What is SIM Swapping?
Individuals and organizations are always encouraged to use multi-factor authentication methods, with one of the most popular choices being two-factor authentication (2FA). Almost all of our online accounts require 2FA and this can include everything from bank accounts to social media apps and email addresses. These accounts quite often use a person’s phone number as the second factor. The use of phone numbers as personal identifiers has become problematic, as hackers have begun to circumvent 2FA security measures simply through a SIM swap. SIM swapping then allows them to gain access to practically all of these accounts with 2FA, thereby compromising a person’s financial and private information.
SIM swapping is not the most complicated of attacks. First, the hackers target a specific person and then attempt to uncover enough of the necessary personal identifiers to impersonate them with a telephone carrier. For example, the hackers decide to call the targeted victim and impersonate a government agency or their bank. By acting as an official, such as an IRS employee, the hacker can manipulate the victim into divulging confidential information. Once they have the info they need, the hackers move on to the actual SIM swapping. They call the victim’s telephone carrier and pretend to be the victim. They ask the carrier to reroute all calls and messages from the original number to the new one associated with the hacker’s SIM. Now, every call and text message goes to the hacker rather than to the victim’s number and associated SIM. The SIM swap is complete.
The Dangers of SIM Swapping and its Nefarious Goals
The scam does not stop at intercepting the victim’s calls and messages. SIM swapping gives the hackers access to all of the victim’s accounts that have the original phone number set up as the second factor in 2FA. Whether it is through a password reset or the bypassing of security measures, the 2FA process sends a code or password to the phone number, which is supposed to confirm the account holder’s identity. Since the SIM has been swapped, the code goes to the hacker instead and allows them to enter any account they wish.
SIM swapping is highly worrisome, especially for public figures, if the hackers decide to post content on social media accounts. However, beyond posting on Twitter or Instagram, hackers can now penetrate banking accounts. If a bank account is connected to a phone number, the account is now vulnerable to hacking. The hackers can further impersonate the victim and, potentially, drain them of their financial and monetary assets.
If your organization uses multi-factor authentication, we encourage you to use more than two factors. However, if 2FA suits your organizational needs, mitigating steps include using methods of identification other than phone numbers.