SIM swapping (also known as SIM swap scam, port-out scam, SIM splitting, Smishing, and simjacking) is a type of account takeover cybercrime in which an unauthorized individual gains control of a victim’s phone number; the victim may be an individual or an organization. It exploits a weakness in two-factor authentication and two-step verification schemes in which the second factor or step is a text message (SMS) or a call placed to a mobile telephone.
How does it work?
SIM swapping exploits a mobile phone service provider’s ability to seamlessly port a phone number to a device containing a different subscriber identity module (SIM). The process involves the following steps:
Information Gathering:
The attacker begins by collecting information about the target. This may include the victim’s full name, phone number, email address, and other personal details. They may obtain this information through online research, data breaches, or phishing attacks.
Contacting the Mobile Carrier:
Armed with the victim’s personal information, the attacker contacts the victim’s mobile cellular service provider. They typically pose as the legitimate owner of the phone number.
Social Engineering:
During the call or contact with the Service Provider, the attacker employs social engineering tactics to convince the Service Provider’s customer service representative that they are the genuine account holder. They may claim to have lost their phone or SIM card, need a replacement due to damage, or cite other plausible reasons for needing a new SIM card.
Verification:
To further convince the Service Provider, the attacker may provide personal information or answers to security questions associated with the victim’s account. They may also exploit any weaknesses in the service provider’s verification process.
Issuing a New SIM Card:
Believing the attacker’s story, the carrier issues a new SIM card to the attacker. In doing so, they deactivate the victim’s legitimate SIM card. The new SIM card has the same phone number as the victim’s.
Activation and Control:
The attacker inserts the new SIM card into a device of their own. This effectively transfers control of the victim’s phone number to the attacker. The victim’s phone loses network connectivity as its SIM card is no longer active.
Exploitation:
With control of the victim’s phone number, the attacker can:
- Intercept calls and text messages intended for the victim.
- Receive two-factor authentication (2FA) codes sent via SMS, allowing them to access the victim’s accounts.
- Reset passwords for various online accounts linked to the phone number.
- Engage in fraudulent activities or conduct identity theft.
Further Exploitation:
The attacker may use the compromised phone number to gain access to the victim’s email, social media accounts, financial accounts, and more. They can change passwords, lock the victim out of their accounts, and commit various forms of fraud.
Covering Tracks:
To avoid detection, the attacker may attempt to cover their tracks by changing settings, deleting messages, or disconnecting the compromised phone number from the victim’s accounts.
High-profile past incidents
2019 – Former Twitter CEO Jack Dorsey’s Twitter account was hacked using SIM swapping.
2020 – In May 2020, a lawsuit was filed against Ellis Pinsky, an 18-year-old Irvington High School senior in Irvington, New York, who was accused alongside 20 co-conspirators of swindling digital currency investor Michael Terpin – the founder and chief executive officer of Transform Group – of $23.8 million in 2018, when the accused was 15 years old, through the use of data stolen from smartphones by SIM swaps. The lawsuit was filed in federal court in White Plains, New York, and asked for triple damages.
2021 – The FBI received 1,600 complaints about SIM-swapping in 2021, a sharp increase from the three previous years.
2023 – In August 2023, New York-based financial company Kroll reported that a cyber threat actor had targeted a T-Mobile US, Inc. account belonging to a Kroll employee in a highly sophisticated “SIM swapping” attack. According to the statement by Kroll, ‘T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request. As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.’ However, action was taken immediately to secure the three affected accounts.
What to do
The recent incident reported by Kroll has renewed attention to the security practices that reduce exposure to this kind of attack. These include:
Enable a PIN or Passphrase for SIM Card Changes:
Contact your mobile carrier and request the activation of a Personal Identification Number (PIN) or passphrase for any changes to your SIM card or account. This extra layer of security ensures that only you can authorize SIM card replacements.
Use Stronger Authentication Methods:
Avoid relying solely on SMS-based two-factor authentication (2FA) for your accounts. Instead, use app-based authentication, hardware tokens, or other more secure methods for 2FA. Apps like Google Authenticator or Authy are more resistant to SIM swapping attacks.
Secure Your Personal Information:
Be cautious about sharing personal information online, especially on social media and public forums. Cybercriminals often gather details about their targets to facilitate SIM swapping attacks.
Monitor Your Accounts:
Regularly review your financial and online accounts for unusual or suspicious activity. If you notice any unauthorized changes or transactions, take immediate action to secure your accounts.
Implement Account Security Features:
Enable additional security features provided by online services and accounts, such as email and social media platforms. These may include two-step verification, login alerts, and recovery options.
Use a Separate Email for Account Recovery:
Create a dedicated and secure email account that is not publicly associated with your phone number. Use this email for account recovery purposes to reduce the risk of attackers gaining access to your accounts via email.
Limit Personal Information Exposure:
Minimize the amount of personal information available online. Avoid using your phone number as the primary contact for online accounts when possible.
Educate Yourself and Others:
Stay informed about the latest cybersecurity threats and educate your friends and family about SIM swapping and other security risks. Encourage them to take precautions as well.
Use a Secure Mobile Device:
Keep your mobile device secure by using strong passwords or biometric authentication methods. Regularly update your device’s operating system and apps to patch known vulnerabilities.
Consider a Virtual Phone Number:
If possible, consider using a virtual phone number for online accounts and services. Virtual numbers are not tied to a physical SIM card and can provide an added layer of security.
Check with Your Mobile Carrier:
Periodically check with your mobile carrier to ensure that no unauthorized changes have been made to your account. Ask them to review any recent account activity if you suspect foul play.
Report Suspicious Activity:
If you suspect that your phone has been compromised or you notice unusual activity on your accounts, contact your mobile carrier and report the issue immediately. Similarly, report any fraudulent activity to the relevant authorities.
Have a security incident to report? Send an email to help@cchub.africa