What Is SIM Swapping? How To Protect Against This Scam

A SIM swapping scam can not only take over your phone but can also become detrimental to your financial health as scammers can steal bank logins or data.

What does SIM swapping do? SIM swapping can cause scammers to have control over your phone number. They do this by tricking your phone carrier into activating a SIM card under your phone number, so the scammer now has control over your phone communications, not you.

How Do SIM Cards Work?

If you have a cell phone, you know that subscriber identity module (SIM) cards exist and that they are part of linking that cell phone to your carrier. This card contains a chip containing critical identifying information that allows your device to connect securely to a wireless network. This card must use a device to make calls or exchange data on that network.

Each card contains specific information for identification purposes. This information will usually include:

• Advice of Charge (AoC): This information helps estimate charges based on calls and data usage for display on the device, for information to end users about their upcoming bill.
• Mobile Country Code (MCC): As the name suggests, this code denotes the country you’re calling from.
• Local Area Identity: This number combines the MCC and your telephone number as an identifier on the mobile network.
• Service Dialing Number: Service dialing numbers are provider-specific numbers that a user can call to get specific information–for example, dialing a three-digit number to connect directly to customer service or to get your balance.
• Service Provider Name: The name of your mobile provider (T-Mobile, AT&T, etc.).
• Short Message Service Center (SMCC): This information includes recent SMS texts received and sent by the device.
• Integrated circuit card identifier (ICCID): This is the unique ID number of the card itself, containing (like a credit card number) a significant industry identifier (MII), individual account identification numbers, and a check digit.
• International mobile subscriber identity (IMSI): This number uses the MCC and other information to identify the user on the network. If the ICCID is the unique ID of the SIM card itself, the IMSI is the user’s unique ID.
• Authentication Key: The encrypted key (typically 128 bits) used to authenticate the device on the mobile networks.

As you might have noticed, the SIM card is an essential part of cellular communication and serves as a critical piece of hardware to keep the use of mobile networks secure. Likewise, these cards (and their information) are a dangerous attack surface in the realm of cybersecurity and identity fraud.

What Is SIM Swapping?

If a phone number is linked to a SIM card, then the device using that SIM card controls that number. So, for example, if someone were to take your SIM card and put it into their phone, they’d be able to interact with your mobile account and phone number–regardless of whether or not they have your physical phone.

This is SIM swapping. A hacker uses some form of attack to trick your carrier into switching your phone number from your current SIM card to one in their possession. Once they’ve done this, they control that number, meaning they can send and receive calls, text messages, and other information using that number.

This seems like a tall order, however–even for sophisticated hackers. But with the glut of information available publicly and through peripheral hacks, cybercriminals can construct profiles they can use to steal SIM access.

These avenues of attack include:

• Uncoordinated Breaches: As hackers make attacks against centralized data targets (like those held by major corporations or political agencies and nonprofits), they sell or disseminate your data on dark web networks.

Over time, intelligent hacker groups will compile massive databases where they can connect a user’s information across multiple accounts and platforms.

• Data Scraping: Outside of illegal hacking, many organizations use software to scrape entire websites’ contents. While this data is often public, it can fill in gaps in stolen data sets to help attacks build complex profiles of victims, connecting login credentials, authentication and identity information, and user behaviors across hundreds of systems.
• Social Engineering: Social engineering is still one of the most common forms of attack. A hacker can use information gained elsewhere to trick users and mobile companies to give over information or perform actions against the will of that end user.

And this is how SIM swapping works. A hacker or group of hackers gathers and collates data across public website scraping and data breaches, creating profiles of users across platforms. With enough information, these hackers can begin attempts to contact mobile carriers.

While these carriers will almost always ask security and verification questions to vet their contacts, a hacker with enough information can quickly respond to these challenges. At this point, they can claim that they lost or damaged their SIM card and, having purchased a new one, need to connect a new (the user’s) phone number to that SIM.

With their success, the hacker can essentially circumvent SMS-based MFA measures. If the user connects their email to SMS MFA, the hacker can gain access, lock the account, and use that as a platform for identity fraud and theft.

Protecting Against SIM Swapping Online

With that breakdown, it might seem like protecting yourself against SIM swapping is completely out of your hands. Like any other type of fraud, however, solid approaches to cyber hygiene can minimize this threat.

These include:

• Use Carrier-Specific Protections: Many mobile providers will offer programs that help prevent SIM swapping. These security measures will include additional features in your online account or full-fledged security services added to your accounts. These are good to know and better to implement.
• Adopt MFA Without SMS: If your multi-factor authentication is tied to your SMS (through a one-time password) and your SIM is stolen, then the hacker can use that access to compromise those accounts. It’s better to move to software-based MFA or even passwordless authentication.
• Restrict Usage of Personal Data: It’s understandable to confuse social media with secure media, but in today’s data-driven crime, posting personal data anywhere offers hackers an attack surface.

This isn’t a call for paranoia but a call for responsibility… try to keep personal information, like phone numbers, addresses, banking institutions, or other platforms you use.

• Stay Aware of Social Engineering: When it comes down to it, it’s most likely that if your SIM card is compromised, then it’s probably because they were able to get information from you or your provider.

On your part, stay away from suspicious texts and emails, and if anyone calls representing themselves as your mobile provider, do not believe them. Only trust direct calls to your provider initiated by you using contact information gathered from their website.

Bolster Your Defense Against SIM Swapping with 1Kosmos

So, SIM swapping seems dangerous and complicated to get around. If someone grabs your info and initiates a swap, it seems like the game is up. But this isn’t the case.

Strong authentication built into decentralized apps that avoid SMS and email MFA can ensure that, even if a SIM is compromised, every connected account doesn’t immediately fall. Passwordless authentication can also go a long way toward separating strong authentication from compromised mobile devices without compromising usability.

1Kosmos brings this kind of security to your organization’s authentication systems. With 1Komsos BlockID, you can protect your employee’s devices and accounts in cases where SIM swapping occurs.

With 1Kosmos, you get the following benefits:

• SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
• Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
• Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
• Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
• Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
• Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
• Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Get ahead of strong authentication to prevent SIM swapping with 1Kosmos. Learn more with our SIM Binding Data Sheet, and sign up for our email newsletter to stay educated on 1Kosmos products and developments.

Overcoming Resistance to Change on the Journey to Passwordless MFA

Read More