SIM Swapping
Our everyday activities have become increasingly reliant on mobile phone connectivity. Even where a phone is not directly involved in a transaction, it may be required for an identity confirmation process such as Two Factor Authentication (2FA). The SIM swap attack revolves around convincing a mobile operator to switch access to an account to another phone. This is not an unreasonable request; the SIM owner may want to replace a lost, damaged or upgraded phone but keep personal records, including the phone number, associated with the original device. Any fraudster who can successfully convince the provider of their authenticity will have the privileges of a compromised card transferred to a new SIM on a device that they control.
Possession of a genuine active card can provide a criminal with a shortcut to hacking, as some information, including the phone number, is stored on the card, and whatever else might be present gives the hacker a leg up when attempting to impersonate the account holder. When a SIM does need to be replaced, such as when upgrading a phone, hold onto the old card until the new one has been activated and then destroy the original.
Many modern phones and wearable connected devices support a virtual eSIM, with some no longer having a physical SIM card slot. This has advantages in allowing several networks to be supported without needing to swap out a card. It does make it easier to add or change networks and, although the eSIM is permanently part of a device, control is still governed by account credentials. Hijacking an account linked to an eSIM is not going to be much harder than with a physical card.
An early indication of a successful SIM swap would be the inability to make calls or send texts from the original device. Further signs could be a loss of access to other controls and unauthorised online transactions cropping up. The original owner then has the possibly tricky problem of convincing the service operator and any affected accounts that they are indeed themselves, that they did not authorise any changes and that they are not themselves part of a scam to avoid paying their own debts.
Any attempt to swap a SIM is going to require successful social engineering attacks beforehand to gather enough information about the mark to fool a mobile service provider. This should be hard but is clearly still happening. In March 2023 Jordan Persad from Florida, USA was sentenced to 30 months in gaol and ordered to pay $945,833 for his part in a SIM swapping operation. In this example fraudsters obtained files of email address and password combinations, accessed webmail and gained enough details on mobile account numbers to transfer ownership to their own SIM cards. This information was subsequently used to drain almost $1 million in cryptocurrency from online wallets associated with the accounts. A SIM swap on a Tesco Mobile account in February 2022 illustrates how criminals took control of a SIM and used it to take out £40,000 in cash and loans from the victim’s bank account, all one-time confirmation and security details having been handled through the stolen phone number.
The chances of successful SIM swapping can be reduced by an awareness of social engineering attacks such as phishing but there are other measures that will specifically protect transactions through a mobile account. 2FA may require use of a phone number to send confirmation details but the risk can be reduced by choosing a biometric identifier such as a fingerprint rather than a confirmation code which might be intercepted by a cloned device. Applications such as Google Authenticator reside on a mobile phone but rely on access keys stored on that device only and cannot be transferred.
A suspected instance of a SIM swap should be reported to the service provider. Passwords should be changed on accounts over which the holder still has control. Any access that depends on the original device for authentication should also be revoked. Data held on a phone should be regularly backed up, but not on a cloud service linked to the phone account, as this could be accessed following theft of that account. With all sensitive data securely backed up, Google's or Apple's lost-device procedures can safely be used to erase all data on a phone.