Smartphones are more or less a commodity these days. They play an important role in many people's everyday lives for everything from entertainment and storing notes and photos to banking, emails and private messages. That's probably why many people know the panic that can set in when they can't find their phone. With SIM swapping, however, you don't have to physically lose your phone for others to access its contents.
In short, SIM swapping, also known as SIM fraud, involves a fraudster gaining access to an active SIM card attached to an existing telecom subscription. This also gives them control over all your personal accounts and allows them to launch a series of cyber attacks. Read on as we explain how a fraudster can take over your number - and why it's unfortunately difficult to prevent as a private individual.
How SIM swapping works
SIM swapping is when a fraudster pretends to be you and contacts your phone company. They approach the company with a request to assign your phone number to a new SIM card they have already purchased, or to activate a new SIM card. For example, they may say that the original SIM card broke or disappeared when "you" sold your phone.
Perhaps you're wondering how it's possible for a fraudster to gain access to your account through your telecom company? Unfortunately, in the past this has proved to be widely possible, as photo ID has not necessarily been required. Nor will it usually deter the fraudster if the company verifies identity with other details, such as the last four digits of your social security number, a PIN code or security questions. We will come back to how they can access this sensitive information.
This is a form of identity theft, as the fraudster pretends to be you and gains access to your private information and therefore private accounts.
In very simple terms, the fraudster disconnects your number from your phone by associating your number with the new SIM card in their own phone.
They can then access your accounts and reset your passwords, because they also control two-factor authentication: in many cases the one-time passwords are sent to your number in a text message. After that, there is no limit to the accounts and private information they can get their hands on.
Security risks of data breaches
As mentioned above, the fraudster may already have prior knowledge of private information about you, such as your social security number or PIN. This is possible because you may have been involved in a data breach where your sensitive data was leaked.
Data breaches are particularly dangerous if different pieces of your information appear in several different data breaches. For example, your name may appear in one data breach, your date of birth in another, your email address in a third and your phone number in a fourth. In isolation, this may not seem alarming to you. But ultimately, the hacker can piece together the puzzle and get just the information they need to take over your accounts and your digital life.
How do you know you've been SIM swapped?
If you're a victim of SIM swapping, you'll notice your phone starting to behave strangely. You'll most likely find that you can't make or receive calls or texts, and if you're on Wi-Fi, you'll find yourself receiving emails about changes to your accounts.
You may also notice your social media accounts being hacked or inappropriate activity on your bank account.
Overall, you detect SIM swapping by identifying unwanted activity that you don't recognise yourself. It's important to react quickly here, as it can quickly develop into the hacker taking over all your accounts and your entire digital life. Below, we've put together some security measures you can consider to prevent SIM swapping attacks, as well as what to do in case it has already happened.
What can you do to minimise the risk of SIM swapping?
While it can be difficult as an individual to prevent SIM swapping from taking place, we do have some advice that can help increase your overall security.
How to prevent SIM swapping
First of all, you can take the following preventive security measures:
Create a new PIN for your SIM card. Make sure the code is unique and that only you know it. This means that you should not use your date of birth, year of birth, postcode or social security number as your PIN, as studies show that many people typically do. This is information that could potentially turn up in a data breach and thus reveal your code.
Keep your online profiles private. A lot of personal information can be freely available when you have a publicly open profile, without you even thinking about it. This could be information such as your date of birth, etc., which could be exploited in a hacker attack.
Speak to your telecom company about what security measures they take. They may already have guidelines in place to minimise the risk of SIM swapping - and if not, this may be something they need to introduce if more and more customers demand it. For example, many companies offer extra security for your account in the form of an extra security code that you have to provide in-store or over the phone if you want to make changes to your account.
Turn off reset texts. Some mail providers let you reset your password via a text message, which is precisely why SIM swapping and a stolen phone number can be such a problem. But by disabling your phone number as a reset option, you make this type of attack impossible. Instead, you can, for example, have another email account as a backup, so the resetting is done through that account.
Use better two-factor authentication. If you want to increase your security, it's also a good idea to use a form of two-factor authentication other than SMS. SMS-based two-factor authentication can still be a problem even if you have turned off SMS reset: the hacker could have your password and still access your account by receiving the two-factor code via SMS. Fortunately, there are other two-factor solutions. For example, many services allow you to print out two-factor codes, similar to the old paper cards you may know from Danish NemID, which you can then use instead of SMS codes. Alternatively, you can buy a hardware key. Whichever method you choose, remember to turn off SMS in your account settings.
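The last two measures can be checked against your own account settings. The following is an added example, not part of the original article: a small Python audit that flags which accounts a stolen phone number would still open, including accounts that reset through a backup email which is itself protected only by SMS. The account names and field names are hypothetical, and the sample inventory is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:                        # hypothetical record, one per online account
    name: str
    sms_reset: bool = False           # password can be reset by text message
    sms_2fa: bool = False             # one-time codes are sent by SMS
    other_2fa: bool = False           # printed codes, app or hardware key
    password_leaked: bool = False     # password appeared in a data breach
    reset_email: Optional[str] = None # backup email account used for resets

def entry_route(a, exposed):
    """Describe how control of the phone number opens account a, or None."""
    if a.sms_reset:
        return "password reset by text message"
    via_email = a.reset_email in exposed
    if a.password_leaked or via_email:
        how = f"reset through {a.reset_email}" if via_email else "leaked password"
        if a.sms_2fa:                 # SMS left on defeats any stronger factor
            return how + " plus SMS code"
        if via_email and not a.other_2fa:
            return how + ", no second factor"
    return None

def sim_swap_exposure(accounts):
    """Repeat until stable: a backup email that falls exposes what it resets."""
    exposed, changed = {}, True
    while changed:
        changed = False
        for a in accounts:
            if a.name not in exposed:
                reason = entry_route(a, exposed)
                if reason:
                    exposed[a.name] = reason
                    changed = True
    return exposed

# Constructed sample inventory
ACCOUNTS = [
    Account("social", reset_email="main-mail"),
    Account("main-mail", sms_2fa=True, other_2fa=True, reset_email="backup-mail"),
    Account("backup-mail", sms_reset=True),
    Account("bank", other_2fa=True, password_leaked=True),
    Account("shop", sms_2fa=True, password_leaked=True),
]

if __name__ == "__main__":
    for name, reason in sim_swap_exposure(ACCOUNTS).items():
        print(f"{name}: {reason}")
```

In this sample only the bank account stays closed: its password leaked, but no SMS option is left switched on.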
In case the damage has already been done, you should:
- React quickly and contact your telecom company. The faster you react, the more likely you are to mitigate the damage. It is important that the SIM card is closed as soon as possible so that the third party (the hacker) is stopped in their attack.
SIM swapping is just one of many methods used by cyber criminals in cyber attacks. It can be difficult to protect yourself completely against it, as it also depends on the security of your telecommunications company.
SIM swapping is thus one of many risks of having a digital life. In general, we encourage you to do everything you can to prevent cyber attacks rather than waiting until the damage is done and your information has been leaked in a data breach, for example. Moxso helps you keep an eye on this through our data leak monitoring, where we notify you if your information has surfaced in a data breach.
You can also read along in our blog post on how to create strong passwords, where we provide our best advice for creating strong passwords and explain why they are important for your cyber hygiene.
Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.