Charles Edge

SIM Jacking And Why We Can't Have Nice Things...


SIM jacking and SIM swapping are types of fraud that involve taking control of a victim's phone number. This is done by convincing the victim's mobile phone carrier to port the number to a new SIM card, which the attacker then uses to receive texts on the victim's behalf. The ability to intercept SMS messages, make phone calls, and receive two-factor authentication (2FA) codes gives the attacker one authentication factor for online accounts such as bank, email, and social media accounts. In these cases, the attacker is after the time-based one-time password (TOTP) used to confirm that the user is who they say they are.

There are a few different ways that SIM jacking and SIM swapping are typically carried out. One is to use "social engineering" techniques to trick the victim's mobile phone carrier into porting their number to a new SIM card. The attacker may call the carrier and pretend to be the victim or send the victim a phishing email that contains a link to a fake website that looks like the carrier's website. If the victim clicks on the link and enters their personal information, the attacker can then use that information to port their number to a new SIM card.

Another method of SIM jacking and SIM swapping is to exploit vulnerabilities in the mobile phone carrier's systems. In 2019, a group of hackers was able to steal the phone numbers of over 100,000 T-Mobile customers by exploiting a vulnerability in the carrier's systems. Once the hackers had the victim's phone numbers, they were able to port them to new SIM cards and gain access to the victims' online accounts. We find that a lot of security experts look for fault in the victim, but in this case none of the victims did anything wrong.

There are a few things you can do to protect yourself from SIM jacking and SIM swapping:

  • Be careful about what information you share online. Don't share your personal information, such as your full name, address, and date of birth, on social media or other public websites.

  • Use strong passwords and two-factor authentication for all of your online accounts. Two-factor authentication adds an extra layer of security by requiring you to enter a code from your phone in addition to your password when you log in. Because the username and password are still required alongside the texted code, a stolen phone number on its own is not enough to get into the account.

  • Be suspicious of any calls or emails from your mobile phone carrier. If you receive a call or email from someone claiming to be from your carrier, hang up and call the carrier directly to verify the request.

  • Call immediately if you get locked out of any accounts. If you get locked out of your account for a given service (bank, credit card, etc.), immediately begin the flow to reset credentials, and if you don't get a reset email or PIN, then call. If the phone doesn't work, go straight to the store (don't stop at Go and collect $200 on the way) or call from another phone.

  • Look for emails about weird account activity. Many services send a notification when you log in from a new device, make a large transaction, or take other notable actions. This isn't just a convenience; it's a subtle (or sometimes not-so-subtle) check to make sure it was really you. Read those.

  • Keep your software up to date. Mobile phone manufacturers (and sometimes carriers) often release security updates that can help to protect your phone from vulnerabilities that could be exploited by attackers.

  • Use an option other than an SMS for 2FA codes. Some sites will allow users to choose to get codes using an email or even an app that is used just for 2FA codes.

  • Port freeze the SIM. This is a process where you call the carrier and tell them to freeze the ability to port a number to a new SIM. That'll have to be undone next time you get a phone, likely in person.

  • Use a SIM PIN code. This process is described in this article by Apple: https://support.apple.com/en-us/HT201529. Newer phones also support eSIM.
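The "weird account activity" emails in the list above come from server-side rules that compare each event against what the account normally does. The following is an added example, not code from the original post, of how a service might generate those alerts over a constructed event log: it flags logins from a device the account has never used and transactions above a threshold, and it goes one step beyond the text by also raising the priority of any alert that follows a recent change to the account's recovery phone number, which is the signal that matters most in a SIM-swap scenario. The JSON field names, the sample events, the threshold and the 24-hour window are all assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (JSON lines). These are not real logs; the field
# names and values are invented for the example.
SAMPLE_EVENTS = """
{"ts": "2023-03-01T09:00:00", "user": "alice", "event": "login", "device": "dev-A1"}
{"ts": "2023-03-01T09:05:00", "user": "alice", "event": "transaction", "amount": 40.00}
{"ts": "2023-03-02T22:10:00", "user": "alice", "event": "phone_change", "new_phone": "+15555550123"}
{"ts": "2023-03-02T22:12:00", "user": "alice", "event": "login", "device": "dev-Z9"}
{"ts": "2023-03-02T22:15:00", "user": "alice", "event": "transaction", "amount": 2500.00}
{"ts": "2023-03-02T22:20:00", "user": "bob", "event": "login", "device": "dev-B1"}
"""

# Hypothetical thresholds: a real service would tune these per account type.
LARGE_TRANSACTION = 1000.00
PHONE_CHANGE_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_events(events, large_txn=LARGE_TRANSACTION, phone_window=PHONE_CHANGE_WINDOW):
    """Walk events in chronological order and return the alerts a service would send.

    Each alert is a dict with the user, timestamp, reason, a detail value and an
    'escalate' flag that is True when the account's recovery phone number was
    changed within `phone_window` before the event.
    """
    known_devices = defaultdict(set)   # user -> set of device ids seen at login
    last_phone_change = {}             # user -> timestamp of most recent phone change
    alerts = []

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        user, kind = ev["user"], ev["event"]

        # Was the recovery phone changed recently (strictly before this event)?
        recent_change = user in last_phone_change and (ts - last_phone_change[user]) <= phone_window

        if kind == "login":
            device = ev["device"]
            if device not in known_devices[user]:
                # The very first device is enrollment, not a new-device login.
                if known_devices[user]:
                    alerts.append({"user": user, "ts": ts, "reason": "new_device_login",
                                   "detail": device, "escalate": recent_change})
                known_devices[user].add(device)
        elif kind == "transaction" and ev["amount"] >= large_txn:
            alerts.append({"user": user, "ts": ts, "reason": "large_transaction",
                           "detail": ev["amount"], "escalate": recent_change})
        elif kind == "phone_change":
            # Always tell the user (on the old contact channels) that the recovery
            # phone changed; then remember when it happened.
            alerts.append({"user": user, "ts": ts, "reason": "recovery_phone_changed",
                           "detail": ev["new_phone"], "escalate": recent_change})
            last_phone_change[user] = ts

    return alerts


def run_sample():
    """Run the rules over the constructed log and return the alerts."""
    return flag_events(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log the rules produce three alerts for alice: the phone change itself, then a new-device login and a large transaction, both escalated because they land minutes after the number changed. The first login for each user is treated as enrollment so that a brand-new account does not alert on itself.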

Another protection is to use a device that's eSIM capable. An eSIM, or embedded SIM, is a digital SIM card that is embedded directly into a device. Instead of a physical SIM card, which is a small, removable chip that stores your phone number and other account information, an eSIM is a software program that is installed on your device. This means that you can activate a cellular plan on your device without having to insert a physical SIM card.


eSIMs are more convenient and secure. eSIMs are more convenient than physical SIM cards because you can activate a cellular plan on your device without having to go to a store or contact your carrier. eSIMs are more portable than physical SIM cards because they are embedded in your device. This means that you can take your device with you and use it on different cellular networks without having to switch SIM cards. eSIMs are more secure than physical SIM cards because they are not removable. This means that your account information is less likely to be lost or stolen. eSIMs also mean there's just one less moving part to break on a device.


eSIMs have been slowly rolling out for a few years. They're currently supported on the following devices:

  • Phones: Apple iPhone XS and later, Google Pixel 2 and later, Samsung Galaxy S20 and later

  • Tablets: Apple iPad Pro (2018 and later), Samsung Galaxy Tab S7 and later

  • Watches: Apple Watch Series 3 and later, Samsung Galaxy Watch 4 and later

  • Laptops: Microsoft Surface Pro X

To see and use an eSIM on Apple devices, check out https://support.apple.com/en-us/HT212780. The short version: get an eSIM activation code from your carrier, open the Settings app in iOS, tap Cellular and then Add Cellular Plan, enter the code, and finish the process.


Many vendors also allow users to use two different eSIMs. This might mean one for work and another for home use. For more on that, see https://support.apple.com/en-us/HT209044.


eSIMs can be transferred. They support a process known as "Quick Transfer", but that is handled directly between phones. eSIMs can also be provisioned through QR codes and from within some carriers' apps. Mobile Device Management (MDM) software can manage some eSIM options as well, giving administrators more control over corporate-owned devices to protect and make use of eSIM; however, this still doesn't fully mitigate the risk.


A number of tools can now be used as a second factor for authentication instead of a text message containing a code. Many vendors have apps that produce the code once they've verified the user, often through an email and/or text exchange to validate identity. There's really no perfect way to secure these transactions. They also often require another factor (like a password) to have been compromised before a stolen phone number can be weaponized. However, anything that requires two factors is usually a juicier morsel for attackers than things secured by just one factor.


Having said all of this, it's worth noting that the targets are always moving. Attack email as a second factor, and people move on to one-time codes sent via SMS. Attack SMS, and people start using dedicated apps. Those still require us to prove our identity somehow. Some of the best systems involve a human in the process. It's not great, nor infinitely scalable like we like to think our SaaS businesses are, but it's another option.
