“SIM swapping” is an attack targeting your mobile carrier that lets the attacker take control of your phone number and intercept any 2-step authentication or verification codes sent via SMS text. Learn more about your SIM (subscriber identity module), what SIM swap fraud looks like, and how you can avoid it here.
Key Takeaways
- SIM swapping can be done remotely without needing physical access to your phone. It’s surprisingly easy for customer service agents to fall victim to social engineering attacks by hackers.
- Use authentication apps instead of SMS for 2FA. Apps like Google Authenticator are more secure. Physical security keys like YubiKey are even better.
- SIM swap fraud can also be prevented by using fake answers for security questions rather than real info.
- For robust protection, consider security services like Efani, which offers encrypted SIM cards and $5 million insurance against the SIM swap scam.
According to a 2021 FBI report, SIM swap scams, also known as “SIM jacking,” continue to rise.
Even after numerous high-profile cases, such as the successful attack against Jack Dorsey, then-CEO of Twitter, SIM swapping continues to be a problem.
In the US, there is an effort by the FCC to combat this vulnerability, but it’s unclear when – or even if – this will turn into anything useful. The bottom line is this:
If you want to protect your mobile phone against SIM swap fraud, you need to take a few easy steps to do so.
Before we jump into the steps you can take to avoid SIM swap fraud, let’s first explain exactly how SIM swapping works and why it is so dangerous, especially with SMS text verification codes.
What is a SIM Card?
A SIM card, which stands for “Subscriber Identity Module,” is the little card that your mobile carrier gives you to put into your phone.
Without this SIM card, your phone is unable to connect to a cellular network to make phone calls, receive text messages or access mobile data. The only way you could use such a phone would be by connecting to Wi-Fi.
In other words, a SIM card is what a mobile carrier uses to provide service to your phone.
In newer phones you can get an eSIM for international travel instead of a physical SIM card, but it still works the same.
SIM Swap Guide | How Does it Work?
To get a better understanding of what a SIM swap attack is and how it works in real life, let’s consider a fictitious character by the name of “Sandy”.
Sandy is your typical internet and phone user who hasn’t taken the time to increase privacy on her Facebook account and uses the most basic of 2-factor authentication on her financial accounts: SMS text.
One day, while Sandy is going about her own business:
- The Research Phase: Somebody on the other side of the world starts gathering data on Sandy. They either purchase her data that has been stolen and put up for sale on the dark web, or they look at her public Facebook page.
- The Impersonation Phase: The attacker calls her mobile phone carrier (AT&T, Verizon, Virgin, etc.) claiming to be Sandy, and tells the customer support agent that she (Sandy) has lost her phone along with the SIM card. The customer support agent asks several verification questions, including her email address (which the attacker bought online), her mother’s maiden name (which the attacker found on Facebook), and her address (which was also easily found online).
- The SIM SWAP: Once convinced that the attacker is actually Sandy, the customer support agent for the mobile carrier moves the phone number from Sandy’s current phone SIM card to the attacker’s phone. Sandy’s phone can no longer send or receive phone calls and texts.
- The ATTACK: Now that the attacker has control of Sandy’s phone number, they will go around to her bank accounts, her email, and her social media accounts and other online accounts to request an account reset and gain access. Many of these companies will verify using a text message code which is now being sent to the attacker’s phone number instead of Sandy’s.
Before Sandy even realizes that her phone can no longer make phone calls or send texts, she has now lost access to her online accounts because of this SIM swap fraud. And the attacker didn’t even need access to her physical SIM card in order to gain access to these accounts!
What Makes SIM Swapping Dangerous?
As you can tell from the example above, a digital SIM swap has the potential to be very dangerous. A few of the reasons for this include:
- SIM swap attacks can be done remotely. This means that cybercriminals don’t necessarily have to steal or touch your phone to do a SIM swap. They don’t have to remove your SIM card and put it in their phone.
- It’s not simple to detect. After an attack, it may take some time before you realize that you can’t make a phone call anymore or you just aren’t receiving text messages.
- It’s surprisingly easy to do. In 2020, researchers at Princeton University found that out of 50 attempts to do a fake SIM swap, 39 of them were successful. That’s around an 80% success rate.
Different mobile carriers are implementing different sets of security measures to protect against SIM swapping, but the attack persists.
Why?
For one simple reason: the weakest link in this chain is the customer support agents. Call center employees are usually neither well-trained nor well-paid, which makes them a prime target for the SIM swap scam.
How YOU Can Avoid Being SIM Swapped!
What is a SIM swap? Hopefully we’ve been able to answer that thoroughly for you. There are many steps you can take to prevent SIM swapping, some of which include the following:
- Don’t use SMS text as a 2FA verification process. If possible, use authenticator apps like Google Authenticator for your 2FA verification process. If you want more security, you can invest in a physical two-factor authentication key. I prefer and recommend the YubiKey.
- Call your mobile phone provider. Ask your phone provider about what protections they’ve put in place. You may achieve better account security with a PIN code or extra security questions. While these measures aren’t fool-proof protection, they’re still better than nothing.
- Set a PIN for your SIM card. Some carriers allow you to set a PIN for your SIM card which could help. But be careful because if you do it wrong, you can actually lock yourself out of your SIM card.
- Don’t give real answers to verification questions. Whenever you’re asked for information used to verify your identity, don’t tell the truth. Make something else up or write the answer backwards.
That last tip is important for SIM swap attack prevention!
If you’re asked to provide your mother’s maiden name or the name of your first dog, it’s better to come up with fake answers that you always use instead of the real answers that can often be found online.
Of course, you could opt to use encrypted SIM cards as a protection against SIM swapping instead.
Secure Mobile Carrier Alternative (Efani)
If mobile privacy is a serious concern for you, there are lesser-known alternatives like Efani.
Efani is one of the best secure mobile providers in the US. It offers the best encrypted SIM card, which adds another layer of security to your mobile phone by replacing your current phone service plan. You can get a new number or you can port your phone number to their service, which operates on top of the AT&T network in the United States.
What are the benefits of paying for this kind of security and privacy service? In this truncated Efani review, I’ll share what they offer:
- Protect Against ALL SIM Swaps: They offer an 11-layer authentication process that pretty much eliminates any risk of a SIM swap attack.
- Insurance protection: Because of this authentication process, they’re able to offer $5 million in insurance against any losses related to SIM swap fraud that leads to identity theft.
- Privacy: Even more than that, I like the fact that AT&T does not have my personal information. As far as they are concerned, Efani is their customer and not me.
An encrypted SIM card is not a solution that works for everybody, but you can learn more about whether it is a good option or not for you in our in-depth Efani review.
Be sure to subscribe to the All Things Secured YouTube channel!