SIM Swap Scams and Simple Solutions

SIM swap scams are everywhere, and it is all too easy to become a victim of them. Although SIM swapping sounds technical, it is actually a form of social engineering, which means hacking humans instead of hacking technology.

Valentina Flores

November 17, 2021

Say that 5 times fast. SIM swap scams are everywhere, and it is all too easy to become a victim of them. Even Twitter CEO Jack Dorsey fell victim to this simple attack last August. If tech giants are vulnerable, so are we normal people. 

Although SIM swapping sounds technical, it is actually a form of social engineering, which means hacking humans instead of hacking technology. And this specific scam has very serious results, as it can give an attacker access to your bank accounts, cloud storage services, and more. The main use of this technique is to bypass MFA (multi-factor authentication), which we’ll talk more about. 

Where did this scam come from? In the criminal world, the SIM swap scam is a relatively new attack technique, seen over the past five years. In fact, Joel Ortiz became the first person convicted of this crime in 2019, just two years ago. But in the ever-changing hacking world, five years can be a lifetime. 

If malicious hackers have been using the same technique for five years, why is it still working? Why haven’t we created some technology to stop it? 

Because the weak link is once again humans. But this time, it’s some stranger who works for your cell phone provider that may be leaving you vulnerable. Fortunately, there are simple things you can do to stop yourself from becoming a victim of these scams.

What is a SIM Swap?

First off, SIM stands for Subscriber Identity Module. Although you have a physical cell phone, your service (including text messages and calls) is attached to your phone number. Think about it: you text a phone number, not an iPhone serial number. This is why you may have the same phone number for 20 years, even though you’ve upgraded phones three times. SIM swapping scams are when malicious hackers transfer your phone number to their device instead. 

This can be done a couple of different ways. First, an attacker can call your service provider and pretend to be you, convincing the customer service representative to switch the account over to “your” new phone. Second, they can pretend to be a store employee, which bypasses some authentication checks if they are convincing. For example, they may call customer service and say something along the lines of “Hey, this is Brian over at Store #132 and the system is having trouble switching over this account.” This tactic may not work on the first person, but on the 30th person, it probably will. Third, some bad actors simply work with someone in this position, who can switch accounts with ease.

Relatedly, a port-out attack is when an attacker creates an account with a new carrier in your name and has your phone number switched over. For example, if you have an account with AT&T, an attacker may go to Sprint and impersonate you, creating a new Sprint account. 

Once your account is linked to the hacker’s device, the rest is easy. MFA (multi-factor authentication) becomes useless, because they can intercept the verification code the bank is sending. In addition, because most people have account logins linked to phone numbers for backup, these criminals can reset your passwords altogether.

Once they’re in your accounts, they can steal, ransom, disclose, or do whatever they’d like. 

A better way to MFA

First things first, although SIM swapping is a way to bypass MFA, multi-factor authentication is still very important for your security. So go turn it on everywhere. It may take a few extra seconds at sign-on, but that is far better than getting hacked.

Now, is there a better way to use MFA? Yes. 

  1. Stronger passwords. I’m personally a huge fan of LastPass, which creates and remembers long, randomized passwords for you, which are harder to hack.
  2. Get rid of SMS (text) authentication. Look into using an authenticator app like Google’s or Microsoft’s. It is not tied to your texts, so when Wells Fargo sends you a code to verify your identity, it appears in the app instead of your text messages. The benefit here is that even if a bad actor gains access to your messages, they can’t see the verification codes. However, the app itself can still be hacked. In general, I think hacking people is easier than hacking technology, so this provides a little more defense.
  3. Use Universal 2nd Factor (U2F) keys. If you’re serious about your password security, try a U2F key, a standard developed by companies including Google and Microsoft (to be a better option than their apps mentioned above). A U2F key, such as a YubiKey or Trezor, is a physical USB device that allows you to log into your accounts. Your private key and personal information are never sent over the internet, which makes this approach unique. YubiKey is very user-friendly and is a great option to use in combination with LastPass.
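To show why an authenticator app has nothing for a hijacked phone number to receive, here is an added example (not code from the original post) of how such apps derive a code: RFC 6238 TOTP over RFC 4226 HOTP. The seed is shared once at enrollment; afterwards the device and the server each compute the code locally, and nothing travels over SMS. The seed value below is constructed from the RFC test vector.

```python
"""Added example: local one-time-code derivation as authenticator apps do it.
The shared seed never moves after enrollment, so there is no code in transit
for a SIM-swapped number to pick up (unlike an SMS code)."""
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). `at` overrides the clock."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at=None, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept +/- `window` steps of clock skew, compare in
    constant time. Only the seed and the clock are needed, never a message."""
    now = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        expected = hotp(secret, now // step + drift)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed enrollment seed: the RFC 4226 / RFC 6238 test-vector secret (ASCII digits).
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; counter = 59 // 30 = 1
    print(totp(DEMO_SEED, at=t))                        # 287082 (RFC 4226 vector, counter 1)
    print(verify_totp(DEMO_SEED, "287082", at=t))       # True
    print(verify_totp(DEMO_SEED, "287082", at=t + 120)) # False: outside the skew window
```

Compare this with an SMS code, which must be generated by the server and delivered through the carrier, the very channel a SIM swap takes over.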

No method is perfect, but these options can help keep your accounts a little more secure. 

Create a PIN on your mobile account

All the major carriers now allow you to set a PIN that is required to access your account. So go do it right now! The process is very simple: you can do it online via your account page or by contacting your carrier directly. This simple fix doesn’t solve the issue if the malicious hacker is working with an insider, but it will help prevent the social-engineering approaches described above. 

Businesses are at risk, too

Companies are not safe from SIM swap scams. Business and personal phones are so intermingled that verification codes for company accounts are often sent to personal devices. 

For example, if an employee has access to the business’s AWS (Amazon Web Services) account and is the victim of this type of scam, the hacker can then gain entry into the AWS account. If that user has access to all of the company’s source code, guess what… so does the hacker. This is where user permissions are critical. Only grant access to company resources on a need-to-have basis.

In addition, there are tools, such as Red Sentry’s Continuous Cloud Scanner, which can track misconfigurations that can leave you vulnerable.

For example, when we talked about the importance of authentication, these tools can tell you which specific users have MFA disabled. So go track these users down!
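As an added example (not Red Sentry’s scanner or code from the original post), here is how you can answer “which users have MFA disabled?” yourself for an AWS account, using the real boto3 IAM calls `list_users`, `get_login_profile` and `list_mfa_devices`. A constructed fake client with the same call shapes stands in so the script runs offline; pass `boto3.client("iam")` instead to audit a live account.

```python
"""Added example: flag IAM users who can sign in with a password but have no
MFA device registered. Works against any object exposing the three boto3 IAM
methods used below; the FakeIAM class is a constructed offline stand-in."""


def users_without_mfa(iam):
    """Return names of password-enabled users with zero MFA devices.
    API-key-only users (no login profile) are skipped: they have no console
    password for a phone-number-based reset to take over."""
    flagged = []
    # For accounts with more than 100 users, iterate iam.get_paginator("list_users") instead.
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        try:
            iam.get_login_profile(UserName=name)  # raises NoSuchEntity when no console password
        except iam.exceptions.NoSuchEntityException:
            continue
        if not iam.list_mfa_devices(UserName=name)["MFADevices"]:
            flagged.append(name)
    return flagged


class FakeIAM:
    """Constructed stand-in mirroring the boto3 IAM client call/return shapes."""

    class exceptions:  # boto3 exposes modeled errors as client.exceptions.<Name>
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users, passwords, mfa):
        self._users, self._passwords, self._mfa = users, passwords, mfa

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self._users]}

    def get_login_profile(self, UserName):
        if UserName not in self._passwords:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self._mfa.get(UserName, [])]}


# Constructed sample account: three console users (one without MFA) and one API-only bot.
DEMO_IAM = FakeIAM(
    users=["alice", "bob", "carol", "ci-bot"],
    passwords={"alice", "bob", "carol"},
    mfa={"alice": ["mfa/alice"], "carol": ["mfa/carol"]},
)

if __name__ == "__main__":
    print(users_without_mfa(DEMO_IAM))  # ['bob']
```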

Summary

SIM swap scams are just one example of a technique used to gain access to your personal information, money, and more. We can never protect ourselves 100% from malicious hackers, unless we go live in a bunker. But the goal is to lock as many doors as possible, to make unauthorized entry harder. 

So go spend 5 minutes today to keep from becoming a victim: 

  1. Download LastPass and look into a U2F option.
  2. Turn on your MFA.
  3. Use a PIN code on your mobile account.

These simple solutions can make a world of difference. 

Valentina Flores

CEO, Cybercrime investigation, product implementation specialist, and enterprise program management. University of Florida BA, WGU MS
