SIM swapping: what it is and how this fraud works

SIM swapping is a type of fraud that allows criminals to steal your identity by hijacking your phone number through a duplicate of your SIM card.

Unfortunately, not everyone is aware that our mobile phone holds something of great interest to criminals, something that can turn data theft and identity theft into the theft of money from our bank account or cryptocurrency wallet.

The phases of SIM swapping

This technique is not the consequence of a security breach in our devices, but of the lack of strict verification protocols when a copy of our SIM card is requested. It is also used together with other social engineering techniques, since what criminals seek in this case is access to the verification codes that companies, platforms and banks usually send to our mobile devices.

In the first phase, criminals try to obtain the user's credentials, normally those for online banking to maximize the economic benefit, although, as we will see later, this is not the only objective. Credentials are usually stolen with traditional social engineering techniques, for example fraudulent websites that the user reaches from a link sent in an email, or a fake mobile application that impersonates the bank.

Once the credentials are obtained, the criminals try to obtain a clone of the victim's SIM in order to receive the verification codes sent by SMS (the second authentication factor). For this, cybercriminals take advantage of the poor identity verification measures that some operators apply. After collecting personal information about their victims, for example through social networks, they call the telephone company responsible for the SIM they want to clone, or appear in person at one of its stores, and request a duplicate of the card. Users often realize there is a problem only when their phone stops having a signal.

It is not uncommon for criminals to face few barriers when obtaining this duplicate SIM, and this is a serious problem. Once they have the duplicate, criminals can enter the victim's bank account, make transfers or even apply for credit in the victim's name. They will have no problem confirming the operation, since the messages carrying the second authentication factor (2FA) arrive on the cloned SIM.

Other types of SIM swapping attacks

Criminals are not just looking to access their victims' bank accounts. Other valuable assets include cryptocurrency wallets and online service accounts, for example those of Google.

In the latter case, if the cybercriminals have obtained the victim's credentials, they can bypass the 2FA by requesting a one-time code sent by SMS. Once they have accessed the account, they control our email account, contacts, etc.

The same can be said of access to other services, such as Facebook, Instagram, TikTok or similar, which can ruin the victim's online reputation and which criminals use to blackmail the victim. They could, for example, obtain compromising photos and conversations and threaten to make them public unless an amount is paid.

Nor should we forget other applications that we use to make transfers and that also allow us to store money. A clear example is PayPal, which also offers 2FA in the form of an SMS message. If criminals obtained the access credentials and a clone of the SIM, they could not only withdraw the stored funds, but also impersonate us to request money from our contacts.

Facing SIM swapping

Fighting this threat would require a complete rethink of the identity verification procedure that many banks and online services still use. Unfortunately, it is not always possible to use the 2FA method we would like, and this forces us to take more drastic measures. One of these measures is to contact our operator and make sure that no duplicate of our card will be issued unless we request it in person at a store or office with a document that identifies us.

In any case, for this measure to work, the operator must be able to strictly comply with our requirements, which is quite difficult in some cases. As if that were not enough, cases have been known in which criminals had the collaboration of employees of the mobile operator, making it more difficult to block this bad practice.