What is SIM swapping and why you should be concerned
What is SIM swap?
Telco customers do it all the time for perfectly legitimate reasons. Unfortunately, so do cybercriminals, and for all the wrong reasons. This article explains both sides of SIM swapping and how Infobip can help protect you, your business, and your customers from external threats.
Is SIM swapping legal?
There are plenty of reasons why you would SIM swap. Say you’ve lost your phone or bought a new one – but your old SIM card doesn’t fit. Or maybe your SIM card got damaged, or you got a better deal with a new operator. When done for reasons like these, SIM swapping is entirely legitimate.
Thanks to SIM swap and mobile number portability services, your phone number sticks with you for years, even decades. You don’t need to go through the hassle of alerting everyone that you’ve changed your phone number; you simply get a new SIM, port your number to another operator and carry on with your life.
What is SIM swap fraud?
SIM swap fraud abuses the legitimate process of swapping SIMs and results in fraudsters stealing data, money and in many cases the end-user’s identity.
The time of phones serving only as a means of communication is long gone. Today, you use your phone to contact and store email addresses, bank accounts, social network accounts, cryptocurrency accounts – just about everything about you.
Important or private accounts on your phone likely offer you two-factor authentication (2FA), which relies on your phone number. Although 2FA is meant to keep you safe, in practical terms, this means that a single, publicly available piece of information is used for your identification and verification.
SIM swap fraud happens when cyber criminals contact MNOs pretending to be a customer and trick them into activating a new SIM card with the customer’s phone number. Once this is done, the scammer has full access to the end-user’s phone and information. Every one-time-pin (OTP) and 2FA message that is sent to that specific number is received by the fraudster.
Scammers do this by taking advantage of SIM swapping. Through loopholes in a completely legitimate process, cybercriminals can get access to all your accounts.
How does SIM swap fraud work?
Social media has become a regular part of life. Sharing details about your life online to your friends and family seems harmless enough, but without taking precautions, your post, photos and interactions online can make you vulnerable to identity theft.
People are often concerned about high value information being leaked, such as account numbers, passwords and social security numbers. What they fail to realize is that often hackers need the simplest information about your life to be able to successfully hack your accounts or steal your identity.
In 2021, Meta had a major data breach that resulted in half a billion accounts being affected. Hackers were able to access heaps of phone numbers and successfully match them to names, birth dates and genders.
Users who attached their phone number to their Facebook account were at risk of having their identity stolen through SIM swap. Anyone with a public profile and who enabled the “search by phone number” feature was an easy target.
Users are encouraged to change their profiles to private, adjust their privacy settings to reduce the number of people who can find you online and change their passwords to reduce the risk of SIM swapping.
SIM swap fraud examples
1. Social Engineering
Scammers mastered the art of deceiving people into giving up confidential information. The type of information these criminals are after can vary, as can the methods they employ to gain said information. But it all boils down to gaining access to your passwords and personal data. Scammers will often follow your activity on social networks and get to know everything about you – including the street you lived on, the name of your first pet, and who your best childhood friend was.
2. SIM swap
You may be asking yourself how someone can access your SIM card, and the answer is – quite easily. By doing their homework and collecting your info, they can simply call your mobile operator pretending to be you. They already know your full name, birthday (remember all those Facebook posts?), your pet’s name, your kids’ names, your address – just about anything they need to trick someone into thinking they’re you. If they’re not skilled at acting, they can bribe someone at the store to give them a copy of your SIM card. And just like that, you’re no longer the sole owner of your mobile phone number.
The final, ultimate step in this process is performing a fraudulent act. By receiving your OTP, or any other mobile-phone-related verification method, the fraudster can easily access your email and change your address.
By step three, it’s too late for you and your data.
Not too long ago, this was a concern reserved mostly for people with a lot of money in their accounts. This situation has changed.
Fraudsters are diversifying their portfolio and mitigating risk by taking over the accounts of regular people, like you and me, even our kids. Children are easy targets for identity thieves because they don’t use their own credit cards and likely wouldn’t notice any discrepancies until they reach adulthood.
In under 30 minutes, fraudsters can swap your SIM card and take over your accounts, transfer your money to themselves and take away your life savings. And they won’t stop there – they’ll take your entire identity.
SIM swap fraud vulnerabilities
SIM swap fraud exposes you, your contacts and organizations to multiple vulnerabilities. Once fraudsters gain control of your number, these are the most common threats they pose:
Fraudsters can contact your contacts to gather personal information, which can be used in further attacks and takeovers.
Most commonly, the purpose of SIM swap fraud is to takeover the target’s accounts. Fraudsters use SIM swaps to gain access to your accounts by hijacking your 2FA. This can include your social media, online store accounts – and even mobile banking.
Fraudsters can access your online store accounts and use any saved data to treat themselves to whatever they like – courtesy of your credit card.
Malicious attackers can take control of numbers belonging to managers, executives or heads of organizations and commit seriously costly corporate attacks.
SIM swap fraud detection
Users may notice some unusual activity on their phones. Most likely, phone calls and text messages won’t go through, and they will notice email notifications that their account passwords have been reset.
Friends and family may notice some odd posts or messages on social media that don’t match up to the typical behavior of the end-user that’s been hacked.
The worst part about SIM swapping is that you won’t know it’s happened to you before it’s too late.
SIM swap fraud prevention
How to prevent SIM swap fraud
There are two main ways users can protect themselves:
First, change your social media accounts to private to lower the risk of your information being leaked during a data breach.
Second, changing your passwords and PINs and making them more complex can help reduce the risk of hackers getting into your accounts. Don’t use any personal information in your passwords such as birthdays, anniversaries, or names. This goes for social media and mobile provider accounts as well as online banking accounts.
How operators can prevent SIM swap fraud
This means that if the SIM card was recently activated, the telco provider will be immediately notified and able to take fast action. Using up-to-date insights, MNOs can quickly compare the data they’ve collected from their customers in the past and compare it with the data coming from the new SIM card, flagging fraudulent activity.
Download our white paper
Mobile authentication keeps you and your customers, as well as their accounts, protected. To find out more, download our white paper, “Mobile Authentication: The Future of Mobile Security and User Engagement”.