Sim hijacking / swapping
Page Article
A SIM card, also known as a subscriber identity module, is a smart card that stores data for GSM cellular telephone subscribers. Such data includes user identity, location and phone number, network authorization data, personal security keys, contact lists, and stored text messages. Your SIM card identifies your device when connecting to your cell network, but it also reveals your identity to various services.
SIM swapping is essentially the process of hackers activating your number onto a SIM card of their possession. The process helps them take over your phone number, so next time someone tries to access your online banking account, the cyber criminals are the ones receiving the verification passcode instead of you. This is usually effective when someone wants to reset your password or already knows your password and wants to go through the 2-step verification process. This is called SIM hijacking but is also known as SIM swapping and SIM hacking.
When you call your wireless carrier over the phone, the operator usually goes through a quick verification process with you. They often ask for your full name, address, phone number, DOB, and passcode or the last four digits of your social. All of this information has leaked at some point in the past so hackers might have purchased the data from the dark web or might have used other social-engineering ways to get the needed details.
What could be at risk
- Access to online banking, investing, and other accounts
- Access to social media accounts
- Access to your online property (domain names, social vanity names, etc.)
- Access to apps on your phone
- Access to your phone contacts
- Access to your PII - Name, address, DOB, etc.
- Mobile App Accounts. Use a 2FA option that isn't SMS-based, such as an authentication app on your smartphone. Using text messages(SMS) as a second factor is no longer considered safe. Criminals can bypass two-factor authentication by stealing your phone, phone sim card, or phone number to intercept those one-time verification codes sent to that mobile number by text, email, or phone call. You can go a step further by using a physical token or security key such as a YubiKey or a Titan Security Key, which connects to a computer via USB or wirelessly. You can set up these keys as the second factor for many services. Then when you log in you will have to provide your password and insert the token into your computer and press a small button on the key itself to log in.
- Extra security at your carrier. Proactively harden your account with your cell phone provider. Call their customer support line and inquire about additional steps that are available to ensure that even if someone has all of your information that another piece of information would be needed to prevent unauthentic requests. Ask them if they allow additional security questions or PIN code options for any changes to the account.
- Set a PIN code for your SIM card to protect it in case of theft. You (or anyone with access to your SIM card) will need to enter this PIN anytime you restart your phone or put your SIM card into a new phone. Make sure to store it somewhere safe—and if you can’t remember your code, don’t try to guess it, because too many failed attempts can lock you out of the account.
- Be aware and act fast. Watch out for unexpected “Emergency Calls Only” status. Call your mobile phone company if your phone suddenly switches to "emergency call service only" or something similar. That's what happens when your phone number has been transferred to another phone.
- Be vigilant in about communications you receive. Watch out for phishing attempts, alert messages from financial institutions, and texts in response to two-factor authorization requests.
- Don't link your mobile number to online accounts. Once hackers steal your phone number, they leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses two-factor authentication. That’s why having control of a phone number is so powerful. Avoid using your personal cell phone number for all your accounts. Use alternate numbers provided through these options for your online accounts, so they aren’t directly tied to your phone’s SIM card. If possible, you should remove your phone number from any account that could interest hackers. You can still link a type of phone number to those accounts, but we suggest using a VoIP number, such as a Google Voice number, that is SIM hijack-proof. Of course, you must protect this number as well, using a unique password, two-factor authentication on the account, and making sure it doesn’t expire if you don’t use it regularly.