Attackers are using SIM swaps to take advantage of SMS-based verification. A recent string of Instagram takeovers, a cryptocurrency scam that cost an investor over $23 million in tokens, and reports of hijackers stealing thousands of dollars from personal checking accounts are all attributed to SIM swapping.
SIM swaps are a type of fraud where hackers steal your mobile identity by switching out your smartphone’s SIM card. In its most basic form, a hacker uses social engineering to manipulate a mobile carrier service rep into switching your phone number to a SIM card the hacker owns. Once this is done, scammers can divert incoming messages, including the verification codes sent by text, and easily break through your SMS-based two-factor authentication.
Allison Nixon, a threat researcher at Flashpoint, says if a SIM hijacker targets you and has the skills to accomplish the task, there is little you can do to stop them. Proper security protocols on your part will not necessarily prevent your mobile carrier from being fooled. Flashpoint found some instances where SIM hijackers were able to enlist the help of mobile store employees to gain access to protected accounts. To fix the SIM swap dilemma, the role of telephone numbers as a means of identification needs to change.
Until app developers decide on a universal identifier besides the mobile phone number, we must all do our part to make sure our accounts are secure. Mobile carriers offer instructions on how to add PINs and passcodes to mobile accounts, which adds an extra layer of protection. It’s also wise to use an authentication app instead of text message verification wherever possible.
If your organization has a BYOD (Bring Your Own Device) policy, it’s worth investing in new-school security awareness training that will help employees understand how to protect themselves and the company’s network from SIM swaps. WIRED has the story: https://www.wired.com/story/sim-swap-attack-defend-phone/