SIM swapping: what you need to know about this growing threat

If you’re like most Americans, you probably don’t really interact with SIM cards all that much anymore. Unless you’re traveling abroad and need to swap a SIM card out to connect to that foreign network, you might not even know where the SIM card is on your iPhone or Android device. But that simple, tiny piece of plastic could represent one of the biggest security vulnerabilities you’re currently facing. SIM swapping is on the rise, and it could lead to irreparable financial and identity damage if not guarded against.

SIM swapping: what is it?

The SIM card is a small plastic chip inside your phone that tells your device which cellular network to connect to and which phone number to respond to when called or texted. Despite what the name suggests, SIM swapping doesn’t require an attacker to gain physical access to your phone and switch out the SIM card inside it. Instead, SIM swapping typically requires a hacker to call the phone company and leverage any personal information they have about you to convince the phone company they are actually you. That information can come from data breaches or hacks, public records searches, your social media, etc. If the hacker successfully convinces the customer service rep they’re you, the hacker then requests a redirect of all inbound cellular traffic to a SIM card they have in their possession.

Once your phone number is assigned to a new card, they’ve got you.

Why does SIM swapping matter so much?

So what if they have my phone number? While it might be annoying to miss calls from your significant other or family, how much damage can hackers actually do with that? As it turns out, a ton. Most of us don’t use biometric authentication or true authenticator apps as our two-factor verification for sensitive access like bank accounts or email; we use our phone numbers. Those six-digit codes texted to you by your bank or investment broker or email client for two-factor verification? If those texts are going to another SIM card in the possession of a hacker instead of to your device, all your two-factor protection doesn’t matter one bit. From a financial and identity security perspective, it’s one of the worst possible breaches because so much damage can be done in such a short period of time. And according to a prominent researcher, gaining said access isn’t as hard as you might imagine.

So what to do?

The number one thing you ought to do is immediately move away from SMS-based two-factor authentication toward app-based codes. You can use Okta, Google Authenticator, or a solution from a password management service like LastPass, which also has an authenticator app secured by its larger cybersecurity infrastructure.

Ultimately, for business owners and leaders, monitoring and implementing cyber security defenses across the entire enterprise that can stand up to aggressive, disastrous breaches like these are outside their area of core competency. That’s where we come in. If you want a threat-readiness assessment, or are ready to partner with the experts in managed cyberdefense services, please give us a shout today.