Sim hijacking / swapping
A SIM card, also known as a subscriber identity module, is a smart card that stores data for GSM cellular telephone subscribers. Such data includes user identity, location and phone number, network authorization data, personal security keys, contact lists, and stored text messages. Your SIM card identifies your device when connecting to your cell network, but it also reveals your identity to various services.
SIM swapping is essentially the process of hackers activating your number onto a SIM card of their possession. The process helps them take over your phone number, so next time someone tries to access your online banking account, the cyber criminals are the ones receiving the verification passcode instead of you. This is usually effective when someone wants to reset your password or already knows your password and wants to go through the 2-step verification process. This is called SIM hijacking but is also known as SIM swapping and SIM hacking.
When you call your wireless carrier over the phone, the operator usually goes through a quick verification process with you. They often ask for your full name, address, phone number, DOB, and passcode or the last four digits of your social. All of this information has leaked at some point in the past so hackers might have purchased the data from the dark web or might have used other social-engineering ways to get the needed details.
What could be at risk
- Access to online banking, investing, and other accounts
- Access to social media accounts
- Access to your online property (domain names, social vanity names, etc.)
- Access to apps on your phone
- Access to your phone contacts
- Access to your PII - Name, address, DOB, etc.
- Mobile App Accounts. Use a 2FA option that isn't SMS-based, such as an authentication app on your smartphone. Using text messages(SMS) as a second factor is no longer considered safe. Criminals can bypass two-factor authentication by stealing your phone, phone sim card, or phone number to intercept those one-time verification codes sent to that mobile number by text, email, or phone call. You can go a step further by using a physical token or security key such as a YubiKey or a Titan Security Key, which connects to a computer via USB or wirelessly. You can set up these keys as the second factor for many services. Then when you log in you will have to provide your password and insert the token into your computer and press a small button on the key itself to log in.
- Extra security at your carrier. Proactively harden your account with your cell phone provider. Call their customer support line and inquire about additional steps that are available to ensure that even if someone has all of your information that another piece of information would be needed to prevent unauthentic requests. Ask them if they allow additional security questions or PIN code options for any changes to the account.
- Set a PIN code for your SIM card to protect it in case of theft. You (or anyone with access to your SIM card) will need to enter this PIN anytime you restart your phone or put your SIM card into a new phone. Make sure to store it somewhere safe—and if you can’t remember your code, don’t try to guess it, because too many failed attempts can lock you out of the account.
- Be vigilant in about communications you receive. Watch out for phishing attempts, alert messages from financial institutions, and texts in response to two-factor authorization requests.
- Don't link your mobile number to online accounts. Once hackers steal your phone number, they leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses two-factor authentication. That’s why having control of a phone number is so powerful. Avoid using your personal cell phone number for all your accounts. Use alternate numbers provided through these options for your online accounts, so they aren’t directly tied to your phone’s SIM card. If possible, you should remove your phone number from any account that could interest hackers. You can still link a type of phone number to those accounts, but we suggest using a VoIP number, such as a Google Voice number, that is SIM hijack-proof. Of course, you must protect this number as well, using a unique password, two-factor authentication on the account, and making sure it doesn’t expire if you don’t use it regularly.
Immediate Actions to Stop SIM Swap Fraud
- Contact Your Mobile Carrier: As soon as you suspect a SIM swap (e.g., your phone shows "Emergency Calls Only"), contact your mobile service provider. Inform them about the potential fraud and ask them to deactivate the new SIM card that the hacker might be using.
- AT&T: 1-800-331-0500 or 611 from an AT&T mobile phone.
- Verizon Wireless: 1-800-922-0204 or *611 from a Verizon mobile phone.
- T-Mobile: 1-800-937-8997 or 611 from a T-Mobile mobile phone.
- Sprint (Now part of T-Mobile): For Sprint customer service, use the T-Mobile customer service number, as Sprint has merged with T-Mobile.
- U.S. Cellular: 1-888-944-9400 or 611 from a U.S. Cellular mobile phone.
- Change Online Account Passwords: Quickly change the passwords for your important online accounts, especially for banking, email, and social media. Ensure these passwords are strong and unique.
- Enable Non-SMS Two-Factor Authentication: Switch to app-based or hardware token-based two-factor authentication for all accounts that offer it, as SMS-based 2FA can be compromised in SIM swap attacks.
- Notify Financial Institutions: If your financial accounts could be compromised, inform your banks and credit card companies about the fraud. They can monitor your accounts for suspicious activities and replace your cards if necessary.
- File a Police Report: Report the incident to the police. This can be crucial for identity theft cases and may help in recovering any lost funds.
- Alert Credit Bureaus: Contact credit bureaus to set up fraud alerts or credit freezes. This prevents the opening of new accounts in your name.
Long-Term Recovery and Prevention Steps
- Review Account Activities: Regularly review your bank and credit card statements for any unauthorized transactions. Report any discrepancies immediately.
- Educate Yourself and Employees: If you're a business manager, educate your team about SIM swapping. Awareness can prevent such attacks from happening in the first place.
- Secure VoIP Numbers: If using a VoIP number like Google Voice for 2FA, secure it with a strong password and enable 2FA on the VoIP account itself.
- Regularly Update Security Information: Keep your security questions, backup email addresses, and recovery phone numbers updated and secure.
- Stay Informed: Keep abreast of new security threats and protection measures. Cybersecurity is an ever-evolving field, and staying informed is key to protection.