Protect Yourself From Mobile Phone SIM Swap Hacking
Published 3/7/24
Best practices dictate that you employ two-factor authentication to protect access to your online accounts. Typically, this means that you enter your login ID and password, and then you receive a text message with a code you need to enter to gain access to the site. But hackers are resourceful, and it was a matter of time before these bad actors figured out a way around that as well.
The latest threat is called SIM swapping, and this is how it works.
SIM swapping is a type of hack where criminals take over your phone number by deactivating your SIM card and porting it to a new one that they control. They do this by tricking your carrier into connecting your phone number to a SIM card in their possession, taking over control of your mobile phone’s number. They then can use your number to access your personal information, email, cloud storage, and cryptocurrency accounts by intercepting text messages and two-factor codes.
Most mobile devices that access cellular networks require a SIM card (Subscriber Identity Module) which contains a small chip. That chip is used by the cell phone to identify who you are and what carrier you use (Sprint, AT&T, Verizon, etc.). This is how your phone receives your text messages and not those for other people. That process has kept your phone safe from hackers …until now.
With sophisticated phishing tactics, bad actors have figured out how to steal login credentials (username and password). These thieves then go to a retail store, impersonating the victim. They get a new cell phone and transfer the cell phone number over to that new device just like you do when you buy a new cell phone. They often go to a different carrier and port your phone number to a device on that carrier, making it more difficult to get your identity back, this is called porting fraud.
The hackers then access your accounts and change your password so you cannot see what they are doing, which includes taking your money or other assets and transferring them to their accounts.
How do you protect yourself from this type of attack?
- If your bank or other service provider has alternate methods for the second factor such as an authenticator app, face scan, fingerprint, or hardware token switch to those, as they are not tied to your SIM card.
- Protect your username and password and make sure they are unique for each site (you can use a password manager app so you do not have to remember them all).
- Change your password if you have an account where there has been a breach. You can do a one-off scan on google here to see if your username has been involved in a breach: Scan the dark web for your email address – Google One Help. There are services that will continually scan the dark web for your credentials and alert you when a new one shows up.
- Limit who knows about your wealth and accounts, it can make you a target and can give the hacker a head start on compromising those accounts.
- Be alert for phishing emails and social engineering attacks such as calls that seem to come from your bank asking for sensitive information. You can hang up and call their support line and ask if the issue is legitimate.
- Research the protection your cell phone carrier provides which can include PIN numbers to protect account changes and security questions that only you should know.
Corporations are at risk too
While news of SIM-swapping attacks have focused on consumer victims, companies also need to be aware that similar techniques can be used to target business data and networks. Since SMS messages are still frequently used as part of the two-factor authentication process, fraudsters can use SIM-swapping to target enterprise data. At a time when many employees continue to work remotely and rely on smartphones and other mobile devices to perform their jobs, both personal data and enterprise-level data can be accessed on the same device.
The good news is that this type of attack is more difficult and time-consuming for hackers, so they will target people or companies with enough money or assets to make it worthwhile for them.
As always, stay vigilant and trust your gut; if an interaction or communication seems strange, protect yourself – and your organization.
Further reading:
SIM-Swapping Attacks Threaten Enterprises as Much as Consumers | Dice.com Career Advice