SIM swapping occurs when an attacker contacts a mobile provider and tricks the telco into moving a victim’s phone number to an attacker-controlled SIM card. A SIM card (Subscriber Identity Module) holds the subscriber identity and secret key that authenticate a handset to the mobile network; whichever SIM the carrier currently associates with your number is the one that receives your calls and text messages. Aside from cutting you off from calls and texts, SIM swapping lets fraudsters intercept SMS-based password resets and verification codes, and through those gain access to your email, your contacts and potentially your banking information. It may seem like it can’t happen to you, but it can.

The fraudsters use social engineering techniques to convince the telco that they are “you.” They may also use social engineering on you directly, to obtain the information they need to call the telco and swap the SIM. A recent ZDNet article breaks down a Princeton University study that tested 5 major US telcos to see whether researchers could trick telco employees into performing a SIM swap. All 5 telcos were tricked into swapping the SIM, even when the caller could not provide the PIN associated with the account. This is where the social engineering comes in. As they didn’t have the PIN, the callers were instead asked for the phone numbers of the last two outgoing calls, a check an attacker can prepare for in advance: “An attacker could trick a victim into placing calls to specific numbers. For example, a scenario of ‘you won a prize; call here; sorry, wrong number; call here instead.’”

This isn’t just a US problem. The Ontario Provincial Police (OPP) have been warning residents about the dangers of SIM swapping. Recently, a Brighton resident had her number stolen. The Canadian Bankers Association has also posted tips on how to protect your bank account from SIM swapping. Some best practices for protecting your phone number include:
- Don’t publish your phone number on any of your social media profiles and limit the amount of personal information you post online like your birthday, elementary school names, or your pet’s name. Fraudsters can use these clues to answer common identification questions and impersonate you.
- Set up a passcode/PIN with your service provider that must be given before any change is made to your account, whether online or over the phone. Do not reuse a PIN you use for other accounts, such as your bank account.
- Don’t use the same passwords or usernames across multiple accounts. Always create a strong, unique password for your sensitive accounts. If you use two-factor authentication (2FA), it is wise to move away from SMS-based 2FA to an app-based system, since codes generated on the device cannot be intercepted by whoever holds your phone number.
- Do not respond to phishing emails or text messages asking you to confirm a password or update account information.
- If you unexpectedly lose mobile service on your device, contact your service provider immediately.