Figure 1 – photo from pixabay.com

SIM-swap fraud is an increasingly widespread means for hackers to steal access to your phone number and then your identity. We will explain how SIM-swapping works and how you can keep yourself safe.

A “SIM-swap” means that a hacker has stolen access to your phone number and rerouted calls and texts to themselves instead of you. This enables them to then steal your identity. But the first step is the SIM-swap.

How Does This Work?

Your smart phone has a SIM (Subscriber Information Module) card in it, which is basically a piece of plastic with a chip in it that holds the phone number and some account data. Normally, you take a SIM card out of one phone, put it in a second phone, and then all calls to the phone number will go to the second phone instead of the first.

But if your phone is stolen or lost, you can buy a new phone with a new SIM card and ask your phone service provider to use their system to switch your phone number from the old SIM card to the new one. This reroutes all traffic to the new phone and SIM card.

Hackers take advantage of this system by pretending to be you and asking your phone service provider to switch your phone number from your SIM card to theirs.

The main factor in a SIM-swap is for the hacker to convince the victim’s service provider that they are the true account owner. To make sure they are speaking with the true owner of the phone number, the customer representative will ask some questions that require personal knowledge of the owner.

How Does This Happen?

The standard security measure for email services is to offer two-factor authentication (also known as 2FA) to make sure no one else logs into your email. Typing your password is the first factor, and the second factor is usually that the email service sends your phone a text message with a passcode in it. Then you type in the passcode and the email service lets you change the password to your account. Email services will typically ask for your phone number when you sign up for the sake of 2FA. There are other, better forms of 2FA, but the text message method is often the default setting. We’ll discuss better methods later.

When the hacker has your phone number, THEY will receive the text message with the passcode, not you.

Therefore, because the hacker does not know your password, they can click on the “Forgot My Password” option and, as we just noted, usually the default security measure is for the email provider to send a text message to your phone with a unique code number that is needed to log in. Because the hacker SIM-swapped your phone, the security text will go to the hacker’s phone instead of yours. After logging in, the hacker can reset your password, so you are locked out of your account.

Unfortunately, this is only the beginning. The “Forgot My Password” option on the rest of your accounts (think of your credit cards, social media, bank, etc.) is usually set by default to send a link or code to your email or phone. After taking over your email, the hacker can gain access to your other accounts and lock you out.

If you are a manager or a business-owner, the threat is not just against you personally. If your employees are targeted, a hacker could use an employee’s account to potentially gain access to your business network.
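The chain described above (phone number, then email, then everything that resets through email) can be checked against your own accounts. The following is an added example, not part of the original article; the account names and their reset channels are a constructed sample inventory.

```python
from collections import deque

# Constructed sample inventory (not from the article). Each account lists the
# channels able to reset its password: "sms" is a code texted to the phone
# number, "totp" is an authenticator app on the handset, and any other value
# is the name of another account in this inventory (e.g. a reset link to email).
ACCOUNTS = {
    "email":       ["sms"],
    "bank":        ["email"],
    "social":      ["email", "sms"],
    "credit_card": ["email"],
    "payroll":     ["totp"],
}

def sim_swap_exposure(accounts, hijacked=("sms",)):
    """Map each account that falls after a SIM swap to the reset chain used."""
    controlled = set(hijacked)
    chains = {}
    queue = deque((channel, [channel]) for channel in hijacked)
    while queue:  # breadth-first, so each recorded chain is a shortest one
        channel, chain = queue.popleft()
        for name, reset_via in accounts.items():
            if name not in controlled and channel in reset_via:
                controlled.add(name)
                chains[name] = chain + [name]
                queue.append((name, chains[name]))
    return chains

def with_reset(accounts, **changes):
    """Return a copy of the inventory with some accounts' reset channels replaced."""
    return {**accounts, **changes}

if __name__ == "__main__":
    scenarios = {
        "default settings": ACCOUNTS,
        "email moved to authenticator": with_reset(ACCOUNTS, email=["totp"]),
        "email and social hardened": with_reset(
            ACCOUNTS, email=["totp"], social=["email"]),
    }
    for label, inventory in scenarios.items():
        print(label)
        for name, chain in sim_swap_exposure(inventory).items():
            print("   " + " -> ".join(chain))
```

Moving only the email account off text messages still leaves any account that accepts an SMS reset directly, which is why the second scenario still lists one exposed account.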

Figure 2 – photo from unsplash.com

How They Do It

Consider a hypothetical hacker who knows only your phone number. Even if you never post any information about yourself on social media, a hacker is still able to find enough relevant information about you to pull off a successful SIM-swap while relying only on publicly available sources.

To start with, the hacker needs to know which service provider to call. They can use websites like Free Carrier Lookup, which will identify any phone number’s service provider for free.

The next step is to find out enough information about you to pass the security questions.

A January 2020 study from Princeton University proved it is generally easy for someone, such as a hacker, to call a phone carrier service and pretend to be the owner of someone else’s phone number. The standard practice is for the phone service representative to ask the caller, here the hacker, a few questions about the phone’s true owner. The hacker just needs to do some research on the phone number, by using the methods described below, and then they will be able to correctly answer enough of those questions to “prove” that they are the true owner.

How They Find Your Personal Information

There are several free websites (truepeoplesearch.com, fastpeoplesearch.com, thatsthem.com, freepeoplesearch.com) that reveal personal information about any phone number’s user.

Figure 3 – photo from fastpeoplesearch.com

To showcase how this works, I chose a random phone number to research as an example. Below you see the initial results revealing the user’s name, month and year of birth, and address.

Figure 4 – photo from fastpeoplesearch.com (with partially redacted information)

If we scroll down, we see the user’s email address, as well as former addresses and approximate dates when they lived there. If we click on any of these data points (names, phones, addresses, email) the site will show all other data points associated with it, which enables a hacker to delve further and further into the victim’s background.

Figure 5 – photo from fastpeoplesearch.com (with partially redacted information)

The site lists “possible relatives,” which are likely identified based on whether these people were registered to the same phone or address during the user’s childhood years.

Figure 6 – photo from fastpeoplesearch.com (with partially redacted information)

Finally, in the screenshot below you see how one site explains why it believes it has identified the phone owner’s spouse.

Figure 7 – photo from fastpeoplesearch.com (with partially redacted information)

How to Stay Secure?

The best measure you can take to stay safe is to obtain quality security education for you and your colleagues to be aware of the tactics that are out there. You should consider making your business networks more secure by reaching out to Cyber Security Crusaders for assessment services with actionable steps. Just go to cybersecuritycrusaders.io to contact us or learn more.

The following steps are effective against these threats. If you own a company, you can start by educating your workforce on the risks and then set up the following safety measures for your employees.

1 – Most phone service providers will let you set up a password to use in case your phone is lost or stolen. If you choose to use this method, consider getting a password manager (such as Bitwarden, NordPass, or Dashlane).

2 – Start using an authenticator as your 2FA instead of text messages. If you have an authenticator app, it will stay on your physical phone even if your phone number is transferred to another phone. If your physical phone is stolen, you can reset the authenticator on a new phone by using a pre-set password (which is one more reason to get a password manager).

3 – Sign up for a free account on a data breach website like HaveIBeenPwned.com that will notify you as soon as your phone number or other information appears in a data breach so that you know to change your password.

These safety measures are straightforward and convenient. This article might be frightening, but you can stay safe with good security education and some simple measures.