24 Sep SIM Swap Fraud: The Latest Battle In The War For Your Identity
This type of attack gives criminals access to anything your phone number is linked to, including your email and bank accounts
– Casey Crane
St. Petersburg, Fla. – Sep. 24, 2019
In our connected world, mobile devices are everything. We use iPhones, Androids, and other such devices for communication, work, banking, and entertainment. Phones are used to capture and store memories in videos and pictures. They help us manage the private files in our cloud storage accounts and organize our lives. SIM cards, small chip-containing cards within our mobile phones, are what allow us to do all of these things and stay connected with family and friends no matter the physical distance.
But what happens when use of these cards is stolen from us? That’s one of the many questions that the victims of SIM swap fraud, or what’s referred to as a SIM swap attack, face each day.
To understand what a SIM swap attack is, you need to understand what SIM cards are and how they are affected by SIM swap scams. In this article, we’ll cover all of these things, share insights from a SIM swap fraud victim, and address how you can protect yourself from this type of crime.
What is a SIM Card and Why is it So Important?
First, let’s cover what a SIM card is. A SIM card, which stands for a subscriber identity module card, essentially is your phone’s unique identifier. It’s the equivalent of your phone’s passport or ID card. It’s a small chip-containing card that’s used by cellular providers to individually identify each of us as subscribers and allow us to communicate with their specific mobile networks. This tiny piece of tech allows us to use our mobile devices to make phone calls, send or receive text (SMS) messages, and take advantage of 3G, 4G, and 5G networks.
In many countries, SIM cards are locked to specific cellular carriers. However, not all SIM cards are limited to specific carriers. Some are mobile, meaning that you can simply remove the card and place it in an upgraded or replacement phone without issue.
There’s also a function that most (if not all) major carriers can perform that helps customers get connected quickly in the event that something happens to their phone. This capability, known as SIM swapping, is a useful function that allows you to transfer your mobile account from one SIM card to another. This comes in handy if you’ve accidentally lost your phone or somehow damaged your SIM card.
However, this useful tool also doubles as a security risk when cybercriminals decide to use it to their advantage. This is what’s known as SIM swap fraud, SIM swap attack, or phone account hijacking.
What is SIM Swap Fraud?
Never heard of any of these terms? You’re not alone. What may come as a surprise is that this seemingly high-tech con job is thought to have been around for the better part of a decade. However, it seems to have only started picking up traction in recent years. SIM swap fraud increased significantly in 2017 and 2018 but seemed to have cooled temporarily in the first half of 2019.
Over the summer, however, there was a criminal SIM swapping spree that targeted people within the cryptocurrency community. This is because SIM swap fraud is a highly profitable venture. Data from the Cisco / Cybersecurity Ventures 2019 Cybersecurity Almanac indicates that SIM swapping attacks have resulted in the theft of tens of millions of dollars’ worth of cryptocurrency.
An Example of a Real-Life SIM Swap Attack
Rob Ross, an Apple developer turned Silicon Valley businessman and blockchain / cryptocurrency investor, was one such unlucky victim. One million dollars, the majority of his life savings, was stolen from his accounts within minutes. What’s worse is that he was watching it happen in real time and could do nothing to stop it.
“I looked at my phone… and saw a withdraw request notification, and I thought ‘that’s odd, I hadn’t made a withdraw request,’” says Ross, who explains that the request came from one of his financial institutions. “I looked up from my phone to my computer and noticed that I was literally being logged out of my Gmail in real time. And I looked back down at my phone, I clicked through my lock screen and saw that I had no service. Not just no bars, but no service.”
The hacker — or hackers — ended up taking over his Gmail, his Dropbox accounts, and even his two-factor authentication (2FA) app, Authy. Having access to Authy provided the attacker(s) with a list of all the apps that Ross used the 2FA app to secure.
Ross says that even with his background as vice president of business development at two digital security companies, it didn’t prepare him for this type of attack.
“What happened to me can happen to anyone,” says Ross.
Everyone who has a cell phone is susceptible to SIM swap attacks — even celebrities and other hackers. Twitter CEO Jack Dorsey, a former hacker, recently made headlines when his Twitter account was taken over due to a SIM swap fraud.
How a SIM Swap Attack Occurs
SIM swap fraud can be performed by one person or a group of criminals working together to achieve their goal.
A SIM swap crime itself is typically a two-pronged attack:
- An attacker collects your personal information, such as your name, phone number, address, passwords, security question answers, and other personal information.
- The attacker uses that information to trick or convince an employee who works for your mobile provider into believing that they’re you. Then the criminal gets the employee to port your number to their device. Getting access to your basic information isn’t necessarily difficult considering that much of it has likely already been exposed during the data breaches that affected Experian, Yahoo, Marriott, and other companies in recent years. Cybercriminals also can find additional information about you via your social media accounts, by hacking old email addresses you no longer use, and through phishing and the use of social engineering tactics.
However, in some cases, the cellular service employees are too lax in their security requirements. Or, some hackers have been bribed or colluded with employees to get them to intentionally perform fraudulent SIM card swaps.
Regardless of how they get it, once the criminal has control of your cell phone number, they can quickly gain access to any accounts your phone number is connected to. Any text messages or calls that would normally go to your phone now go to the criminal’s phone. This means that if your phone number is linked to your email for authentication purposes, the attacker can effectively gain access to your email and lock you out of it. They can then use your email to change your passwords to any accounts linked to it, such as your banking or financial accounts. They also can use your mobile number to bypass any security measures such as 2FA and one-time verification codes for those accounts as well.
Ross says that the fraudulent SIM swap, the takeover of his accounts, and theft of his life savings took no more than 20 minutes. Because the hackers got access to his Dropbox, they also gained access to copies of his and his daughter’s driver’s licenses, birth certificates, and passports, which means that they both continue to be at risk of identity theft.
You’re Not Alone: There’s a Resource for Victims of SIM Swapping Fraud
As a result of the SIM swapping attack that affected him and his family, Ross decided to create a centralized resource with the goal of helping to prevent others from sharing his fate. The website, StopSIMcrime.org, aims to:
- Raise awareness about the entire realm of SIM crimes. The site talks about how the crimes work, what’s involved, and how you can protect yourself against them. The goal is to inform consumers and legislators alike about this growing problem.
- Serve as a victim resource and advocate. The site provides a variety of information and resources to victims, such as the ability to sometimes track the movement of the victims’ cryptocurrencies once they have been stolen.
- Effect change with mobile carriers to stop this from happening. The goal is to spur legislative change and court actions to get phone carriers to change their policies and enact technical and administrative solutions to prevent these types of crimes from affecting future victims.
How to Protect Yourself from a SIM Swap Attack
While you can’t 100 percent eliminate the risk of SIM swapping fraud, there are things you can do to protect yourself — or, at least, make it more difficult for criminals to achieve.
Create an Account PIN with Your Cellular Provider
Speak with your cellular carrier to ask how you can set up a personal identification number (PIN) or passphrase for additional security on your account. All four of the major carriers — AT&T, T-Mobile, Sprint, and Verizon — allow users to set up PINs that would be required for any major changes to accounts, including SIM swapping. Some carriers require their customers to set up such identifiers whereas for others, it’s optional.
The key to setting up an effective PIN is to use one that is unique to this account and hasn’t been used for another account. This helps to ensure that even if a phisher has been able to collect personal information about you, they won’t know that unique identifier.
Also, ask your phone carrier if there is an available option to set up a secondary PIN strictly for SIM swapping capabilities.
T-Mobile Users May Be Able to Activate NOPORT
In addition to setting up a port validation PIN for security, there may be a service available to some T-Mobile users that’s not often mentioned. Called NOPORT, Vice reports that this service requires a customer to physically visit a T-Mobile store and provide a government-issued ID before they can perform SIM swapping on their customers’ devices.
Call and Ask Your Cell Carrier to Make Notes on Your Account
This may or may not work, but it’s worth a shot. Ask your mobile carrier to notate on your account that any SIM swapping must occur with you being physically present with a government-issued ID card at one of their brick-and-mortar stores. Although a criminal could create a fake ID and show up at the store, it’s less likely that they will do so.
Increase Your Cybersecurity Awareness
Educate yourself about the most common cybersecurity threats. Visit StopSIMcrime.org and use other resources to learn about the tactics criminals use to get victims to provide personal or financial information. This can include email phishing or over the phone voice phishing (or what’s known as “vishing”). To help protect yourself from SIM swap fraud and other cyberattacks, here are a few cybersecurity best practices to adopt:
- Create unique passwords, PINs, and security question responses for every account. Don’t share passwords and PINs on multiple accounts and regularly change them.
- Delete old email accounts you no longer use.
- Avoid engaging with unsolicited emails, texts, and phone calls.
- Don’t click on links or files in emails or text messages.
- If you receive a call from someone claiming to be from the government or another organization, hang up and reach out to them using an official number you find through an official source.
- Avoid sharing your personal information via social media and other online accounts.
What to do if You are the Victim of a SIM Swap Attack
If you believe that you or someone you know are a victim of SIM swap fraud, change any passwords and account security questions that you can as soon as possible starting with email and bank accounts. However, it’s vital to ensure that any confirmation numbers or code aren’t sent to your phone number. Otherwise, the hacker will simply use that information to undo any changes you’ve made to your accounts and lock you out.
Contact your cellular service provider, your local law enforcement, the FBI’s Internet Crime Complaint Center (IC3), and the Federal Trade Commission (FTC) via its IdentityTheft.gov website to make official reports.
Contact all of your financial and banking institutions to put holds on your accounts. If you’re concerned that your Social Security number may have been compromised, reach out to all three credit bureaus to have them freeze your credit and flag any suspicious activity.
– Casey Crane is a freelance writer.
Connor Morgan, a freshman at Suffolk County Community College, and a part-time researcher at Cybercrime Magazine, contributed to this story.