A SIM swap attack happens when a criminal uses social engineering to gain control of a victim’s mobile phone number so that SMS messages and calls intended for the victim are received by the criminal instead. This then enables the criminal to impersonate the victim and perpetrate further fraud and attacks.
What is a SIM?
Mobile phone numbers are linked to SIM cards, not to the mobile phone itself. This is why you can move your phone number onto a new iPhone simply by taking the SIM card out of the old phone and slotting it into the new one. The SIM (Subscriber Identity Module) is a small integrated circuit card that stores several identification numbers and keys which the phone uses to identify itself to the mobile phone network. Some mobile devices incorporate an eSIM, a SIM that is built into the device and can be remotely reprogrammed in order to download the SIM details, activate the phone and associate it with a mobile phone number.
When a customer wants to move their phone number to a new device, they can simply remove the SIM card from the original phone and insert it into the new device. However, if the SIM card has been damaged or lost, or if the new device uses a SIM of a different physical size, the customer will need to speak to their mobile phone company to perform a SIM-swap. The SIM-swap operation migrates the customer’s account and mobile phone number from one SIM card onto another.
How SIM-swap attacks work
Many organisations have adopted two-factor authentication (2FA) to strengthen the identification of users when granting system access. The two factors in use are ‘something you know’, the password, and ‘something you have’.
By far the most popular mechanism is the use of an SMS message as the second factor. With this approach, the user must enter a one-time code delivered over SMS after providing their username and password. The SMS code is the second factor and in common parlance represents ‘something you have’, namely the phone that received the SMS message. However, possession of the SMS code is not proof of possession of a mobile phone; it is in fact proof that you have control of the mobile phone number, which in turn is linked to a SIM card.
So, in a SIM-swap attack, the objective of the threat actor is to obtain control over a SIM in order to receive the SMS codes sent to the victim; in doing so the criminal is able to thwart the protection provided by the 2FA system.
As described previously, swapping a SIM card is a legitimate customer service operation, so the threat actors engage in social engineering to impersonate the victim to the mobile phone company’s customer service staff and achieve the SIM-swap. A SIM-swap attack starts with research and phishing attacks against the victim to gather the personal information needed to impersonate the victim successfully, either to customer service staff or to provide the details required by self-service apps or portals when requesting the SIM-swap.
The implications of SIM-swap attacks
Once a SIM has been successfully swapped, the threat actors may be able to gain access to the victim’s email, bank accounts and social media and so perpetrate further fraud. Gaining control of the SIM may also facilitate changing passwords or using the ‘forgot password’ feature of online accounts, which may rely solely on a 2FA code delivered over SMS as the only proof of identity needed to set a new password on the account.
How to defend against SIM-Swap attacks
When choosing a 2FA solution to protect their business, Security Managers should consider not using SMS-based solutions and instead adopt a smartphone app such as Google or Microsoft Authenticator, which generates one-time passcodes on the smartphone itself and so is not vulnerable to SMS redirection following a SIM-swap. The NCSC provides useful guidance on when and how to use SMS or alternatives within business processes.
Individuals can protect themselves from SIM-swap attacks by:
- Do not give personal information to anyone who contacts you saying they are from your mobile phone company. If in doubt, hang up the call, look up the contact details of your mobile phone company and call back, asking them to confirm why they were calling.
- Never provide one-time passwords over the phone; they are designed to be entered into web pages or apps.
- Use an app-based authenticator rather than SMS if you have a choice of 2FA.
- Avoid openly sharing information on social media that a stranger could use to impersonate you.
- Do not click links received in SMS messages, as it is easy to falsify the sender of an SMS.
How to spot a SIM-swap attack
Watch out for these indicators which may mean you are being personally targeted for a SIM-swap attack:
Before an attack
The threat actor needs to impersonate you, so they may call you asking you to share codes or SMS messages that you have received from your mobile phone company. They will repeat these codes back to your mobile phone company in order to impersonate you to their customer service staff.
During an attack
Your mobile phone loses its network data connection, and you stop receiving phone calls or SMS messages. This is because your mobile phone number has now been moved to a different SIM card.
After an attack
You lose access to email, bank, or social media accounts because the attacker has changed your passwords. You spot unusual transactions on your bank statements or unusual activity on social media as the criminals continue to impersonate you.
If you spot any of these indicators, contact your mobile phone company immediately to verify whether a SIM-swap has happened and get it reversed. Also contact your bank to reset access to your online account.
Resources
ENISA advice: How to avoid SIM Swapping
ENISA report: Countering SIM Swapping
NCSC Guidance on using SMS in Critical Business Processes