
Stop the swap: How to secure devices against SIM swapping fraud
SIM swap attacks are soaring. According to data from the FBI, 2021 saw more than 1,600 SIM swapping reports totaling $68 million in losses.
But what is a SIM swap attack? How does it happen, where are users vulnerable, and what steps can they take to stop the swap?
Bait and switch: What is SIM swapping?
Smartphones contain subscriber identity modules (SIMs). These small chips act as portable memory storage units that link physical devices to user accounts. They can be removed and replaced — for example, users might move their SIM card from an older device to a new phone, in turn streamlining the setup process.
For cybercriminals, this physical operation offers the opportunity for an unauthorized SIM swap.
Here’s how it works. First, attackers conduct social engineering efforts to discover details about users, then contact mobile providers and impersonate actual account holders using this data. Next, they claim that their current device has been lost or damaged, or that they’re upgrading to a new one, and ask mobile carriers to link user account details to a new phone with a new SIM card.
Armed with full access to mobile accounts, attackers can extend social engineering efforts to their victim’s list of text and email contacts. They may also be able to directly compromise banking and e-commerce accounts if users have linked these accounts to their mobile numbers.
The state of SIM swapping
Both the volume and value of SIM swapping are on the rise. Consider SIM scammer Nicholas Truglia, who was recently sentenced to 18 months in prison for stealing more than $20 million in cryptocurrency via SIM swap attacks. This is quickly becoming a common threat vector: If attackers can convince mobile providers to swap account data to new SIMs — and these accounts are tied to cryptocurrency platforms — they can quickly move massive amounts of virtual money. Even more worrisome? Crypto transactions are one-way, one-time only, meaning they can’t be undone to “refund” users, even if SIM swaps are detected.
So why the uptick? One of the biggest benefits for attackers is the ability to bypass message-based multifactor authentication (MFA). While passwords are no problem for criminals to crack, the advent of MFA helped frustrate their efforts. In the case of SIM swapping, however, malicious actors circumvent authentication by impersonating authorized users and taking full control of their mobile accounts and devices.
Stop the swap: Three ways to stay safe
So, what does this mean for mobile users? How can they reduce their risk of SIM swapping if they aren’t even aware of potential compromise until it’s too late?
Three tactics can help tame the risk of SIM swaps.
Limited information sharing
The less data available online, the harder it becomes for attackers to effectively impersonate users. In practice, this means keeping personal data under wraps and ensuring that social media privacy settings are restrictive rather than permissive.
Improved password processes
Passwords aren’t perfect, but they do offer a measure of protection when used properly. For individuals, this means regularly changing passwords and never reusing a password. For businesses, it means enforcing password rules around length, character type, and periodic change.
Advanced authentication methods
SIM swaps can bypass text-based MFA, but they’re less effective against multifactor methods that require physical tokens or the use of biometric scans to determine identity. While these authentication approaches may not stop swaps entirely, they can act as early warning signs that attacks are underway.
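The following is an added example, not part of the original article: a short Python audit that classifies accounts by whether a SIM swap would hand an attacker their second factor. The factor names, record layout and sample accounts are constructed for illustration, and the code assumes that a phone number accepted for account recovery is as exposed as one used at login.

```python
# Added example: audit MFA enrollments for SIM-swap exposure.
# Factor names, record layout and sample accounts are constructed for illustration.

# Factors delivered to a phone number follow that number to a new SIM.
PHONE_NUMBER_BOUND = {"sms_otp", "voice_otp"}
# Factors tied to a physical token or the user's body stay with the user.
SWAP_RESISTANT = {"hardware_token", "biometric"}


def sim_swap_exposure(account):
    """Classify one account by what a SIM swap would give an attacker."""
    login = set(account.get("login_factors", []))
    recovery = set(account.get("recovery_factors", []))
    if not login:
        return "no_mfa"
    # Alternatives are OR-ed: one phone-bound option exposes the account,
    # even when a hardware token is also enrolled.
    if login & PHONE_NUMBER_BOUND:
        return "exposed"
    # Assumption: a phone number accepted for account recovery lets the
    # holder of the number reset or bypass the stronger login factor.
    if recovery & PHONE_NUMBER_BOUND:
        return "exposed_via_recovery"
    if login <= SWAP_RESISTANT:
        return "resistant"
    return "unclassified"  # unknown factor type: review by hand


def audit(accounts):
    """Group user names by exposure class, sorted for stable reports."""
    report = {}
    for account in accounts:
        report.setdefault(sim_swap_exposure(account), []).append(account["user"])
    return {status: sorted(users) for status, users in report.items()}


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "login_factors": ["sms_otp"], "recovery_factors": []},
    {"user": "bob", "login_factors": ["hardware_token", "sms_otp"], "recovery_factors": []},
    {"user": "carol", "login_factors": ["hardware_token"], "recovery_factors": ["sms_otp"]},
    {"user": "dave", "login_factors": ["hardware_token", "biometric"], "recovery_factors": []},
    {"user": "erin", "login_factors": [], "recovery_factors": ["sms_otp"]},
]

if __name__ == "__main__":
    for status, users in audit(SAMPLE_ACCOUNTS).items():
        print(f"{status}: {', '.join(users)}")
```

Accounts reported as exposed or exposed_via_recovery are the ones to move off the phone number first; enrolling a token without removing the SMS option leaves the account in the exposed group.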
Bottom line? SIM swaps are on the rise as attackers leverage social engineering to gain full device access. Stopping the swap means reducing the amount of information users share online, increasing password efficacy, and implementing additional authentication.