Have you ever lost your mobile phone?
If so, you already know that your mobile provider will happily sell you a new phone and give you a brand new SIM card to activate the handset.
Lo and behold, when you fire up the new phone, it has your old number, so you don’t need to give all your friends and colleagues a new one.
A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.
You may also need to get a new SIM from your mobile provider if you switch to a phone that requires a differently sized SIM card to the one in your current device.
Indeed, if you’ve ever done such an upgrade, you’ll know that the old SIM suddenly stops working, leaving you in an “emergency calls only” situation on your old phone…
…and a short while later, the new SIM in your new phone automatically comes alive, at which point your usual calls and text messages start arriving there instead.
The important point here is this: most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM to take over your identity.
The jargon term you’ll most commonly hear for this process is SIM swapping.
SIM swapping and security
When someone steals your phone, a SIM swap is a fantastic security benefit because you can quickly invalidate the SIM in the stolen phone, preventing the crook from racking up calls on your account or from receiving private calls and messages intended for your ears and eyes only.
But if the crook is the one perpetrating the SIM swap, a SIM swap is a serious security liability, because now it’s your phone that goes dead and the crook who gets access to your incoming calls and messages.
You can see where this is going.
Many banks and other online services send out SMSes or make voice calls to give you those one-time logon codes you need to complete sensitive transactions, giving you a level of security that is, at least in theory, stronger than just using a username and password.
The process of using one-off authorisation codes for each logon or transaction is popularly known as 2FA or 2SV, short for two-factor authentication or two-step verification, and it means that your password is no use on its own.
Additionally, even if a crook can steal one of your 2FA or 2SV codes, it’s no good next time, unlike a password that may be valid for months or even years.
But with a fraudulent SIM swap, the crooks have – temporarily, at least – as good as stolen all your 2FA codes: this one, the next one, the one after that, and so on.
Worse still, any SIM PIN or phone lock code you’d applied on your old SIM and your own phone are now irrelevant: the new SIM will have a default PIN, and your own lock code obviously doesn’t apply to the crook’s phone.
Worst of all, your phone is dead, so you can’t even phone your provider to raise the alarm.
Why SIM swaps matter
Crooks have been using SIM swaps for years to perpetrate on-line fraud, typically using their window of opportunity to:
- Change as many profile settings on your account as they can.
- Add new payment recipient accounts belonging to accomplices.
- Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.
By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.
After all, once the account has been “claimed” by someone else, apparently with the added security measure of 2FA, you start looking like the imposter when you call up saying you’re the real owner of the account.
Suddenly the ball is in your court to prove you’re the real deal to both your mobile provider and your bank.
Sadly, this scam is still sufficiently commonplace that ActionFraud UK, part of the National Fraud Intelligence Bureau (NFIB), warned about it only last week.
ActionFraud UK refers to this scam as SIM splitting, the only place we’ve ever heard it called by that name, but it’s the same crime: fraudulently persuading a mobile phone shop to re-issue someone else’s SIM, perhaps using fake ID, by guessing at security questions, or by colluding with a corrupt employee. In Australia, you’ll sometimes hear this process called number porting.
What to do?
- Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
- Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a
- Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s logon page, then springs into action to record what you type while you’re logging on. A good real time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
- Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they are having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service centre in person if you can, and take ID and other evidence with you to back yourself up.
- Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of logon codes.
Before we go, however, don’t forget that switching from SMS to app-based authentication isn’t a panacea.
Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.
If in doubt, don’t give it out!
Policing and preventing unauthorised SIM swaps is hard – as we mentioned above, most mobile phone shops can initiate the process, so that unscrupulous or careless operators put us all at risk. For this reason, the United States National Institute for Standards and Technology (NIST) recently published new guideliness forbidding SMS-based authentication for the US public service.
LEARN MORE: NIST’s new password rules – what you need to know ►