SIM swapping is not a new problem. It’s long provided criminals with the ability to take over a mobile device and gain access to data and even funds. But you don’t need to be a cyber security expert to combat it – just four simple steps can substantially reduce the risk.
What is a SIM card?
SIM cards are what make mobile phones work. A SIM is a chip within the mobile phone that identifies the subscriber and enables them to connect their device to a mobile network.
Swapping SIM cards is a common and legitimate occurrence. A customer might have a new device, have lost or damaged their SIM, or may need to transfer the SIM to a backup handset because their phone ran out of charge or is faulty.
However, although the SIM is a stable and relatively secure platform in itself, the ability to change SIMs provides an opportunity for criminals.
What is a SIM swap attack?
There are various ways criminals can perform a SIM swap attack. They might, for example, have access to an ‘insider’ – someone who works for a phone store or in a service provider’s call centre – or they may be able to use information they’ve gleaned about you to impersonate you and trick a call centre representative into thinking they are you.
Once the criminal gets the mobile operator to give them control of a phone number, they can lock you out of your own account, change passwords, use your data plan and receive phone calls sent to you. They’ll also be able to access your new and previous text messages.
This is the holy grail for cyber criminals because two-factor authentication (2FA) – where a one-time password (OTP) is sent to your mobile device by the application owner – is now used for the majority of applications, especially those deemed critical.
But if a cyber criminal can hijack your mobile account via a SIM swap attack, they can request new OTPs, or potentially use ones already provided, giving them access to your other accounts (such as bank accounts). Once they’ve gained access to these they can change passwords, transfer funds or do anything a legitimate user could do.
How to protect yourself
The cyber criminal is actually targeting companies (the mobile operator, the bank etc) and the vulnerabilities in their systems to execute SIM swap attacks. But this doesn’t mean you can’t take steps to protect yourself. At least the first two of the steps below can be done immediately.
- Put a PIN on your SIM – most devices require a PIN or biometric authentication to gain access to the device, so why not add an additional (different) PIN for the SIM? Giving your SIM a PIN provides two layers of enhanced security. It means that each time the SIM is inserted into your phone or a new phone, or if the phone is restarted, a prompt will ask for the SIM’s PIN. Without this PIN, the user won’t be able to access the account the SIM is linked to. Giving your SIM a PIN means that anyone who steals your phone and has physical access to your SIM can’t access your mobile account and its text messages, even by removing it from your phone and sticking it into another phone.
- Use an Account PIN with your mobile carrier. Some service providers will insist you set up an account PIN; others will leave the choice to you. It’s important that you make the effort to set one up to protect your data and associated valuables. If an Account PIN is set up, it makes it far more difficult for criminals – since the PIN will be required before a SIM swap can take place. You can set up an account PIN at any time, not just when you open your mobile account.
- Use an authenticator app. Don’t disable 2FA, just find an alternative to get the OTP. For example, use an authenticator app rather than text messaging to get your 2FA OTP codes. 2FA authenticator apps work by keeping six-digit codes for compatible accounts in-sync on your phone and on the company’s servers. When you log into any one of these accounts with your login and password, you’ll be asked to enter the six-digit code from the authenticator app – there’s no need for the company to text you the code. Google, Microsoft, Amazon, Facebook, Twitter and other companies let you use their apps, or other authenticator apps, to help secure your accounts (check this link for other paid apps). A single authenticator app can handle all your authentication codes, no matter how many different accounts you use.
- If you can’t use an authenticator app use email. Although many of the larger service providers allow you to use authenticator apps, not all providers and businesses do. Where the use of authenticator apps is not supported, you should check to see if the account supports 2FA via email. Receiving 2FA codes via email protects you from SIM swapping scams, because even if crooks have access to your phone number and text messages, they won’t have access to the login credentials for your email account. If you go down this route, set up a dedicated email address for your OTPs and protect this account via an authenticator app – or the prompt-based authentication offered by Apple and Google – so that a SIM swapper can’t break into your email and copy any 2FA codes being sent there.
Cyber criminals and scammers use consistent methods to gain access to your credentials via SIM swapping attacks. There are now lots of new offerings on the market that service providers and other organisations can adopt to overcome the frailties of two-factor authentication and one time passwords. But don’t wait for them to adopt these methods, act today. The very simple but effective methods described above go a long way to making things more difficult for cyber criminals and scammers – helping to protect your SIM and account until organisations roll out more secure methods of authentication.