SIM swapping attacks are a growing and significant cyber-security threat, and one that affects anyone with a mobile phone number.
When we think of cyber-security, we think about keeping data and financial assets safe from attackers. Usually that means setting passwords to protect online accounts such as email, bank accounts, credit cards, social media, Netflix and so on. Hold that thought for a moment and now think about your mobile phone.
If you lost your mobile phone you can begin to imagine the impact it would have on your life: contacts, social media accounts, connected email accounts, photos and so on, all gone. If you are lucky you have a recent backup, so all is not lost, but the inconvenience and cost are still considerable.
Beyond the physical device, which can be replaced, have you thought about how safe your phone number is? How easy would it be for someone to impersonate you to your network provider and have your number transferred to another SIM card, without you realising until it is too late?
Yes, that's right: your phone number is a target for attack, not just your physical device.
SIM swapping cyber-attack – what is it?
This type of attack has been around for some time and is becoming more widespread, and more widely known, as high-profile cases are reported in the media. In simple terms, a SIM swapping attack begins with the attacker convincing your mobile network provider that they are you, typically by social-engineering customer-service staff with personal details gathered beforehand. They then ask the provider to transfer your phone number to a SIM card they control. Once the transfer completes, incoming calls and text messages go to the attacker rather than to you, and your own handset drops to a 'no network' state.
So, to be clear, the attacker never needs your physical device to receive the two-factor authentication codes that your online banking and other accounts send to your phone number to confirm you are who you claim to be. By taking over the number, an attacker can impersonate you from virtually anywhere.
What is the risk?
The risk varies depending on the purpose of the attack. It could be to gain access to your Instagram account or, more seriously, to your bank account to move funds, leaving you penniless.
If they gain access to your bank account, they could transfer money from it to another account. Your bank's security systems would not necessarily flag this as suspicious, because the text-message codes were sent to the registered phone number and entered correctly; from the bank's point of view the login looks legitimate.
Secondly, they can use your phone number to trigger account recovery and 'forgot password' flows on other services: the reset codes or links are sent to the registered number, which the attacker now controls.
How successful are SIM swapping attacks?
The level of effort required is relatively high, so attackers typically go after a specific, pre-selected target: someone they know has something they want, so that the reward far outweighs the effort and risk. The attack relies on social engineering, using personal details gathered about the target beforehand to pass the provider's identity checks.
Real cases of SIM swapping attacks
Here are some actual instances of SIM swapping attacks:
- Twitter CEO Jack Dorsey had his own Twitter account hijacked.
- Michael Terpin, an entrepreneur and cryptocurrency investor, had $23.8 million worth of cryptocurrency tokens stolen.
- Selena Gomez's Instagram account was hacked, and nude pictures were posted on her timeline.
Preventative measures you can take
It is worth noting that, with the best endeavours in the world, nothing is foolproof, but you can take steps that make the attack much harder for the attacker to pull off.
Here are some steps you could consider implementing:
- Set a passcode or password (often called a port-out or account PIN) on your network provider account, so that change requests, including number transfers, cannot be carried out without it.
- Where possible, send messages with end-to-end encrypted apps such as WhatsApp rather than SMS, which is not encrypted. Note that this protects the content of your messages; it does not by itself stop an attacker who has taken over your number from receiving SMS codes sent to it.
- Avoid storing everything about yourself on your mobile phone, and be sparing about the personal details you share publicly. Social engineering works because the attacker knows enough about you to pass the provider's identity checks.
- Avoid making your mobile phone number the only thing that protects your bank account. Where your bank offers an alternative to SMS codes, use it.
- Never give out your passcodes, PINs or passwords to anyone, including callers who claim to be from your bank or network provider.
- Use two-factor authentication that does not depend on your phone number, such as an authenticator app (Google Authenticator and similar). An authenticator app ties the second factor to a secret stored on the physical device, not to the phone number your mobile network assigns you, so a SIM swap does not move it to the attacker. Biometrics such as face or voice recognition typically unlock the device or the app rather than acting as a separate factor for the remote service, so they complement, but do not replace, a non-SMS second factor.
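To make the last point concrete, here is a small TOTP implementation (RFC 6238, the scheme behind Google Authenticator and similar apps). It is an added example for this article, not code from the original page or from any vendor. The secret is the published RFC test value, embedded as a constructed sample; the `verify_totp` helper and its one-step skew window are this example's own design choice. Note that nothing in the computation takes the phone number as input: the code depends only on the shared secret and the clock, which is why a carrier-side SIM swap does not divert these codes.

```python
"""Minimal TOTP (RFC 6238) generator and verifier.

Illustrates why an authenticator app survives a SIM swap: the code is a
function of a shared secret and the current time only. The phone number,
and therefore the mobile carrier, never enters the computation.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: the ASCII test secret from RFC 4226 / RFC 6238, both as
# raw bytes and as the base32 string an enrolment QR code would carry.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(s: str) -> bytes:
    """Decode an otpauth-style base32 secret (case-insensitive, padding optional)."""
    s = s.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding that QR payloads omit
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side, to absorb clock
    skew between the phone and the server. Compares in constant time and does
    not short-circuit, so timing does not reveal which step matched."""
    t = int(time.time()) if at is None else at
    counter = t // step
    ok = False
    for k in range(-window, window + 1):
        if counter + k < 0:            # no negative counters at the epoch boundary
            continue
        expected = hotp(secret, counter + k, digits).encode()
        ok |= hmac.compare_digest(expected, code.encode())
    return ok


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_B32)
    print("current 6-digit code:", totp(secret))
    # RFC 6238 Appendix B vector, 8 digits, T=59 seconds -> 94287082
    print("RFC vector T=59:", totp(secret, at=59, digits=8))
```

The enrolment step is the whole security story: the base32 secret is shown once (usually as a QR code) and then lives only on the device and the server. An attacker who has taken over your number has nothing to work with, whereas an SMS code is delivered to whoever the carrier currently routes the number to.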
Find out more
To find out more about keeping your organisation one step ahead of cyber-attackers, contact MMRIT. Our suite of cyber-security services is designed to identify risks, and to monitor and manage them to minimise the threat.