Authorities Warn That SIM Swapping Could Help Hackers Take over Personal Devices and Accounts
SIM swapping is not a new scam method, but it is often overshadowed in cybersecurity news by other high-profile hacks and data thefts. Also, regular users often have this idea that their accounts and devices are relatively safe because they’re not as important as social media stars or entertainment business celebrities. However, that couldn’t be farther from the truth. Maybe you don’t have traffic-stopping nudes saved in your drafts, but it doesn’t mean that you can’t become a SIM swapping victim, too.
How does SIM swapping work?
What comes to mind when you hear the term “SIM swapping”? You probably imagine someone stealing your SIM card. Or maybe it makes you wary of changing SIM cards when you’re on vacation abroad. Could a pre-paid SIM card be the source of all evil?
If that’s your main concern, you can breathe a sigh of relief. That’s not how SIM swapping works. The truth is that the crooks that employ this scam do not even need to get anywhere near your phone. SIM swapping is actually an account takeover, and it exploits a weakness in two-factor authentication. Indeed, multi-factor authentication and two-factor authentication have been increasingly promoted as a progressive step towards higher security standards, but even these authentication systems have weaknesses that can be exploited.
Needless to say, there are several steps to this scam, and it also relies on the ability to port a telephone number to a different SIM. In fact, porting phone numbers to new SIM cards is essential if you have lost your phone, but you want to keep on using your old number. When you ask the service provider to port your number to a different SIM, you need to verify your identity.
This is where the scammers step in. When they launch a SIM swapping scam, they already have enough of your personal details to convince the service provider that they are you. Now, where do they get that personal information? The truth is that there are many ways to steal personal data. They might get it through phishing emails, trick you into revealing your personal information via social engineering, or maybe simply buy that information from hackers who have already stolen your online footprint.
With all this information at their fingertips, scammers can port your telephone number to their SIM card, thus completing the SIM swapping operation. And once that happens, they successfully cut you off from the mobile network, and they can take over all of your text messages and phone calls. What’s more, if you use one-time passwords for two-factor authentication, the fraudsters can receive all of those passwords on their phone and access your bank and social media accounts.
SIM swapping is far more common than most users realize. This method is used for high-profile Instagram takeovers, cryptocurrency thefts, and other criminal operations that steal thousands of dollars from exposed bank accounts. And sometimes, even knowing how SIM swapping works might not be enough to avoid it. Security experts say that if the hacker is determined and skilled, there might not be much one can do to prevent the scam.
Potential security measures
Nevertheless, there are always certain steps you can take to make hackers' lives harder. Some of them might seem really simple, but the truth is that users often forget the most basic aspects of cybersecurity.
First, you should not share sensitive personal information on social media. You would probably never think of sharing your passport photo in public, so why would you ever share your date of birth? Second, you must avoid interacting with phishing emails and text messages. If an email or a message requires you to confirm your password or update your account information, you should double-check whether the notification is real. If you haven’t requested a password reset, the message you have received is clearly fake.
Using a password manager can also improve your overall cybersecurity level. You wouldn’t have to think of passwords yourself, and it would definitely prevent you from recycling passwords across different accounts.
Aside from that, depending on your carrier, you can add a PIN or a passcode to your mobile account. Major service providers in the United States offer such an option. Each service has different methods that can be applied to protect your account. Security experts point out that this additional level of security might not be enough to protect you from insider threats, but it is yet another piece in the puzzle that hackers need to acquire in order to reach your account. Hence, it is a good idea to consider using it.
While SIM swapping exploits two-factor authentication that relies on text messages, there are other ways to employ two-factor authentication, too. For example, you could use an authentication app instead. There are multiple reliable apps out there that can provide that additional barrier for your account’s security. There are even physical authentication methods, where you can use a USB key as an authentication token each time you log in to your account. On the other hand, it is questionable whether users would willingly use third-party tools and applications. Not to mention that not all services might support such security measures.
That one extra mile
Although using the same username and the same phone number across different accounts is convenient, it is not exactly safe. Hence, security experts recommend using a different phone number for the more sensitive accounts. If you keep that number secret and do not share it, it will be easier to avoid the SIM swapping scam.
Again, this might not be worth it for most of the users who are more focused on ease of access and efficiency. Hence, we just have to remain careful and vigilant. The rest is up to app developers and service providers, as they scramble to come up with a universal scam-proof authentication method.