What is a SIM Swap Attack and How can I Protect Myself?

Even with the added layer of security of Two-Factor Authentication (2FA), cybercriminals are still finding ways to hack into accounts. How are they doing this? By basically taking control of a phone number, they are having the 2FA messages sent to a device on the phone number that they now control, thus getting around the Two-Factor authentication. There have been several cases of Instagram users get hacked and locked out of their account. In this post, we’re going to discuss exactly what a SIM Swap Attack is, how it happens and what you can do about it.

What is a SIM Swap Attack?

The simplified explanation of what happens is: An attacker gains access to your phone number. This is typically done outside of your control, so even following security protocols will not prevent these type of attacks. It’s often done by simply tricking the carrier into thinking they are adding the new device for you, which allows them to activate a new phone using that phone number. From there, any traffic inbound to that phone number (SMS messages, phone calls, etc) are sent to the new device that’s in the attacker’s control.

The SIM swapping process usually goes something like this:

1. Attacker obtains as much personal information as they can about you, in order to engage in social engineering.  This can be from phishing, social media, malware, the dark web or anywhere your information might be leaked.
2. The attacker calls customer service (while impersonating you) and claims that their cell phone or SIM card has been lost or damaged.
3. The attacker tries to convince the customer service rep to activate a new SIM card (one that the attacker currently has access to) by answering security questions based on the personal information from earlier.
4. If the attacker can convince the customer service representative to activate the new SIM card, they now have access to your phone number.  All of your calls and text messages will now be routed to the new SIM card, which is in the attacker’s possession.
5. Any account tied to that phone number is now potential vulnerable to being hacked.

In addition, there have been some reports that link retail store workers being recruited to hack accounts. Attackers have been bribing employees to modify data on the account without the proper account owner permission. Much like a determined burglar, persistent attackers can hijack your accounts if they have the knowledge and will to pull it off.

What can I do to protect myself?

Phone numbers were never meant to be an alternative form of identification, it just somehow became a “standard” for 2FA. With that being said, there are a few things you can do to protect yourself. The easiest thing you can do is assign a PIN number. Every major carrier in the US offers the option to add a PIN number to the account. An even better alternative is to use a stronger form of Two-Factor Authentication, such as Microsoft Authenticator or Google Authenticator. It gives an added layer of security, but the security is tied directly to that device instead of the phone number.

In addition to those steps, you should always follow our golden rule of cybersecurity, which is “Stay Vigilant”. If something seems “off”, such as your cell phone suddenly stops working or a login changes that you don’t remember, address the issue as soon as possible. If you have any questions regarding cybersecurity, feel free to call the experts at SandStorm IT at 901-475-0275.