SIM Swap Attack – the New Hijack

SIM Swap Attack – the New Hijack

Imagine no texting, no service, and no data for a minute. Yikes! Halloween or not, the lack of being able to connect is a very scary thought and it can happen to any of us due to a tiny piece of plastic called a SIM card. There is a SIM (subscriber identity module) in every mobile device and it is what connects the user to a cellular network. Unfortunately, there is a wide-spread SIM swap hack that allows a thief to hijack your cell number.

 

Also known as a port out scam, simjacking, swim swapping, and SIM splitting … this latest scam can wreak havoc in all of your accounts associated with your mobile phone number. Everyone with a cell phone is at risk of this type of takeover. The PEW Research Center, a nonpartisan organization based in Washington D.C., reported this year that 96% of Americans have a cellular device and 92% of them go online daily. Considering that there are approximately 330 million Americans, that’s a pretty large target market from a hacking standpoint. No one is immune. A number of high profile attacks have occurred via Instagram and Twitter. The website wired.com reported that Twitter CEO Jack Dorsey’s own twitter account was hacked via this method this year.

 

What is a SIM Swap?

This type of scam is an account takeover fraud. It targets a weakness in two-factor authentication and two-step verification in which the second factor (step) is either a text message or a call placed to a mobile telephone. This is achieved by the fraudster impersonating the victim using personal details to appear authentic and claiming that they have lost their phone. The victim’s phone will then lose connection to the network and the fraudster will receive all the SMS and voice calls intended for the victim. This allows them to intercept any one-time passwords sent via text or telephone calls sent to the victim, and thus to circumvent any security features of accounts (such as bank accounts, social media accounts, etc.) that rely on text messages or telephone calls.

 

Damage from a SIM swap can have a snowball effect. Since the scammer would be armed with your login credentials, not only can they steal your money, take over your email and social media accounts, but they can lock you out of them all and open up a new cellular account in your name … or buy that new phone you’ve been eyeing for months but won’t have the joy of using yourself.

 

Is a SIM swap preventable?

No. It’s impossible to completely prevent someone from gaining access to your phone number through a SIM swap due to the fact that the scam requires no misstep on your part (such as clicking on a bogus link). All the scammer needs to do is convince your carrier that they are you and to transfer your phone number to their SIM. As described by Michael Grothaus with Fast Company, “There’s nothing inherently shady with doing a SIM card swap. If you lose your phone or your SIM card is damaged, for instance, you might go to a mobile carrier store or even call up customer service to have your number transferred to a new SIM.”

 

Even though you can’t prevent a swap from happening to you, there are ways to make it more difficult for a scammer. Grothaus suggests to use an authenticator app such as Authenticator by Google, Microsoft AuthenticatorLastPass Authenticator, and 1Password. A single authenticator app can handle all your authentication codes no matter how many different accounts you use.

 

Other courses of action you can do to help prevent a swap include:

– Limit the personal information you share online. Identity thieves will find information to answer the security questions you may have set up to verify your identity. For example, if one of your security questions is, “What is my high school mascot?” and you list your high school name on your Facebook account and that information is not on a private setting, it’s not difficult for a good sleuth to figure out your mascot’s name.

– Set up a PIN for your cellular account and do not share it with anyone.

– Do not reply to calls, emails and SMS messages that could be a phishing attempt to request your personal data. Make sure to read our blog “Accidentally Clicked on a Phishing Link – Now What” to get up-to-speed on phishing scams.

 

The Federal Trade Commission offers a few tips on what to do if you suspect that you’ve been swapped:

– First, contact your cellular service provider immediately to take control of your phone number. After you re-gain access to your phone number, change your account passwords.

– Check your banking, credit card and insurance statements for unauthorized charges or changes to your profile.

– Call your identity theft resolution provider. A Guard Well Member Services team professional is always on hand for you 24 hours a day, seven days a week and every day of the year … yes, even Halloween. There are enough tricks flying around. Here’s to receiving a treat this year!