What Is SIM Swapping?

With the growth of multi-factor authentication (MFA), smartphones have become a critical part of an organization’s cybersecurity risk management strategy. One of the most common methods for implementing MFA is sending a one-time code to a smartphone via SMS.

SIM swapping attacks pose a serious threat to SMS-based MFA systems and mobile security, especially with the growth of remote work and bring your own device (BYOD) policies. By stealing a user’s phone number, an attacker gains access to a trusted part of a user’s identity.

Download The Mobile Security Report Schedule A Demo

What Is SIM Swapping?

What is SIM Swapping?

A subscriber identity module (SIM) card is the physical card that associates a cell phone number with a particular device. Phone numbers are linked to a particular SIM card, making it possible for users to change or upgrade phones simply by moving the card from one device to another.

In a SIM swapping attack, an attacker transfers a mobile phone account and phone number to a new SIM card. Since this new SIM card is under the attacker’s control, they can insert it into a device and send or receive SMS messages and phone calls directed to the victim.

A SIM swapping attack can have significant impacts on the security of the victim and their friends, families, and coworkers. Some of the potential impacts of a SIM swapping attack include:

  • MFA Bypass: For accounts using SMS messages for MFA, SIM swapping provides the attacker with control over the second factor used for account access. If the attacker can guess the password associated with the account or have a reset link texted to them, they can take over the user’s account.
  • Impersonation: Some organizations, such as financial institutions, use a trusted phone number to verify a user’s identity. For example, a new credit card may only be activated from a certain phone. A SIM swapping attack could allow the attacker to impersonate the victim, creating opportunities for fraud and theft.
  • Smishing and Vishing: After a SIM swapping attack, the attacker can make calls or send texts from the victim’s number. This can be used in smishing and vishing attacks to trick coworkers into leaking sensitive information or opening malicious files.

How Does SIM Swapping Work?

A user’s mobile account is linked to a particular SIM card, so possession of that SIM card equates to control over that account. However, the potential for lost or stolen devices (and SIM cards) and phone upgrades means that mobile providers will allow an account to be transferred to another SIM card.

Before transferring a mobile account to a new SIM card, the mobile phone provider should perform some identity verification. This may include asking to see a driver’s license or requesting an account PIN number or the last four digits of the owner’s Social Security Number (SSN) or other personal information.

However, sometimes this verification is not performed by a trained specialist. A story about forgetting the account PIN number and asking for an alternative form of verification is likely to succeed. Since the last four digits of a person’s SSN, their past addresses, and other identifying information have likely been leaked in a data breach, the attacker can presumably answer the question and successfully authenticate as the user.

After identity verification, the mobile provider will swap the victim’s account over to a new SIM card. Once the attacker has inserted this card into their mobile phone, they now own the victim’s phone number.

How Can You Tell If You’ve Been Swapped?

After a SIM swapping attack, the victim’s phone number is transferred to the attacker. This means that they will no longer receive calls or texts to that number.

If this lack of calls and texts is not enough to make the attack evident, then a SIM swapping attack may be detected based on emails about changed accounts. An attacker will likely take advantage of the swapped SIM to bypass MFA and reset passwords on online accounts, and these accounts will likely send notifications via email.

How to Prevent SIM Swapping

Mobile providers may have protections in place against SIM swapping attacks. The best way to protect against these attacks is to call your provider and ask what solutions are available or in place already. Often, you can set a PIN that will be required to modify your account.

Beyond protecting against the SIM swapping attack itself, it is also possible to mitigate the effects of these attacks. Some ways to do so include:

  • Alternate MFA: SMS-based MFA has many security issues that are not limited to its vulnerability to SIM swapping attacks. When possible, choose an MFA option that does not rely on SMS messages.
  • Stronger Passwords: SIM swapping only helps an attacker to intercept the one-time code sent via SMS. Using a random, unique password makes it harder for an attacker to breach an account even if they have the one-time code.
  • Secure Social Media: The answers to the questions asked during a SIM swapping attack may be publicly visible on social media. Lock down social media sharing settings and limit the public information exposed online.

Protect the Mobile Device With Harmony Mobile

SIM swapping is one of many threats to personal and professional mobile device security. To learn more about the current state of the mobile threat landscape, check out Check Point’s Mobile Security Report.

Mobile security solutions can help mitigate risk to an organization’s mobile devices. Find out what to look for in a solution in this buyer’s guide to mobile security. Then, sign up for a free trial of Check Point Harmony Mobile to learn how it can protect your organization’s mobile devices.

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.