You’re sitting at your desk, and you decide to make a phone call. You’re choosing what to eat for lunch. You pick up your phone and decide you’re going to text a coworker to see where to go. Unfortunately, you don’t have a signal on your phone. You notice your phone displays an error stating there’s no SIM card.
This could be a minor error with your phone’s software—or it could be the beginning of an extremely damaging cyberattack known as SIM swapping. At this point, a cybercriminal could be breaking into your bank account, email account, or online storage. And if you have access to critical systems for your business, such as a corporate bank account or access to the corporate social media accounts, the cybercriminal could easily start to ruin your business.
Managed services providers (MSPs) and managed security services providers (MSSPs) in charge of their customers’ security need to know how to deal with these attacks. While you can’t completely eliminate the threat, there are steps you can (and should) take to stay safe. But first, it helps to understand how these attacks occur.
SIM cards store basic information about the subscriber, such as their phone number, carrier information, billing information, and in some cases, address books and contacts (though not every phone stores contacts on the SIM). Phone providers offer the ability to swap SIM cards for convenience—if a customer loses their phone or their phone is stolen, this allows the original owner to recover their phone number and transfer the service to a new device. However, cybercriminals can attempt to impersonate a phone owner, transfer their number to a new SIM card, then use this to break into personal accounts like banking or social media.
SIM swapping often starts with the cybercriminal doing some reconnaissance to discover personal information they can use in the attack. A lot of the information they’ll need is publicly available, like the victim’s name, home address, and phone number. They can often get social security numbers or account user names by gaining information from previous mass data breaches. However, they may also try email and text phishing scams to get even more info.
Once they have enough personal information, they call the cell phone service provider, claim to be you, and ask them to transfer your phone number to a new SIM card. Since the criminals have already done some upfront recon work, they can answer security questions well enough to fool the support line for your phone provider. Not all SIM swap attacks involve impersonation, though—sometimes an employee of the phone provider will initiate the swap.
At this point, they’ll receive every phone call and text message sent to your number on the device holding the transferred SIM card. This is where the bad stuff starts happening. If they have your credentials and need 2FA to get into an account, they’ll receive the text messages and get in immediately (and don’t forget—with people often reusing passwords and credentials across accounts, getting someone’s password can be way too easy). They can also trigger password resets on accounts and receive the temporary codes via SMS to take over your accounts.
After that, it depends on their goal. Some SIM swappers have stolen social media accounts, especially Instagram accounts, changed the personal info on the account to make it almost impossible for the original owner to recover, and sold the usernames to third parties. Some have broken into Instagram accounts of celebrities to leak personal photos. They could change your email account’s password, then start compromising other linked accounts such as bank accounts or online shopping accounts. They could do all of this and start extorting you for money. One SIM swapper successfully stole over $1 million USD in cryptocurrencies.
These attacks are notoriously difficult to deal with. The weak link here is the phone provider, as they’re the ones allowing the SIM swap to occur. However, there are still precautions you can take.
First, for any mobile device you’re in charge of managing, meet with the mobile service provider and have them require a designated person to physically enter the store with proper identification before making a SIM swap. You should do this on your personal devices, too.
Second, remember that SIM swapping often kicks off another type of attack. Once someone has taken over a customer’s mobile number, they will use it to break into other accounts. Wherever possible, consider using an authenticator app like Google Authenticator or Authy instead of SMS-based 2FA. Some services offer these options while others don’t. Additionally, you could consider using physical hardware tools for authentication, such as YubiKeys or other USB-based tools, which require users to physically possess a separate authentication device to get into an account.
Third, keep your own security house in order. Request that any employees for your MSP or MSSP follow these guidelines on personal devices. Imagine what could happen if a tech on your team fell victim and the attacker ended up with access to your email or RMM system. That could spell bad news for your customers as well (and your business as a whole).
Finally, user-awareness training can add an additional layer of security. Teach employees to be on guard against email or text-based phishing attempts or any unrequested 2FA messages they receive. This could be the start of the recon phase, where the criminal attempts to gain enough information to kick off a successful attack. Additionally, train employees to recognize the signs of a potential attack, such as an inability to send or receive calls or text messages or a message that their SIM card is missing. It’s worthwhile teaching them about authenticator apps like Google Authenticator so they’re aware of the flaws of current authentication schemes and know to protect accounts where stronger 2FA options are available.
SIM swapping has become increasingly common over the past few years. This attack doesn’t require sophisticated scripting—it often requires just a little bit of background information on the victim to launch a devastating attack. However, with some upfront preparation, you can hopefully prevent the attack—or at least minimize the damage.
Marco Muto, director, Business Development at SolarWinds