SIM swapping, also known as SIM jacking, is a technique used by attackers to gain access to a person’s phone number and, ultimately, their two-factor authentication (2FA) codes.
A fraudster will impersonate a target while calling their mobile service provider and ask for the target’s phone number to be ported to a new SIM card. The attacker will then check whether they can use the phone number to intercept any SMS-based 2FA codes.
How does SIM swapping work?
Criminals will call their target’s mobile service provider and recount a fake but believable story for their SIM swap request. For example, they might say: “I lost my phone at a music festival and need help transferring my number to a new SIM card.”
The mobile service provider will likely ask some security questions to verify the caller’s identity. However, criminals are smart and will prepare for these questions by researching their target beforehand. They’ll root through prior data breaches and anything that’s been shared publicly about the target online. This gives them the information required to impersonate their target and falsely verify themselves as the account owner.
Social engineering doesn’t always work – sometimes the mobile service provider will see through the lies. But it’s effective enough that criminals have adopted it in droves.
What’s at risk from SIM swapping?
The main objective of a SIM swap attack is to intercept any two-factor authentication (2FA) codes that the target receives via SMS.
The scammer will also test whether they can use the target’s phone number to reset any account passwords. For example, some email services will offer to text you a verification code if you can’t remember your password and don’t have access to any other kind of verification, like a secondary email inbox.
Finally, a SIM swap can give the criminal access to incoming calls and texts, and potentially other kinds of sensitive information, like the target’s stored contacts.
How do you know if you’ve been a victim of SIM swapping?
If you notice any of these warning signs, you might have been targeted by a SIM swap attack:
- You’re locked out of the account that you use to manage your phone plan, and discover the password has been changed.
- Your phone unexpectedly loses service, or you suddenly find that you can’t receive calls or text messages, even with good reception.
- You’re alerted to suspicious login activity on one of your online accounts.
If any of these happen to you, contact your mobile service provider as soon as possible and ask them to shut off access to the SIM card that’s currently using your number.
How to prevent SIM swapping: two-factor authentication
As we’ve already established, two-factor authentication (2FA) is a great way to strengthen the security of your online accounts. But it’s only worthwhile if the way you retrieve your 2FA codes isn’t compromised.
If you want to protect yourself against SIM swap attacks, use a standalone authentication app, or a password manager like 1Password, which can be used as an authenticator for sites that support 2FA. After you’ve set it up, 1Password will autofill your one-time codes whenever you need them, just like your passwords and other digital secrets. Watchtower will also let you know when 2FA is available, so you can turn it on and increase the protection around your accounts.
These kinds of authenticators are safer than SMS because your codes are tied to a specific device – or in the case of 1Password, a series of trusted devices – rather than your phone number. That means a criminal would need physical access to one of these devices to intercept your codes and access your online accounts.
Other tips to prevent SIM swapping
Unfortunately, there’s no way to guarantee that your mobile service provider won’t fall victim to social engineering. But you can make it harder for criminals to gain control of your SIM. Here are some extra steps you can take to prevent SIM swapping, and minimize the damage of a successful SIM swap:
Use strong and unique passwords for all of your online accounts. A strong password isn’t predictable, like “12345”. It should be long and complex enough that it can’t be easily cracked with a brute-force attack. If an attacker can easily crack your simple password, they are halfway to breaking into your account. All they need is the 2FA code, and they’re in.
Set up additional security measures with your mobile service provider. Ask your carrier if they can set up a ‘port freeze’ for your phone number. Some service providers will also let you add an extra PIN, password, or passcode – or another form of authentication – that’s required in order to transfer your phone number to a new SIM card.
Limit what personal information you share online. Hackers need some of your personal information to win over the person working for your mobile service provider. You can make the hacker’s life more difficult by restricting what you share publicly, and not revealing personal details like your address, date of birth, and phone number on social media.
Use random answers for security questions. Criminals will often research their target to see if they’ve posted anything that inadvertently reveals the answers to their security questions. Choose random answers for your own security questions, and store them in a safe place like 1Password. Criminals then won’t be able to answer your mobile service provider’s security questions with information they’ve gleaned online.
Protect yourself with strong password security practices
It can be overwhelming to hear and read about the rise of SIM swap attacks. And it’s natural to feel powerless to stop them. After all, it’s your mobile service provider – not you – that would be talking to the hacker and ultimately deciding whether to port your number to a different SIM card.
But that doesn’t mean you can’t take steps to combat SIM swap attacks. If you use strong passwords and choose a secure way to receive your 2FA codes, you can protect everything that’s important in your digital life.