How SIM Swap works and why it is dangerous

Among the cyber attacks carried out against modern mobile phones, the most dangerous of all is without a doubt the SIM Swap: a targeted and well-engineered attack in which cybercriminals or digital thieves take over the phone number associated with a specific person and steal the identity tied to the SIM, nullifying every SMS-based two-factor security system active at that moment (many sites now ask users to activate this kind of protection).

In this guide we look at how the SIM Swap works, what makes it so dangerous for our mobile phones, how we can tell that we are the victim of a SIM Swap attack, and what we can do to avoid it. The attack can cause serious trouble for holders of current accounts and e-commerce accounts, and in general for anyone with an account protected by two-factor authentication.

As can be guessed, this type of attack is very complex to carry out, but once we are hit it becomes very difficult to get our phone number back, and every service in which we used it is compromised. It is therefore worth paying close attention to the following chapters, so as to be fully aware of the danger and avoid the SIM Swap.

What is SIM Swap

SIM swapping is the cyber attack in which an attacker illegally obtains a SIM card carrying our phone number.

The possibility of changing SIM while keeping the same number exists for legitimate purposes: when the original SIM card malfunctions, breaks or is lost (in many cases along with the phone), we can go to any of the operator's shops or apply online for a replacement SIM. The operator provides the new SIM and moves the telephone number to it, deactivating the old card (wherever it is).

The same procedure can be abused by an attacker: the criminal obtains a SIM with the victim's number through a shop or online, posing as us. In most cases the exchange is successful and we find our legitimate SIM disconnected from the network, since our operator now considers it disabled.

Getting hold of the victim's number is the culmination of a much larger and more dangerous attack. Before doing the SIM Swap, the attacker has already obtained the access credentials to one of our services where money moves (bank account, Amazon account or PayPal account), using phishing messages, fake calls or spam emails. With these credentials in hand, the attacker carries out the SIM Swap to bypass the two-factor authentication system, obtaining the security code that normally arrives on the telephone number associated with the service … pity that in the meantime this number has been literally stolen! To complete the exchange, the attacker needs either the complicity of an operator shop (which starts portability without even checking documents, or trusts false documents) or vulnerabilities in the online SIM change system, where it is enough to provide the documents (these also stolen) to start the automatic portability procedure to the new SIM.

Often the attack is conducted so quickly that the legitimate user has no time to block two-factor authentication on financial services: a few minutes after the SIM Swap, the current account is drained or transactions are initiated on PayPal or Amazon (with discount coupons bought with our money and redeemed by unknown users).

What can we do to avoid SIM Swap?

AGCOM has forced all mobile operators to provide much more effective tools to stop SIM swaps, but the risk remains real for all users who use their telephone number to access banking services. To limit the risk of SIM Swap, we recommend that you follow these tips:

  • We avoid entering the telephone number on public profiles: the phone number is personal and should not be exposed on Facebook or other social networks, since an attacker could immediately retrieve it and prepare the trap needed to obtain the login credentials of a current account.
  • We use authentication apps instead of SMS: we advise you to use an authentication app for 2FA, such as Google Authenticator. These apps generate a time-based security code synchronized with the current time, offering a very secure method of logging in with two-factor authentication.
  • We use an email verification system: instead of receiving the code via SMS, we can receive the same code on a secure email account such as Gmail or Outlook, using pre-printed codes as a security system for these services (so that access can always be recovered in an emergency).
  • We deactivate the sending of codes via SMS to the bank: if the bank allows it, we configure secure two-factor access via the bank app, which can use the phone's fingerprint reader or a secret PIN to authorize all logins and transactions, effectively making SMS sending obsolete.

Alongside these tips we advise you to be very careful with fake emails or phishing emails: remember that the attacker can do nothing with our phone number if he does not already have the credentials of the current account in hand! To prevent phishing and spam emails, we recommend that you read our guides How to avoid SMS scam and spam and Recognize fake, scam, non-genuine emails.

Conclusions

SIM Swap can be very dangerous if carried out after a phishing attack or after a data leak involving our account: it takes very little to find ourselves with the legitimate SIM not working and, a few minutes later, the current account emptied of all the money we had painstakingly saved up. The operators are strengthening the procedures for changing the SIM in case of theft or loss but, if well organized, the bad guys can still carry out SIM Swapping, so it is better to disable authentication via SMS codes where possible and enable two-factor authentication via an Authenticator app or via email codes.

To learn more about the security aspect of two-factor authentication, we recommend that you read our guides Sites/apps where you can activate two-step password verification and Best apps to generate OTP, for secure access to sites.
