We’ve all heard of identity theft. But have you heard of SIM theft? This new trend in identity theft relies on the fact that consumers are becoming more and more reliant on our phones to authenticate our identity. It combines phone technology, social engineering, and classic phishing scams to drain your bank account. But banks and cell phone carriers are catching on, and there are some simple ways you can protect yourself.
What Is a SIM Card?
A SIM card is a small chip used in GSM cell phones (which is most phones) to authenticate a user’s subscription to a particular carrier. Without a SIM card, the phone cannot connect to a mobile network. SIM swap fraud occurs when an identity thief convinces a mobile phone carrier to issue them a SIM card for an account that they don’t own.
Social engineering is a decidedly low-tech form of hacking. Instead of using some complex computer program to crack a code or reveal a password, social engineering relies on the fact that real humans are often less secure than a password or PIN. In the case of SIM swapping, this is how it works:
First, an attacker collects as much data as possible about a potential target. That might include full names, birthdates, addresses, and phone numbers. Other data you might use to identify yourself, such as your mother’s maiden name, your first school, or the street you grew up on can be useful, too. There’s no technical wizardry involved in collecting this data. Instead, attackers can glean information from social media, public records, and data dumps sold by criminals who specialize in selling personal information.
Some information can even be gathered directly from the victims using phishing scams. Phishing scams are emails that appear to be from legitimate businesses that try to get you to turn over personal information. Attackers may also use phone scams, in which a caller pretends to represent some legitimate business or offer a legitimate service, but really just wants to get some personal information out of you. (Learn more about phone scams and caller ID spoofing here.)
Once an attacker has collected enough data, the real social engineering begins. The attacker will call a mobile service provider and claim that their SIM card has been lost or damaged. Then, the attacker will attempt to have the mobile carrier activate a SIM card in the attacker’s possession for that account. Normally, a mobile carrier won’t activate a new SIM card or even allow access to an account without verifying the caller’s identity. However, the social engineering attacker comes prepared with plenty of information to spoof their way past the mobile carrier’s phone representative. Social engineering relies on the fact that it is much easier to talk your way past a human than it is to crack a password.
With a SIM card linked to the victim’s account, an attacker can start accessing all sorts of sensitive accounts, especially bank accounts. Many consumers use their phones as a way to verify their identity with their banks. To reset a password, a passcode is sent to the consumer’s phone via SMS messaging. With their activated SIM card, the attacker can read your SMS messages and easily reset passwords to access bank accounts.
Most banks have automated systems to detect unusual activity, like draining an account. To avoid this, attackers will set up parallel accounts. The attacker opens a second account at the victim’s bank using the stolen identity. Often it is easier to open up an account at a bank where the victim already has an account. Then the attacker can transfer money from one account to the other without raising any suspicion of unusual activity. It just looks like the victim is moving money between their accounts.
Protecting Yourself Against SIM Swapping Fraud
By the time you notice the fraud, it is often too late. Most victims only find out they have been compromised when they go to make a call or send a text and find that they have no service. The lack of service occurs because the attacker deactivated the victim’s SIM card and replaced it with their own.
One way to avoid SIM swap fraud, and identity theft in general, is to be discreet with your personally identifying data. Don’t put out identifying media on social media platforms. Also, learn to recognize phishing scams. If you can tell that an email is fake, you won’t be tempted to give out potentially useful information to an identity thief. The same goes for phone scams. Never give out personally identifying information, or even your full name, without first confirming who the caller is and why they are calling. Most legitimate companies will not make unsolicited calls requesting personal information from you.
In addition to protecting your personal information, many carriers have implemented optional additional security options that can help thwart would-be identity thieves.
- AT&T - Log into your AT&T web dashboard or your myAT&T app. From there, you can turn on “extra security” and set a passcode that will be required for any interaction with an AT&T representative on the phone or online.
- Verizon - Log in and edit your online account profile, call a Verizon representative, or visit a Verizon store to set your account PIN.
- Sprint - When you set up your service you will be asked to set a PIN and some security questions.
- T-Mobile - Visit a T-Mobile store or call T-Mobile support to set a “care password” that will be required anytime you attempt to access your T-Mobile account by phone.
You should also avoid using SMS for any communication you want to keep even slightly private. SMS (the standard texting app on most phones) is not secure. You can use an app like WhatsApp, iMessage, and many other encrypted messaging apps to send information more securely.
A little common sense can go a long way. Social engineering relies on humans who are tricked into giving up information and access to accounts. This works because you can convince a human to trust you more easily than you can crack a password. Be diligent and keep your personal information private. Don’t fall prey to social engineering.