to a SIM card that they own.
How does SIM swapping work?
To understand what SIM swapping is, you first have to understand what a SIM card does. “SIM” stands for “subscriber identity module”. As the name implies, a SIM card is how your mobile carrier knows that a given device belongs to you.
SIM cards store a unique identification number and key that authenticate users to the cellular network. Your SIM is associated with your phone number by your mobile provider — which is why you can put your SIM card into a new device and still keep the same number.
And this is where the scam comes in. Fraudsters will call a cellular carrier like AT&T or Verizon and impersonate their target. They’ll say that they’ve lost their SIM card, or claim that it was damaged, and ask to have their target’s phone number transferred to a new SIM card — one which the bad guys control.
If they’re able to convince the person at the mobile company to do this, then they’ve effectively stolen their victim’s phone number: all of that person’s calls and SMS messages will now be routed to the device with the scammer’s SIM card.
Why do phone companies allow it?
Mobile carriers obviously don’t want SIM swapping to happen. If someone calls in saying that they’ve lost their SIM card, the customer service representative for the company will ask them detailed questions to verify their identity. But sometimes that’s not enough.
This is where the social engineering aspect of the scam comes into play: the malicious actor will have already gathered copious personal information on their target, perhaps obtained using phishing emails or by scouring publicly available details from social media sites. If they have enough information to convince the person on the other end that they are who they say they are, then the scam succeeds.
There have also been cases of bad actors working with people “on the inside”, either partnering with someone who works at the cellular carrier or simply paying them a bribe to perform the swap.
Why is SIM swapping dangerous?
The main danger posed by SIM swapping comes from the fact that SMS text messages intended for you are now being routed to a hacker’s device.
This means that even if you’ve set up two-factor authentication, it can now be bypassed — since those one-time SMS authentication codes will be sent directly to the hacker instead of to you. And if bad actors have obtained your login credentials in a phishing attack or data breach, they’ll now have no problem getting into your bank account, PayPal account, or cryptocurrency exchange.
In addition, since SMS messages are often used for password resets, they may not have to steal your credentials at all — they can simply ask that a reset code be sent to your mobile number (which they, of course, control), and then create a new password to access your accounts.
How to prevent SIM swapping
While you can’t control whether or not your cellular carrier’s employees fall for a hacker’s social engineering tactics, you can take several steps to protect yourself from SIM swapping.
Lock down your social media
SIM swapping scams — and other social engineering scams — succeed or fail on the ability of the scammer to convince someone else that they’re you. Unfortunately, with so much of our lives online these days, that can be frighteningly easy for them to accomplish. Simply by perusing your Facebook profile, a bad actor might be able to glean your mother’s maiden name, your hometown, your birthday, the make and model of car that you drive, and other identifying details. That’s why it’s a good idea to limit who can see your posts, photos, contacts, and personal information on Facebook, Instagram, and other social sites. It’s also smart to make sure that your profile can’t be easily found with a simple Google search. Take a look at the privacy settings for the social sites that you use, and make sure your details are only visible to trusted friends and family members. If possible, prevent your profile from being indexed for search engines.
Add a PIN to your mobile carrier account
Most major cellular carriers allow their customers to protect their accounts with a PIN. This adds extra security, because the PIN will be required in order to verify your identity when you call the customer service line or open up a help chat online. While this method isn’t foolproof — after all, it won’t stop a rogue employee from going ahead with a SIM swap for cash — it’s a good precaution to take, as it makes it much harder for a scammer to steal your mobile identity using social engineering tactics alone.
Use an authenticator app for 2FA
If you’re using two-factor authentication, you’re clearly ahead of the curve in terms of digital security and privacy. But relying on SMS messages for 2FA makes you vulnerable to a SIM swapping attack, as discussed above. The good news is that there’s a much safer alternative to SMS: an authenticator app. Services like Google Authenticator or Authy allow you to receive authentication codes via an app installed on your phone — an app tied to your actual, physical device instead of your phone number. These authenticator apps are password protected, and can be configured so that they only work on a single primary device and recovery device. This means that even if a hacker steals your phone number, they won’t be able to access your second authentication factor.
Use RDP alternatives
Many companies look to Microsoft’s Remote Desktop Protocol (RDP) as a quick and easy way to let employees access their work desktops from home. However, RDP has had numerous security issues throughout the years, and is not really suitable for this purpose. Services like ConnectWise Control can provide the same functionality more safely, because they are self-hosted and operate from within your secure network. These tools can also be configured for additional security, with features like two-factor authentication and settings to prevent client machines from copying files.
SIM swapping is disturbing: It’s a massive invasion of privacy, and it has the potential to give a malicious actor control over the very tools that are supposed to keep us safe. But by being aware of the issue — and then taking the simple, commonsense precautions outlined above — you can protect yourself from this threat.