The SIM Swap Attack :  Addressing This Identity Fraud Problem

The techniques to steal a user’s data continues to become more innovative, as it advances with the pace of technology. If there is a way to get into the system, the most persistent will find a way. Unfortunately, it is not always for the greater good. One type of attack that can compromise a user’s identity is the SIM Swap Attack.

This attack makes use of customer support in the telecom service provider’s system, which can allow a bad actor to take over an account. This is through a social engineering method that tricks a mobile (i.e. wireless) provider’s customer service into switching a user’s phone number to another SIM card.

SIM (Subscriber Identity Module) cards provide user access to a mobile network. Before a user can use their smartphone, they must have a SIM card activated with a valid number in order to communicate. The SIM card stores information like the IMSI (International Mobile Subscriber Identity) and its key. This is the way mobile providers identify and authenticate their subscribers. A user who wants to use a mobile service (e.g. Verizon, T-Mobile, AT&T) must have a SIM card installed on their smartphone.

SIM Swap is not the same as another technique called SIM Clone. Cloning a SIM card is much different in the way it is performed. SIM cloning requires physical access to a SIM card, from which an attacker can duplicate key information.

While a SIM Swap attack is performed through social engineering methods, a SIM clone is performed using software that can copy the IMSI and master encryption key to another SIM card. A SIM Clone Attack can also be performed over the air to target the victim remotely. They both have the purpose of taking over a user's mobile account.

The problem is that this type of attack can be easily performed. The hacker or bad actor just needs to know public information about the user like their phone number. They can then use that information to transfer a phone number to another SIM card using customer support.

If enough information is known about the user, they can convince customer support that the caller is the actual user who owns the account. This can then lead to the transfer of the phone number data to a different SIM card, allowing the new user to use it to gain access to the actual user’s personal data. 

In a successful SIM Swap Attack, a bad actor not only has access to the user’s service but also can gain access to a user’s personal accounts. This is because many online accounts use a form of 2FA (Two-Factor Authentication) which uses a phone number.

The phone number is usually where a text message authorization code is sent that allows a user to make changes to their account. Examples of this include changing passwords, personal data, deactivating a user account or accessing a user's e-mail account. Once a bad actor has access to the user’s e-mail account they can do plenty of harm, like stealing information that is contained in e-mail messages.

Since many apps used for banking, online retail, social media, e-mail and even medical records are connected to a smartphone, this attack also leads to identity fraud. This results in data theft, impersonation to access services and worst of all when the phone information is in another user’s hands that user can send messages, make payments and make calls as if they were that user. This also allows bad actors access to personal property like digital assets on a user’s exchange account.

If you have not yet been compromised yet, the best preventive measure is to use a different form of 2FA. Instead of having codes sent via SMS (text message), install an app-based code generator instead. A popular one is Google Authenticator. The security it provides is much better than having codes sent via text. App-based code generators require the user to have access to the physical smartphone.

This thwarts a bad actor who may have access to the user’s phone information but not access to the actual smartphone. The code is generated by the app only within the smartphone. It cannot be generated remotely by another user. Many websites do support this type of authentication instead of providing a phone number.

Securing your phone with a basic PIN or password always helps. Users can request this from their mobile service provider. It is best to ask your store representative (where the smartphone was purchased) or call the mobile provider’s customer support to ask for further details. When choosing a PIN or password, it should not be easily guessable. Use a convention that is easy to remember, but hard enough for others to guess.

Backup all personal data and information stored online. When an account gets hacked and locks the user out, at least with a backup they can restore the files to a new account. It is worse if there exists no backup and this could lead hackers to extort money in return for personal data. Even worse, their purpose could be to destroy the data. Having off-line and online backup copies of files is good to have in case of incidents like this.

If you suddenly stop receiving texts and voice calls to your phone or suddenly realize you don’t have service, contact the mobile provider immediately. Inquire about activity regarding the account’s phone number and whether there were recent changes made. Request a freeze on the account so that no one can use that number for making calls or receiving text messages. The provider will deactivate the SIM card upon your request (once it has been verified). 

Perhaps the most important thing to do if you have been compromised by SIM Swap is to change the password on all your accounts for good measure. Have the mobile provider freeze the account temporarily.

Unfortunately, if the hacker has already changed the password, this will be much harder to do. It will require a user to provide more proof of their identity to be able to recover their hacked account. At this point, it might be best to create a new e-mail account rather than try to recover the old one. That is not the best solution though, since an e-mail account could contain numerous contact information that has not been memorized. The account could also store important personal information.

If the authorities need to be involved, report it to the police, the FTC or consult with a lawyer. If the data is sensitive enough to require further investigation, then requesting help with computer forensics will be helpful. If the damage has already been done, then the user must prove that they were not the one who caused it. That requires proof from a police report or some form of documentation (consult with a lawyer regarding these cases). It is important to preserve your integrity and reputation due to identity theft.

The good news is that not all SIM Swap Attacks will be successful. Customer support agents have become aware of this problem. If further information is required to make changes to an account, and the hacker does not know it, it will certainly prevent further access. If a security code is required from a code generator that is on the actual smartphone, it should thwart the attack. It will be even harder if a code is also sent via e-mail, which a hacker may not have access to. 

Stronger identity verification and protection will be required to make attacks like this more difficult. While it may take more time and is quite an inconvenience for users, the more layers of security there is the stronger the protection. The important lesson in all this is to not use your phone number for authentication purposes. Since it is public information, the bad news is that it can be used to gain access to personal accounts.