With the growth of multi-factor authentication (MFA), smartphones have become a critical part of an organization’s cybersecurity risk management strategy. One of the most common methods for implementing MFA is sending a one-time code to a smartphone via SMS.
SIM swapping attacks pose a serious threat to SMS-based MFA systems and mobile security, especially with the growth of remote work and bring your own device (BYOD) policies. By stealing a user’s phone number, an attacker gains access to a trusted part of a user’s identity.
A subscriber identity module (SIM) card is the physical card that associates a cell phone number with a particular device. Phone numbers are linked to a particular SIM card, making it possible for users to change or upgrade phones simply by moving the card from one device to another.
In a SIM swapping attack, an attacker transfers a mobile phone account and phone number to a new SIM card. Since this new SIM card is under the attacker’s control, they can insert it into a device and send or receive SMS messages and phone calls directed to the victim.
A SIM swapping attack can have significant impacts on the security of the victim and their friends, families, and coworkers. Some of the potential impacts of a SIM swapping attack include:
A user’s mobile account is linked to a particular SIM card, so possession of that SIM card equates to control over that account. However, the potential for lost or stolen devices (and SIM cards) and phone upgrades means that mobile providers will allow an account to be transferred to another SIM card.
Before transferring a mobile account to a new SIM card, the mobile phone provider should perform some identity verification. This may include asking to see a driver’s license or requesting an account PIN, the last four digits of the owner’s Social Security Number (SSN), or other personal information.
However, sometimes this verification is not performed by a trained specialist. A story about forgetting the account PIN and asking for an alternative form of verification is likely to succeed. Since the last four digits of a person’s SSN, their past addresses, and other identifying information have likely been leaked in a data breach, the attacker can likely answer the question and successfully authenticate as the user.
After identity verification, the mobile provider will swap the victim’s account over to a new SIM card. Once the attacker has inserted this card into their mobile phone, they now own the victim’s phone number.
After a SIM swapping attack, the victim’s phone number is transferred to the attacker. This means that the victim will no longer receive calls or texts to that number.
If this lack of calls and texts is not enough to make the attack evident, then a SIM swapping attack may be detected based on emails about changed accounts. An attacker will likely take advantage of the swapped SIM to bypass MFA and reset passwords on online accounts, and these accounts will likely send notifications via email.
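The detection signal described above (a cluster of password-reset and MFA-reset notifications from several services in a short period) can be checked mechanically. The following is an added example, not code from the original article or from Check Point; it parses a constructed notification log (ISO 8601 timestamp, service name, event kind, all made up for this example) and flags any window in which account-recovery events hit two or more distinct services, which is the pattern an attacker bypassing SMS-based MFA after a SIM swap tends to leave behind.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Event kinds that typically follow a SIM swap, when the hijacked number is
# used to pass SMS-based MFA and take over online accounts. The names are
# assumptions for this example, not a real provider's event taxonomy.
RECOVERY_EVENTS = {"password_reset", "mfa_reset", "recovery_phone_changed"}

# Constructed sample log: one notification per line, "timestamp, service, kind".
SAMPLE_LOG = """
# constructed sample data for this example
2024-03-01T09:02:00, email-provider, login_new_device
2024-03-01T13:10:00, email-provider, password_reset
2024-03-01T13:14:00, bank, mfa_reset
2024-03-01T13:31:00, social-network, password_reset
2024-03-02T08:00:00, email-provider, login_new_device
"""


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    service: str  # which online account sent the notification
    kind: str     # e.g. "password_reset", "login_new_device"


def parse_events(text: str) -> List[AccountEvent]:
    """Parse the comma-separated log format used above, skipping blank and
    comment lines, and return the events in chronological order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, service, kind = (part.strip() for part in line.split(","))
        events.append(AccountEvent(datetime.fromisoformat(ts), service, kind))
    return sorted(events, key=lambda e: e.when)


def find_recovery_bursts(
    events: List[AccountEvent],
    window: timedelta = timedelta(hours=2),
    min_services: int = 2,
) -> List[Tuple[datetime, datetime, List[str]]]:
    """Return (start, end, services) for each window in which recovery events
    arrived from at least `min_services` distinct services within `window`.
    A single reset is normal; several across unrelated services in two hours
    is the pattern a SIM swap followed by account takeovers produces."""
    recovery = [e for e in events if e.kind in RECOVERY_EVENTS]
    bursts = []
    i = 0
    while i < len(recovery):
        start = recovery[i].when
        # events are sorted, so the window is a contiguous run from i
        group = [e for e in recovery[i:] if e.when - start <= window]
        services = sorted({e.service for e in group})
        if len(services) >= min_services:
            bursts.append((start, group[-1].when, services))
            i += len(group)  # skip past this burst
        else:
            i += 1
    return bursts


def detect(text: str) -> List[Tuple[datetime, datetime, List[str]]]:
    """Convenience entry point: parse a log and return the flagged bursts."""
    return find_recovery_bursts(parse_events(text))


if __name__ == "__main__":
    for start, end, services in detect(SAMPLE_LOG):
        print(f"possible SIM swap: {len(services)} services reset between "
              f"{start.isoformat()} and {end.isoformat()}: {', '.join(services)}")
```

The thresholds (two hours, two services) are starting points for a personal or help-desk triage script rather than tuned values; the useful property is that the rule keys on the cross-service clustering of recovery notifications, which a legitimate user rarely produces, rather than on any single reset.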
Mobile providers may have protections in place against SIM swapping attacks. The best way to protect against these attacks is to call your provider and ask what solutions are available or in place already. Often, you can set a PIN that will be required to modify your account.
Beyond protecting against the SIM swapping attack itself, it is also possible to mitigate the effects of these attacks. Some ways to do so include:
SIM swapping is one of many threats to personal and professional mobile device security. To learn more about the current state of the mobile threat landscape, check out Check Point’s Mobile Security Report.
Mobile security solutions can help mitigate risk to an organization’s mobile devices. Find out what to look for in a solution in this buyer’s guide to mobile security. Then, sign up for a free trial of Check Point Harmony Mobile to learn how it can protect your organization’s mobile devices.