Every mobile phone sports a subscriber identity module (SIM) card that contains all sorts of unique information about the phone, the user, and their carrier. The critical element, however, is the subscriber phone number. If you've traveled from the US to Europe or Asia, you may have even done your own swapping out of SIM cards to be able to make calls on GSM cellular networks used just about everywhere outside North America.
That's not the kind of SIM swapping we're talking about.
What Is a SIM Swapping Attack?
By getting a mobile phone carrier to transfer a user's phone number to a fraudster's SIM card, the bad guys can access a variety of riches linked to a victim's mobile phone.
They can compromise multifactor authentication (MFA) methods that use SMS as a second factor by tapping into those SMS authorizations. From there, they can take over victims' accounts, from social media accounts to financial institutions to luxury retailers. (As a result, SMS is getting scrutinized as an element in MFA.)
While the point of SIM swapping often is to shame or humiliate, it has also been used to steal bitcoin.
How SIM Swapping Works
There are two ways to perform a SIM swap, explains Zack Allen, director of threat operations for security vendor ZeroFox.
The first method relies on social engineering of a mobile phone carrier's service rep. The second method works with a rogue employee at a mobile carrier. "There's been some SIM swapping by 'turning' an employee who performs the swap on the fraudster's behalf," Allen says.
Once disconnected from their original carrier, SIM-swap victims will no longer receive carrier-facilitated calls or text messages, notes Tanner Johnson, an analyst covering security for IHS Markit. Instead, all of those communications will be routed to the attacker. Wi-Fi will still function since that's independent of the carrier, but telephony and carrier-provided Internet capabilities will be immediately impacted, he adds.
What's the Impact?
The two most common outcomes of SIM swapping are theft of money (usually cryptocurrency) and control, which can also be monetized, according to Allen.
Most famously, a SIM swapping attack snared Twitter founder Jack Dorsey in August. The attackers remotely seized control of Dorsey's device, subsequently his Twitter profile, and posted embarrassing tweets like a repost of "Nazi germany did nothing wrong."
Further, "We've seen a lot of cryptocurrency figures attacked because of their influence," Allen adds; losses have been reported in the six-figure range and higher. "The scariest thing about SIM swapping is the information you can get once you control someone's accounts. With bitcoin, there's no fraud department to investigate or refund you your money."
He also points to the scourge of "account takeover communities" that rely on SIM swapping to make money from social media accounts. Groups like Chuckling Squad that took over Dorsey's account target important or influential users, take over their phones, and then resell the access.
So Should We Stop Using MFA?
The advent of SIM swapping has some experts questioning use of MFA and its partial reliance on unique codes delivered via SMS. Authentication, to review, relies on what you know, what you are, and/or what you have. SIM swappers found a weakness within the "what you have" part, according to ZeroFox's Allen.
"What stinks about this is people preferred MFA for authentication," he adds. "I still think MFA is great, but it's preferable to go through an authentication app or use something that's hardware-based." However those authentication methods may not be as fast or as familiar as receiving an SMS with a unique code, which bumps up against an age-old tension in security of usability versus effectiveness.
"Do not stop using MFA!" Markit's Johnson exclaims. "I cannot emphasize this enough."
How Do We Combat SIM Swapping?
Johnson cautions users away from SMS as a method of MFA, and instead to password-generating apps like Google Authenticator, Microsoft Authenticator, and Authy.
"As these are generated locally and not transmitted via text or email, they are far more robust MFA options," Johnson says. "Additionally, these apps require physical access to the phone, which I hope has a password in place to unlock it to begin with."
Johnson also likes using Google Voice as an antidote to SIM swapping since it creates a phone number tied to your Google account, not your carrier.
"Using this number as your contact for critical services will prevent any MFA text messages from being sent to a SIM-swapped device if the text/call forwarding option is inactive on the account, which is easily adjusted," he explains. Instead, if forwarding is turned off, the messages will only go to a device with the Google Voice app installed, or the corresponding email address. But the settings must be properly configured, he warns.
Customers can also take the extra step of contacting their mobile carriers and requesting additional security features, like verbal passwords, to prevent any changes being made on their account. "I have gone one step further and asked that in addition to this, no SIM-related changes can be made unless they are requested in person at a physical store location, as this will require additional ID," Johnson adds.
Mobile carriers are more aware of the threat posed by SIM swapping and are offering additional security features like verbal passwords to combat it. But mobile carriers need to significantly change their internal processes, according to Johnson. Effectively combatting SIM swapping "will require a concerted training effort to prevent their own customer service reps from falling for social engineering attempts on accounts without additional security hurdles in place," Johnson says.
- Why Multifactor Authentication Is Now a Hacker Target
- 6 Small-Business Password Managers
- Escaping Email: Unlocking Message Security for SMS, WhatsApp
- The Myths of Multifactor Authentication