What is a SIM Swapping Attack?
You just set up multi-factor authentication (MFA) to further protect your online bank account. Success! No one else can log into your bank account without your phone…right? By performing a SIM swapping attack, an attacker can gain access to your MFA.
SIM Swapping Attack
SIM swapping attacks rely on social engineering. An attacker contacts the victim’s wireless service provider (AT&T, Verizon, T-Mobile, etc.) and convinces, sometimes bribes, or simply tricks the provider into believing the attacker is the legitimate customer. The attacker can then request that the victim’s phone number be assigned to a new SIM card or phone. In effect, the attack transfers, or ports, the phone number from the victim’s phone to the attacker’s. Once it succeeds, the attacker’s phone receives the calls and text messages intended for the victim.
For example, John owns a Samsung Galaxy on the AT&T network. Bob wants to perform a SIM swapping attack on John. First, Bob must either gather sensitive data about John or use social engineering techniques to persuade AT&T. Bob calls AT&T, posing as John. AT&T believes Bob and proceeds to carry out whatever he requests. Bob explains that he purchased a new iPhone and would like to transfer the phone number from his old phone (John’s actual Samsung Galaxy) to his new iPhone. Since they believe it is John, AT&T of course executes the request. Bob has now successfully carried out a SIM swapping attack and receives all text messages and calls intended for John’s Samsung Galaxy.
More than just conversations travel over calls and text messages. One of the most common forms of multi-factor authentication delivers one-time codes over SMS, and sometimes over voice calls.
So if an attacker receives all of your calls and text messages, they also receive every MFA code sent to that number. With the correct login credentials and access to those MFA messages, an attacker can breach accounts you thought were secure.
Staying Protected and Aware
Recently, attackers have used SIM swapping as an additional technique to gain further access into systems. Attackers have drained bank accounts, stolen highly sensitive data, and caused a great deal of harm using this type of attack.
The most obvious sign that you are a victim of SIM swapping is a sudden loss of service: no signal, no texts, and no calls on your phone. If an attacker has transferred your number, your phone will no longer be on the wireless service provider’s network.
To stay protected, go to your wireless service provider’s account settings. Inside the security settings you can manage enhanced security options. Some providers require you to call them in order to establish enhanced login security.
- Do not rely on cell phone verification for sensitive accounts like banking or medical logins
- Remove your phone number from accounts that don’t necessarily need one
- Avoid sharing personally identifiable information (PII) on social media
- Turn on two-factor or multi-factor authentication to increase account security, using a method other than SMS where possible
- Set up a PIN for your cell phone account
- Regularly update passwords / use different passwords for different sites