What Is SIM Swapping?
SIM swapping, or SIM hijacking, occurs when attackers take control of your mobile number. They trick your cell phone provider into transferring your number to their mobile device.
The attacker then uses your phone number to access other online accounts that belong to you. They “recover” access to accounts (like your Gmail) through text messages, combined with other information that they have gathered about you from phishing emails, SMS two-factor authentication (2FA), or leaked data from the Dark Web.
In turn, they can easily gain access to:
- Bank accounts
- Social media accounts
- Cryptocurrency exchange accounts
Port-out fraud is often confused with SIM swapping, but they are two different things:
- Porting fraud occurs when a scammer transfers your number to another service provider.
- SIM swaps refer to transferring your account to a scammer's new SIM card.
There are instances in which you may have a legitimate reason to request a duplicate SIM. If your existing SIM chip malfunctions or if you somehow misplaced the SIM, your carrier’s support team can map your phone number to a new card’s Integrated Circuit Card Identifier (ICCID).
If you’re switching to a new carrier but are still in the same geographic area, simple port-outs can be completed in a day.
How Do You Authenticate a SIM Swap?
How can an attacker impersonate you and swap your SIM so easily? SIM swap attacks are so successful because carrier representatives are easy to trick.
The attacker can call your provider’s support line, offer a plaintive story about losing your SIM card, and get them to transfer your number. If the attacker feels threatened, they can just hang up and try again with another agent.
An empirical study by Princeton University documented six authentication challenges that attackers must overcome to complete a SIM swap:[*]
- Personal information: Street address, email address, date of birth.
- Account information: Last four digits of a payment card number, activation date, last payment date and amount.
- Device information: IMEI (device serial number), ICCID (SIM serial number).
- Usage information: Recent numbers called (call log).
- Knowledge: PIN or password, answers to security questions.
- Possession: SMS one-time passcode, email one-time passcode, or other multi-factor authentication (MFA) code.