What is a SIM swap attack?

A SIM swap attack happens when a criminal uses social engineering to gain control of a victim’s mobile phone number, so that SMS messages and calls made to the victim are received by the criminal. This enables the criminal to impersonate the victim and perpetrate further fraud and attacks.

What is a SIM?

Mobile phone numbers are linked to SIM cards, not to the mobile phone itself. This is why you can move your phone number onto your new iPhone simply by taking the SIM card out of the old phone and slotting it into the new phone. The SIM (Subscriber Identity Module) is a small integrated circuit card that stores several identification numbers and keys which the phone uses to identify itself to the mobile phone network. Some mobile devices incorporate an eSIM – a SIM that is built into the device and can be remotely reprogrammed in order to download the SIM details, activate the phone and associate it with a mobile phone number.

When a customer wants to move their phone number to a new device, they can simply remove the SIM card from the original phone and insert it into the new device. However, if the SIM card has been damaged or lost, or if the new device uses a SIM with a different physical size, then the customer will need to speak to their mobile phone company in order to perform a SIM-swap. The SIM-swap operation will migrate the customer’s account and mobile phone number from one SIM card onto another.

How SIM-swap attacks work

Many organisations have adopted two-factor authentication (2FA) as a means to increase the security of their identification when granting system access. The two factors in use are ‘something you know’ – the password – and ‘something you have’.

By far the most popular mechanism is the use of an SMS message as the second factor. When using this approach, the user will need to enter a one-time code delivered over SMS after providing their username and password. The SMS code is the second factor and in common parlance represents ‘something you have’, namely the phone that received the SMS message. However, possession of the SMS code is not proof of possession of a mobile phone – it is in fact proof that you have control of the mobile phone number, which in turn is linked to a SIM card.

So, in a SIM-swap attack, the objective of the threat actor is to obtain control over a SIM in order to receive the SMS codes sent to the victim. In doing so, the criminal will be able to thwart the protection provided by the 2FA system.

As described previously, swapping a SIM card is a legitimate customer service operation, so the threat actors use social engineering to impersonate the victim to the mobile phone company’s customer service staff and achieve the SIM-swap. A SIM-swap attack starts with research and phishing attacks against the victim to gather personal information. That information is then used to impersonate the victim, either to customer service staff or by providing the details required by self-service apps or portals in order to request the SIM-swap.

The implications of SIM-swap attacks

Once a SIM has been successfully swapped, the threat actors may be able to gain access to the victim’s email, bank accounts and social media and so perpetrate further fraud. Gaining control of the SIM may also facilitate changing passwords or using the ‘forgot password’ feature of online accounts, which may rely solely on the provision of a 2FA code over SMS as the only proof of identity needed to allow a new password to be set on the account.

How to defend against SIM-swap attacks

When choosing a 2FA solution to protect their business, security managers should consider avoiding SMS-based solutions and instead adopting a smartphone app such as Google or Microsoft Authenticator. These apps generate one-time passcodes on the smartphone itself and so are not vulnerable to SMS redirection following a SIM-swap. The NCSC provides useful guidance on when and how to use SMS or alternatives within business processes.

Individuals can protect themselves from SIM-swap attacks by following these steps:

  • Do not give personal information to anyone who contacts you saying they are from your mobile phone company. If in doubt, hang up the call, look up the contact details of your mobile phone company and call back, asking them to confirm why they were calling.
  • Never provide one-time passwords over the phone – they are designed to be entered into web pages or apps.
  • Use an app-based authenticator rather than SMS if you have a choice of 2FA.
  • Avoid openly sharing information on social media that a stranger could use to impersonate you.
  • Do not click links received in SMS messages, as it is easy to falsify the sender of an SMS.

 

How to spot a SIM-swap attack

Watch out for these indicators which may mean you are being personally targeted for a SIM-swap attack:

Before an attack

The threat actor needs to impersonate you, so they may call you asking you to share codes or SMS messages that you have received from your mobile phone company. They will repeat these codes back to your mobile phone company in order to impersonate you to their customer service staff.

During an attack

Your mobile phone loses its network data connection, and you stop receiving phone calls or SMS messages.  This is because your mobile phone number has now been moved to a different SIM card.

After an attack

You lose access to email, bank, or social media accounts because the attacker has changed your passwords.  You spot unusual transactions on your bank statements or unusual activity on social media as the criminals continue to impersonate you.

If you spot any of these indicators, contact your mobile phone company immediately to verify if a SIM-swap has happened and get it reversed.  Also contact your bank to reset access to your online account.

 

Resources

ENISA advice: How to avoid SIM Swapping

ENISA report: Countering SIM Swapping

NCSC Guidance on using SMS in Critical Business Processes

 

 

 

 
