This might be the first time you have heard the term "SIM swap", or you might have heard stories about it but never really understood the logic behind it. Well, let us give you the gist of it today.
WHAT IT IS
In today's climate, most of our day-to-day activities run from our mobile devices. The shift is subtle, but more and more apps and websites require a mobile number for membership and onboarding before you can access their services. That phone number is then used regularly to verify your identity when you log in to these online accounts, typically by sending a one-time code over SMS or placing an automated call to it.
Phone numbers are unique numeric identifiers assigned to you by your service provider. The provider needs a way of managing that number that is convenient for you, and that is where the SIM card comes in. The SIM, or Subscriber Identity Module, securely stores the International Mobile Subscriber Identity (IMSI) and a secret key. It is this key that identifies and authenticates the subscriber to the mobile network. Note what is bound to what here: the network authenticates the SIM, not the phone number. The provider keeps a record that maps your number to the SIM currently assigned to it, and whoever holds that SIM receives the calls and text messages sent to the number.
But what happens when a third party gets the provider to reassign your number to a SIM they control? Doesn't that mean they now receive every authentication message sent to your phone? Quite frankly, YES, that is exactly what it means.
HOW IT HAPPENS
SIM swapping is a fraud technique in which a malicious actor takes over your phone number by having the service provider move it to a SIM card under their control. It requires the criminal to gather personal information about the intended target and then use that information to trick the provider into believing they are the legitimate owner of the number, so that the provider activates it on a new SIM. Crazy stuff.
Most service providers have come up with multiple ways to combat these attacks and safeguard the end user. However, there is only so much they can do. Some providers have set up procedures such as secret words, voice confirmation, or PIN codes to authenticate callers. Have you ever called your service provider and ended up being bombarded with so many questions that you lost interest in the service? Those questions are usually their way of verifying that you are the legitimate user of that SIM before attending to whatever issue or complaint you may have. Such checks only work as long as the attacker does not already know the answers.
Different tactics have been used over the years to trick end users into revealing their personal information; collectively they are known as social engineering. Social engineering, in brief, is any technique used to convince a target that the person they are talking to is who they claim to be and has the target's best interests at heart. Once the attacker has the target's trust, they begin to probe, slowly, for the personal data that can be used to pass verification.
So let's say the provider has set up a verification question where you must provide a secret word; the attacker would then fool the target into revealing that specific word. The attacker might call the user from a spoofed phone number and pretend to be the service provider, or send a link to a page that asks for that detail, though rarely in a direct manner. The victim is not always contacted at all: details such as date of birth, home address or a mother's maiden name are often harvested from social media and earlier data breaches before the fraudster ever calls the provider.
Most attackers try to form some sort of bond with their target(s) to gain trust. If this fails, they may change tactics and pressure the target under the guise of urgency.
STAYING A STEP AHEAD
To secure yourself, it is always best to maintain situational awareness. Most service providers contact their clients from dedicated, published phone lines, which helps you spot an unfamiliar number. Be aware, though, that caller ID can be spoofed, so a familiar number on the display proves nothing on its own; if you do not trust a caller, drop the call and contact your provider yourself through their official channels. Where your provider offers an account PIN or port-out PIN, set one; and wherever an online service lets you choose, prefer an authenticator app or a hardware security key over SMS codes, so that control of your phone number alone is not enough to get into the account. Finally, avoid revealing too much about your personal life or other sensitive details on social media or to acquaintances; those are exactly the details a fraudster uses to pass the provider's verification questions.
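To make the mechanics above concrete, here is an added example (not code from the original post) that models the number-to-SIM mapping described under WHAT IT IS and the takeover described under HOW IT HAPPENS, then shows the service-side check a login system can add: ask the carrier whether the SIM behind the number changed recently before trusting an SMS code. The Carrier, Subscriber and OnlineService classes, the number, the ICCIDs and the timestamps are all constructed for this illustration, and `sim_changed_since` stands in for whatever SIM-change lookup a real carrier exposes; it is an assumption, not a specific carrier API.

```python
"""SIM swap modelled end to end: the carrier routes a number to whichever SIM
currently holds it, so an SMS one-time code follows the number to the attacker.
Added example, not code from the original post; all data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Subscriber:
    msisdn: str               # the phone number the online service knows
    iccid: str                # the SIM card currently bound to that number
    sim_changed_at: datetime  # when the number was last moved to a new SIM


@dataclass
class Carrier:
    """Minimal model of an operator's number-to-SIM mapping (an assumption)."""
    numbers: dict = field(default_factory=dict)  # msisdn -> Subscriber
    inbox: dict = field(default_factory=dict)    # iccid -> list of SMS texts

    def provision(self, msisdn, iccid, when):
        self.numbers[msisdn] = Subscriber(msisdn, iccid, when)
        self.inbox.setdefault(iccid, [])

    def sim_swap(self, msisdn, new_iccid, when):
        """What the fraudster talks support into: rebind the number to a new SIM."""
        sub = self.numbers[msisdn]
        sub.iccid = new_iccid
        sub.sim_changed_at = when
        self.inbox.setdefault(new_iccid, [])

    def deliver_sms(self, msisdn, text):
        """Routing is by number only; whichever SIM holds the number gets the SMS."""
        sub = self.numbers[msisdn]
        self.inbox[sub.iccid].append(text)
        return sub.iccid

    def sim_changed_since(self, msisdn, since):
        """Stand-in for a carrier SIM-change lookup (hypothetical interface)."""
        return self.numbers[msisdn].sim_changed_at > since


class OnlineService:
    """A web service using SMS codes as its second factor.

    swap_window=None is the naive service that trusts the number unconditionally;
    a timedelta turns on the SIM-change check.
    """

    def __init__(self, carrier, swap_window=None):
        self.carrier = carrier
        self.swap_window = swap_window
        self.pending = {}  # msisdn -> code awaiting verification

    def request_sms_code(self, msisdn, now):
        if self.swap_window is not None and self.carrier.sim_changed_since(
                msisdn, now - self.swap_window):
            # Do not send the code at all; require a non-SMS factor instead.
            return {"sent": False, "reason": "recent SIM change, step-up required"}
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[msisdn] = code
        delivered_to = self.carrier.deliver_sms(msisdn, f"Your login code is {code}")
        return {"sent": True, "delivered_to": delivered_to}

    def verify(self, msisdn, code):
        return self.pending.get(msisdn) == code


def run_scenario():
    """Victim's number is swapped to the attacker's SIM; compare both services."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    carrier = Carrier()
    victim, attacker_sim = "+15550100", "8901-ATTACKER"   # constructed values
    carrier.provision(victim, "8901-VICTIM", t0 - timedelta(days=400))

    naive = OnlineService(carrier)
    hardened = OnlineService(carrier, swap_window=timedelta(days=7))

    # Before the swap the hardened check is silent: the code reaches the owner's SIM.
    before = hardened.request_sms_code(victim, t0 - timedelta(days=1))

    # The attacker convinces the support desk to move the number to their SIM.
    carrier.sim_swap(victim, attacker_sim, t0)

    # An hour later the attacker starts a login with the victim's username.
    now = t0 + timedelta(hours=1)
    naive_result = naive.request_sms_code(victim, now)
    stolen_code = carrier.inbox[attacker_sim][-1].split()[-1]
    hardened_result = hardened.request_sms_code(victim, now)

    return {
        "before_swap_delivered_to": before["delivered_to"],
        "naive_delivered_to": naive_result["delivered_to"],
        "naive_takeover": naive.verify(victim, stolen_code),
        "hardened_sent": hardened_result["sent"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the routing line in `deliver_sms`: nothing in the service's flow ever checks which SIM is behind the number, so the naive service hands the attacker a valid code and `verify` succeeds. The hardened service does not try to make SMS safer; it refuses to rely on SMS at all while the number has recently moved, which is the only position the service can defend from its side of the fence. The seven-day window is a made-up policy value, not a recommendation.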