The inadequacy of passwords alone to protect logins to applications and services led many businesses to strengthen access with extra authentication factors. In trying to balance security with user experience, many opted for one-time codes sent by SMS to the user's smartphone as a convenient second factor for verifying identity.
Ever keen to adapt their tactics, today's threat actors have found a way to exploit this reliance on phone numbers as an authentication factor: SIM swapping attacks. Read on to find out what SIM swapping attacks are and how to protect yourself.
SIM swapping attacks occur when a fraudster convinces a mobile carrier to move a victim's phone number and account to a new SIM card under the fraudster's control. A subscriber identity module (SIM) is a small card (or embedded chip) that stores the subscriber identity and keys tying a customer's account, and with it their phone number, to the carrier's network; whichever SIM the carrier associates with the number receives that number's calls and texts. Social engineering is central to the success of SIM swapping attacks because the threat actor must convincingly impersonate the victim and persuade the carrier's customer service agent to make the change.
Often, the pretext used in these scams is to call the carrier and tell the customer service agent that the SIM has been lost or damaged. The threat actor then asks for the customer's phone number to be activated on a new SIM that they have bought in a store. Another common pretext is that the customer has purchased a new device which requires a different type of SIM card.
Some carriers have extra security measures in place to verify a customer's identity before moving a phone number and account to a different SIM card. The usual process is to ask for a date of birth, an address or perhaps an account personal identification number (PIN). Unfortunately, threat actors can often obtain this information about individual victims through a range of methods, including online searches, data leaked on dark web forums, malware and phishing emails.
When a SIM swapping attack succeeds, the attacker effectively takes over the victim's mobile phone account and receives any text messages or phone calls intended for that person, including one-time login codes sent by SMS. This hijacking of mobile phone numbers is bad news for a number of reasons:
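To make the mechanism concrete, here is an added example (not code from the original article) that models what a SIM swap does to an SMS one-time code versus an app-based code. The carrier, service, user and phone number are constructed toys; the TOTP routine is the standard RFC 6238 algorithm that authenticator apps implement, and it is checked against the RFC's published test vector. The point it shows: an SMS code is bound to a phone number, and the carrier sends it to whichever SIM currently holds that number, so after the swap the attacker reads it and passes the second factor; a TOTP secret lives on the victim's device, never passes through the carrier, and survives the swap.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the 30-second time counter), as an authenticator app computes it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Carrier:
    """Constructed toy carrier: a phone number is routed to whichever SIM currently holds it."""

    def __init__(self):
        self.number_to_sim = {}
        self.inbox = {}  # sim_id -> list of SMS delivered to that SIM

    def provision(self, number: str, sim_id: str) -> None:
        self.number_to_sim[number] = sim_id

    def port_number(self, number: str, new_sim_id: str) -> None:
        """The SIM swap: once the agent is convinced, traffic for `number` goes to `new_sim_id`."""
        self.number_to_sim[number] = new_sim_id

    def deliver_sms(self, number: str, text: str) -> None:
        self.inbox.setdefault(self.number_to_sim[number], []).append(text)

    def read_inbox(self, sim_id: str) -> list:
        return list(self.inbox.get(sim_id, []))


class Service:
    """Constructed toy web service offering SMS OTP and app-based TOTP as second factors."""

    def __init__(self, carrier: Carrier):
        self.carrier = carrier
        self.phone = {}        # user -> enrolled phone number
        self.pending = {}      # user -> outstanding SMS code
        self.totp_secret = {}  # user -> shared TOTP secret (copy also on the user's device)

    def enroll_sms(self, user: str, number: str) -> None:
        self.phone[user] = number

    def send_sms_otp(self, user: str) -> None:
        code = str(secrets.randbelow(10 ** 6)).zfill(6)
        self.pending[user] = code
        # The service only knows a number; the carrier decides which SIM gets the text.
        self.carrier.deliver_sms(self.phone[user], f"Your login code is {code}")

    def verify_sms_otp(self, user: str, code: str) -> bool:
        ok = hmac.compare_digest(self.pending.get(user, ""), code)
        if ok:
            self.pending.pop(user, None)  # single use
        return ok

    def enroll_totp(self, user: str, secret: bytes) -> None:
        self.totp_secret[user] = secret  # provisioned once (QR code) to the user's authenticator app

    def verify_totp(self, user: str, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(totp(self.totp_secret[user], unix_time), code)


def simulate_sim_swap(now: int = 59, device_secret: bytes = b"12345678901234567890") -> dict:
    """Run the attack against both factors. Defaults are the RFC 6238 test-vector secret and time
    so the run is deterministic; the phone number and names are made up."""
    carrier = Carrier()
    service = Service(carrier)
    carrier.provision("+15550100", "victim-sim")
    service.enroll_sms("alice", "+15550100")
    service.enroll_totp("alice", device_secret)  # the secret stays on alice's phone, not at the carrier

    # Attacker social-engineers the carrier into activating alice's number on their own SIM.
    carrier.port_number("+15550100", "attacker-sim")

    # Attacker starts a login; the SMS factor is routed to the attacker's SIM, not the victim's.
    service.send_sms_otp("alice")
    stolen_code = carrier.read_inbox("attacker-sim")[-1].split()[-1]
    sms_bypassed = service.verify_sms_otp("alice", stolen_code)
    victim_received_sms = bool(carrier.read_inbox("victim-sim"))

    # App-based TOTP: the swap gives the attacker nothing to read, so they can only guess.
    attacker_totp_ok = service.verify_totp("alice", "000000", now)
    victim_totp_ok = service.verify_totp("alice", totp(device_secret, now), now)

    return {
        "sms_otp_accepted_from_attacker": sms_bypassed,
        "victim_received_sms": victim_received_sms,
        "attacker_totp_accepted": attacker_totp_ok,
        "victim_totp_accepted": victim_totp_ok,
    }


if __name__ == "__main__":
    for key, value in simulate_sim_swap().items():
        print(f"{key}: {value}")
```

The toy carrier has no notion of "the customer's real phone"; it only has a number-to-SIM mapping, which is exactly what the customer service agent changes. That is why the SMS factor offers no resistance once the swap is done, while the TOTP secret, which the carrier never holds, is unaffected.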
A February 2022 FBI public service announcement highlighted an increase in SIM swapping schemes targeting U.S. citizens. These schemes typically involved stealing money from fiat (government-issued currency not backed by a commodity such as gold) and virtual currency accounts. In 2021 alone, the FBI’s Internet Crime Complaint Center (IC3) received over 1,600 complaints about SIM swapping attacks, the losses from which added up to over $68 million.
Probably the most high-profile example of a SIM swapping attack occurred in 2019 when hackers broke into Twitter chief executive Jack Dorsey’s own Twitter account. Actor Jessica Alba and civil rights activist DeRay Mckesson were other high-profile victims.
In 2021, 10 individuals who formed part of an international SIM swapping crime ring were arrested after stealing up to $100 million from U.S. citizens. These SIM swapping attacks targeted thousands of individuals, from influencers to sports stars and their families. A year-long collaborative investigation between law enforcement agencies in five nations resulted in the 10 arrests.
SIM swapping attacks understandably cause concern among cybersecurity leaders, researchers and the general population. In a landscape of complex cyber threats, SIM swapping is frighteningly simple to carry out while also being highly effective, as the FBI's figures and the high-profile nature of some victims both demonstrate.
So, what can actually be done to protect against SIM swapping attacks? Here are some tips.