What is SIM swapping?
May 3, 2022 / Knowledge

Do you think the only way to lose your phone is for someone to steal it? There is another kind of theft in which the device never leaves your pocket: the attacker takes your phone number instead. Here is how SIM swapping works and how to reduce the risk.

What is SIM swapping?

SIM swapping, also called a SIM swap scam or SIM hijacking, is a form of identity theft: a criminal takes over your phone number by persuading your carrier to move it to a SIM card they control.

The attack targets the weakest common form of two-factor authentication, the one-time code sent by text message. Once the number has been moved, those codes are delivered to the attacker instead of to you.


How does SIM swapping work?

Imagine you have lost your phone together with the SIM card in it. You would most likely call your mobile carrier and ask it to move your phone number to a new SIM card. In a SIM swap scam the attacker runs through exactly this scenario, impersonating you to the carrier.

The attack relies on social engineering. Before contacting the carrier, the attacker usually gathers information about you, and the easiest source is data already leaked in earlier breaches, combined from several of them.

For instance:

  • Data breach no. 1: your email and password;
  • Data breach no. 2: your name, social security number, and home address;
  • Data breach no. 3: your phone number.

After three such breaches the attacker holds a fairly complete profile and can answer most of the identity-verification questions a customer-service agent asks.

The carrier accepts the impersonation as a successful identity check and transfers your number to the attacker's SIM, cutting your own phone off the network. From that moment any SMS-based two-factor authentication code for your accounts is delivered to the attacker.

What risks does this attack pose?

The most serious risk of a SIM swapping attack is that the attacker receives every two-factor authentication code sent to your phone number by text message.

This is especially dangerous if you reuse passwords across services. Suppose the attacker already holds a working username and password from data breach no. 1. Every other account that shares that password is now open as well, including accounts that are "protected" by two-step verification, because the second step is an SMS code that the attacker now receives.

As a result, anything behind those accounts can be taken: personal data, business files and databases, social media profiles, or money in financial accounts.

Who can become a victim?

Anyone whose personal data has appeared in a breach can be targeted, and the method is particularly attractive to attackers when a phone number guards a high-value account.

For example, in August 2019 a SIM swapping attack was used to hijack the Twitter account of Twitter's then CEO, Jack Dorsey. The attackers used the access to post offensive messages from his account.

If your phone suddenly shows no service and you can no longer make calls or send SMS messages, or you start receiving emails about new logins or account changes that you did not make, you may be the victim of a SIM swap. Contact your mobile carrier immediately, from another phone or in person at a store, and then change the passwords on accounts that use your phone number for verification.


Is it possible to prevent SIM swapping attacks?

Unfortunately, there is no guaranteed way to keep your data out of every breach and leak. Some measures do, however, reduce the chance that a leak turns into a successful SIM swap:

  1. Call or visit your mobile carrier and set (or reset) a PIN or passphrase on your mobile account, so that a number transfer requires it. Choose a long, non-obvious value; never your date of birth, social security number, or another fact that appears in breach data.

  2. Where an account offers a choice of second factors, use an authenticator app such as Authy or Google Authenticator, or a hardware security key, and turn off SMS as a fallback where the service allows it. A code generated on your own device from a secret it holds cannot be redirected by a carrier.

  3. Never reuse a password on more than one account. A password leaked in one breach should not open anything else, and it should certainly not combine with a hijacked number to open an account you care about.

  4. Use a password manager to store all your passwords, including the mobile account PIN from step 1.

  5. Ask your mobile carrier whether it offers a call-back check. If someone tries to change your account or move your number, the support agent first calls the existing number; if you answer, the carrier knows that the person requesting the change is not you.