Today’s smartphone is more like a personal digital fingerprint than just a phone. It carries your personal and business history, including financial information (think banking, passwords, and credit card information); information about your associates and family members; and stores your location. If you’re like most people, you keep your phone close, it’s in your pocket, fanny pack, or bedside table. So how is it that cybercriminals can lock you out of your phone and literally steal your financial life and personal identity? It’s called SIM swapping.
You’ve probably heard of a SIM card but may not know its purpose. A SIM (subscriber identity module) card is a tiny memory chip that stores information about a cell phone and its owner and can be used as a storage device for messages, contacts, and emails. It's also necessary to connect your phone to the carrier network, allowing you to make phone calls and send text messages.
SIM cards are transferrable, meaning they can be taken out of one phone and put into another, and it should work as long as the mobile carriers are the same.
If your phone is lost, stolen, or damaged, your provider can electronically switch your information from one SIM card to another.
Unfortunately, something that was meant to make your life easier can be used by cybercriminals to steal your personal information.
There are several methods hackers use to carry out a SIM swap:
- Social engineering - If a criminal has enough personal information about their victim, they can sometimes convince a mobile provider that they own the SIM card. They will tell the carrier that it has been stolen, lost, or damaged. The carrier then switches the phone number and all other data to a card the criminal holds.
- Insider - Sometimes, an employee of a phone provider is paid off by criminals to carry out a SIM swap.
- Phishing - Employees of a mobile carrier can be deceived into downloading malware onto their systems at work. If the program they use to perform SIM swaps is compromised, a hacker could carry out the act themselves.
Stranger Danger
Once the information on a SIM card is swapped, calls, texts, and other data goes to the criminal's device instead of yours.
Many online accounts use multifactor authentication to confirm your identity or password recovery by sending an SMS text to a phone number on record. With SIM swapping a criminal can go to an account and reset your passwords, get the SMS to confirm their identity, leaving you helpless.
How to Protect Yourself
You can take several steps to prevent becoming a target of SIM swapping.
- Protect your personal and financial information. Don’t provide personal or financial information on social media or other unsecured websites.
- Set up a PIN with your carrier to confirm your identity before changes are made to your account. If someone contacts you regarding your mobile account and requests your password or PIN, hang up and call the customer service number to ensure you speak to someone legitimate.
- Use authenticator apps, biometrics, or physical tokens instead of SMS multifactor authentication on your accounts. Finally, don't store usernames and passwords for easy login on your mobile devices.
If Your SIM Has Been Swapped
You may be a victim of SIM swapping if you lose service on your phone, both texting and calling, or if you receive a text saying your SIM card for your phone number has been changed.
If you believe you are a target, do the following immediately:
- Call your mobile carrier. Inform them your account may have been hacked and ask about any recent activity.
- Change your passwords of any accounts that were accessible via your phone.
- Check with your bank or credit card companies for unauthorized activity or charges.
- If you believe your Social Security Number and bank accounts are compromised, go to IdentityTheft.gov and file a report.
Resources: