“SIM Swapping” is a malicious attack targeting your mobile carrier that allows the attacker to gain control of your phone number in order to intercept any 2-step authentication or verification codes that may be sent via SMS text. Learn more about what it is and how you can avoid it here.
Better Mobile Security and Privacy!
According to an FBI report in 2021, SIM swapping cases continue to rise.
Even after numerous high profile cases, such as the successful attack against Jack Dorsey, then-CEO of Twitter, SIM swapping continues to be a problem.
In the US, there is an effort by the FCC to combat this vulnerability, but it’s unclear when – or even if – this will turn into anything useful. The bottom line is this:
If you want to protect your mobile phone against SIM attacks, you need to take a few easy steps to do so.
Before we jump into the steps you can take to avoid a SIM swap, let’s first explain exactly how SIM swapping works, why SIM swapping is so dangerous, especially in relation to SMS text verification codes.
Anatomy of a SIM Swap
To get a better understanding of how a SIM swap attack works in real life, let’s consider a fictitious character by the name of “Sandy”.
Sandy is your typical internet and phone user who hasn’t taken the time to increase privacy on her Facebook account and uses the most basic of 2-factor authentication on her accounts: SMS text.
One day, while Sandy is going about her own business:
- The Research Phase: Somebody on the other side of the world starts gathering data on Sandy. They either purchase her data that has been stolen and put up for sale on the dark web, or they look at her public Facebook page.
- The Impersonation Phase: The attacker calls her mobile phone carrier (AT&T, Verizon, Virgin, etc.) claiming to be Sandy and tells the customer support agent that she (Sandy) has lost her phone. The customer support agent asks a number of verification questions that includes email address (which the attacker bought online), her mother’s maiden name (which the attacker found on Facebook) and her address (which was also easily found online).
- The SWAP: Once convinced that the attacker is actually Sandy, the customer support agent moves the phone number from Sandy’s current phone to the attacker’s phone. Sandy’s phone can no longer send or receive phone calls and texts.
- The ATTACK! Now that the attacker has control of Sandy’s phone number, they will go around to her bank, her email, her investment accounts and request an account reset. Many of these companies will verify using a text message code which is now being sent to the attacker’s phone.
Before Sandy even realizes that her phone no longer works, she has now lost access to her online accounts because of this SIM swap attack.
What Makes SIM Swapping Dangerous?
As you can tell from the example above, SIM swapping has the potential to be very dangerous. A few of the reasons for this include:
- Attack can be done remotely. This means that cyber criminals don’t necessarily have to steal or touch your phone in order to do a SIM swap.
- It’s not simple to detect. After an attack, it may take some time before you realize that you can’t make a phone call anymore or you just aren’t receiving text messages.
- It’s surprisingly easy to do. In 2020, researchers at Princeton University found that out of 50 attempts to do a fake sim swap, 39 of them were successful. That’s around 80% success rate.
Different mobile carriers are implementing different sets of security measures to protect against SIM swapping, but the attack still persists.
For one simple reason: the weakest link in this chain are the customer support agents who are usually not well-trained nor well-paid.
How YOU Can Avoid Being SIM Swapped!
There are a number of steps you can take to prevent SIM swapping, some of which include the following:
- Don’t use SMS text as a 2FA verification process. If possible, use authenticator apps like Google authenticator or Authy for your 2FA verification process. If you want more security, you can invest on a physical 2FA key. I prefer and recommend the YubiKey.
- Call you mobile phone provider. Ask your phone provider about what protections they’ve put in place. Perhaps you can secure your account with a PIN code or add extra security questions. While these measures aren’t fool-proof protection, it’s still better than nothing.
- Set a PIN for your SIM card. Some carriers allow you to set a pin number for your SIM card which could help. But be careful because if you do it wrong, you can actually lock yourself out of your sSIM card.
- Don’t give real answers for verification questions. Whenever you’re asked for information used to verify your identity, don’t tell the truth. Make something else up or write the answer backwards.
That last tip is IMPORTANT! If you’re asked to provide your mother’s maiden name or the name of your first dog, it’s better to come up with fake answers that you always use instead of the real answers that can often be found online.
Secure Mobile Carrier Alternatives (Efani)
If mobile privacy is really a serious concern for you, there are lesser-known alternatives like Efani.
Efani is a service that adds another layer of security to your mobile phone by replacing your current phone plan. You can get a new number or you can port your phone number to their service which operates on top of both AT&T and Verizon networks in the United States.
What are the benefits of paying for this kind of security and privacy service?
- Protect Against ALL SIM Swaps: They offer an 11-layer authentication process that pretty much eliminates any risk of SIM swaps;
- Insurance protection: Because of this authentication process, they’re able to offer $5 million insurance against any losses related to SIM swaps.
- Privacy: Even more than that, I like the fact that AT&T and Verizon don’t have my personal information. As far as they are concerned, Efani is their customer and not me.
It’s not a solution that works for everybody, it’s worth checking out Efani.
Be sure to subscribe to the All Things Secured YouTube channel!