SIM Swapping Attacks – What They Are and How to Protect Yourself

The inadequacy of passwords alone to protect logins to applications and services led many businesses to strengthen access using extra authentication factors. In trying to balance security with user experience, many businesses opted for one-time codes sent to smartphones as a second, convenient way to verify user identities.

Ever keen to adapt their tactics, today’s threat actors have devised a way to exploit this reliance on smartphones as an authentication factor: SIM swapping attacks. Read on to find out what SIM swapping attacks are and how to protect yourself.

What Are SIM Swapping Attacks?

SIM swapping attacks occur when a fraudster convinces a mobile carrier to switch a victim’s phone number and account to a new SIM card under the fraudster’s control. A subscriber identity module (SIM) is a card that acts as a portable memory chip, storing information that associates a particular device with a customer account. Social engineering techniques are central to the success of SIM swapping attacks because threat actors need to convincingly impersonate the victim and persuade the mobile phone carrier’s customer service agent to make the change.

Often, the pretext used in these scams is to call the phone carrier and inform the customer service agent about a lost or damaged SIM. The threat actor then requests porting the customer’s phone number to a new SIM that they’ve bought at the store. Another potential pretext is that the customer apparently purchased a new device which requires a different type of SIM card.

Some phone carriers have extra security measures in place to verify a customer’s identity before moving any phone number and account to a different SIM card. The usual process is to ask for a date of birth, an address or perhaps a personal identification number (PIN) for verification. Unfortunately, threat actors tend to find this information about individual victims using a range of possible methods, including online searches, dark web data leaks, malware and phishing emails.

Potential Consequences of SIM Swapping Attacks

When SIM swapping attacks are successful, attackers can then take over a customer’s mobile phone account and receive any text messages or phone calls intended for that person. This hijacking of mobile phone numbers is bad news for a number of reasons:

  • Bypassing MFA: Multifactor authentication plays an important role in modern authentication by requiring two or more categories of evidence to verify user identities at the point of logging in to apps and services. In a world where a username-password pair combined with a one-time code sent to a smartphone is the most prevalent MFA implementation, seizing control of someone’s phone number can help to bypass MFA (as long as the fraudster also possesses the victim’s username and password).
  • Smishing: Another consequence of SIM swapping attacks is the potential for conducting further social engineering tactics, such as smishing. After partly assuming a particular person’s identity by taking control of their phone number, threat actors can send text messages to the victim’s contacts, such as coworkers, and get them to reveal confidential information.
  • Fraud: When online banking, cryptocurrency or other financial accounts are linked to particular phone numbers, there is also the potential for fraudsters to initiate fraudulent transactions.

SIM Swapping Attacks: Statistics and Incidents

A February 2022 FBI public service announcement highlighted an increase in SIM swapping schemes targeting U.S. citizens. These schemes typically involved stealing money from fiat (government-issued currency not backed by a commodity such as gold) and virtual currency accounts. In 2021 alone, the FBI’s Internet Crime Complaint Center (IC3) received over 1,600 complaints about SIM swapping attacks, the losses from which added up to over $68 million.

Probably the most high-profile example of a SIM swapping attack occurred in 2019 when hackers broke into Twitter chief executive Jack Dorsey’s own Twitter account. Actor Jessica Alba and civil rights activist DeRay Mckesson were other high-profile victims.

In 2021, 10 individuals who formed part of an international SIM swapping crime ring were arrested after they stole up to $100 million from U.S. citizens. These SIM swapping attacks targeted thousands of individuals, from influencers to sports stars and their families. A year-long collaborative investigation between law enforcement agencies in five nations resulted in the 10 arrests.

How to Protect Against SIM Swapping Attacks

SIM swapping attacks understandably cause concern among cybersecurity leaders, researchers and the general population. In a landscape of complex cyber threats, SIM swapping is frighteningly simple to carry out while also being quite effective, as the statistics released by the FBI and the high-profile nature of some victims both demonstrate.

So, what can actually be done to protect against SIM swapping attacks? Here are some tips.

  • Businesses should consider alternative multifactor authentication implementations that are harder to exploit. Tying application logins to biometric scans or to tokens in a user’s physical possession would bring extra security, with perhaps only a slight impact on user experience.
  • Individuals should limit the information they share on social media platforms, including professional networking sites like LinkedIn. It’s prudent to opt for the most restrictive privacy settings so that only existing friends can view certain information. Consider not posting certain information at all, such as phone numbers or addresses.
  • Effective password hygiene practices can help to ensure that people don’t expose their accounts to a potential takeover. These practices include not reusing the same passwords across multiple services and setting strong passwords that aren’t easily crackable.
  • Mobile phone carriers should invest appropriately in cyber training and awareness for customer-facing staff who handle SIM change requests. After all, the success of SIM swapping attacks is predicated on social engineering, and education can go a long way toward reducing the likelihood of success here.