Account takeover with SIM swapping and defenses against it

SIM swapping is an infuriating attack, involving deceit and call center employees. Con artists contact mobile providers and use convincing pre-rehearsed speeches to impersonate other people. Masquerading as other individuals allows crooks to take over phone numbers and use them for scams. For instance, verifying access during the two-factor authentication step. SIM swapping happens externally, meaning that it barely reflects the internal protection you have. However, there are workarounds and effective tips for regular netizens to take into account.

What is SIM swapping?

SIM swapping is a fraudulent technique to take over users’ phone numbers and use them to complete two-factor authentication. Scammers call mobile service providers directly and impersonate one of their clients. Their purpose is to convince the person on the other end to switch a phone number to a SIM card owned by crooks.

A Princeton University academic study revealed that five US telecom companies operate according to poorly-structured verification policies. According to researchers, customer support followed the existing protocols that are not immune to SIM swapping attempts. For instance, mobile providers require clients to answer several personal questions.

However, con artists can mislead operators by explaining that they accidentally provided incorrect details during registration. Another common verification step was for the client to present the last two records in their call logs. Unfortunately, con artists can stage this by contacting the actual owners and urging them to call specific numbers. Hence, after coming through these tests with flying colors, scammers can implement SIM swapping.

Steps of SIM swapping

1. Con artists pick a target, potentially a person with access to valuable accounts.
2. Crooks might send fraudulent messages to the victim, or learn some basic information about them. These actions are for passing the authentication tests from the mobile providers’ staff.
3. The scammers finally call the mobile provider to start their SIM swapping attack. They impersonate victims and insist that the company moves targeted phone numbers to other SIM cards.
4. After convincing the customer support specialists of their identity, hackers wait for the service to assign a phone number to the SIM card they own.
5. They use the phone number to complete two-factor authentication and take over accounts.
6. Finally, with full access to digital services and websites, con artists can steal data, make fraudulent transactions, or perform other devious actions.

You have become a victim: how to respond?

A SIM swapping technique can be extremely devastating if not detected in time. Accounts you own are no longer in your control. Hence, you should pay attention to logins to your accounts from new devices and locations. If the attack is in full swing, here are the steps you should take:

1. Contact your mobile service provider. Insist that they return your phone number or block it temporarily.
2. You might need to visit the telecom company in person to pass authorization procedures.
3. Be vigilant and record all conversations with the mobile service provider. They might not be eager to offer compensations for their mistake. Hence, make sure to gather some proof of their inadequate verification procedures.
4. Once the mobile provider agrees to reverse the SIM swapping attack’s effects, run through all accounts related to your phone number. Did you set a two-factor authentication mechanism to send you verification messages or initiate phone calls? After a SIM swapping incident, check whether hackers accessed them. Look for signs of their activity (such as adding their phone numbers or changing passwords).
5. Call your mobile service provider again and request that they not agree to make any changes to your account via phone call.
6. If necessary (for instance, you suffered damages), contact law enforcement agencies about this SIM swapping scam. Provide all the evidence possible and list the actions you took post factum.

How to protect your accounts from SIM swapping attacks?

Mobile service providers need more strict guidelines and verification processes when communicating with clients over the phone. Here are the recommendations you can take to prevent con artists from targeting you with SIM swapping scams:

• Consult your mobile service provider about the SIM swapping attacks. Inform them that changes to your account are viable if you request them in physical stores, with correct identification.
• To prevent attacks, you might opt not to use your phone number for two-factor authentication. As an alternative you might use authenticator apps.
• Regularly clean your Google Drive to get rid of sensitive information. So, do not store confidential data for longer than necessary.
• Choose strong, non-repetitive passwords for your accounts. SIM swapping hopes to workaround two-factor authentication. However, if your passwords are difficult to crack, they won’t be able to get to this verification step. Password managers are an excellent tool for keeping your combinations organized.
• To avoid getting targeted by SIM swapping attacks, become an anonymous user of the web. You can minimize the risks of ending on the hackers’ radar. Do not sign up for random websites, avoid logins via social media accounts and public Wi-Fi spots. Additionally, a VPN (Virtual Private Network) conceals your digital identity, browsing, and other actions from all internet communities. While it won’t stop SIM swapping, it will serve you as camouflage to make you less noticeable online.