Within the last few years, SIM swapping attacks have increased dramatically as access to cheap phones and SIM cards has grown easier and the use of phone numbers for website authentication has become more widespread. Victims could easily have no idea until it’s too late, making SIM swap attacks dangerous and frightening. Luckily, there are simple mitigation strategies that can help would-be victims significantly cut down on potential threats.
What is a SIM Swap Attack?
A SIM swap attack, also known as SIM-jacking or SIM hijacking, is a social engineering attack against cellular carriers to replace the SIM card associated with the victim’s phone with an attacker’s SIM card. This reroutes all texts and calls to the attacker’s phone and deactivates the victim’s mobile service. Attackers commonly use this strategy to defeat two-factor authentication roadblocks and gain access to bank accounts, email, company-issued devices, and any other account that uses a phone number for password recovery or two-factor authentication.
How Are SIM Swap Attacks Executed?
An attacker will first identify a target and collect personal info that can be used to answer security questions from data dumps, public social media profiles, and sometimes spear phishing attacks. Once the attackers have enough info, they call the cellular carrier posing as the victim and convince them to perform a SIM swap using collected personal info to answer any verification questions. After the attackers have successfully achieved a SIM swap, they can use the phone as a trusted authentication method to reset passwords for the victim’s accounts, and defeat security questions along with other easily collected background information. Email accounts can be a goldmine for attackers – with that access, they can compromise any number of a victim’s accounts. Attackers that manage to compromise both email and phone accounts can therefore compromise almost any account if the victim hasn’t set up alternative Multi-Factor Authentication (MFA).
Mitigating SIM Swapping Attacks
Mitigating SIM swapping attacks is difficult due to the nature of the attack. Since SIM swappers are technically attacking the carrier and not the victim directly, the victim can’t do much to directly prevent a SIM swapping. That said, there are still effective ways to prevent attacks and minimize damage from a potentially successful SIM swap.
Secure Your Cellular Carrier Account
Many cellular carriers provide the option to set an account PIN – in fact, all major US carriers (i.e. AT&T, Sprint, and Verizon) provide this option. Once set up, a carrier will ask for your PIN before making any changes to your account, effectively stopping a potential SIM swap attack in its tracks. Account PINs are currently the only reliable method for directly blocking a SIM swap attack. Enforcement of the PIN system is ultimately up to the carrier’s call center, so the recommendation is to combine this mitigation strategy with others in case the carrier call center drops the ball. Setting up a PIN is usually quick and easy, but the process can differ by carrier. Be sure to contact your carrier to learn how to set up a PIN.
Use Alternate MFA
Phone numbers are often used as the default method for MFA, but that’s not the most secure option. Using an alternative form of MFA that is unable to be easily hijacked (e.g. an authenticator app) is a great alternative. If a SIM swap is successful, limiting the number of accounts that an attacker can access using a phone number is the best way to reduce the scope of the attack and minimize the volume of accounts impacted.
Limit Publicly Shared Personal Information
Limiting the amount of publicly shared personal information can make it significantly more difficult for an attacker to guess security questions and impersonate you on a scam call to a carrier. Set social media accounts (e.g. Facebook, Instagram, etc.) to private, or mark private any posts containing personal info that can be used to answer security questions. Do not publicly advertise services or account names, as these can be used by attackers to target accounts. This can include email addresses, banks or financial services, and other info that can be used to identify accounts. If an attacker doesn’t know what services and accounts to attack, it’s harder to successfully leverage a SIM swap to compromise accounts.
SIM swap attacks can seem scary at first, but with the proper mitigation strategies in place the risk of the attacks can be significantly reduced. If your phone suddenly drops service and you believe that you may have been a victim of a SIM swap attack, call your carrier immediately. If you or your organization is interested in integrating MFA and Zero Trust architecture to prevent attacks like SIM swapping, contact NuHarbor Security today.
by: Hayley Froio
Information Assurance Team Member at NuHarbor Security
Follow us on Social Media for more information: