A SIM swap - also known as SIM porting - is not inherently fraudulent. Telecom providers created this process so that consumers could easily move an existing phone number to a new SIM card. This is helpful in cases where consumers are upgrading to a new phone or replacing a damaged or lost SIM card.
Because this is a data sensitive process, consumers are required to contact their provider, answer questions, and provide account information that verifies their identity before the provider will authorise the SIM swap. However, this is no obstacle for hackers, as proven by last week's hijacking of Twitter's CEO Jack Dorsey account through SIM swapping, in a string of SIM swapping attacks on Internet celebrities.
What is SIM Swap Fraud?
SIM swap fraud is when someone takes advantage of this service in order to port an individual’s phone number to a phone within the hackers control. When this happens, all of the incoming texts and phone calls intended for the victim will be routed to the attacker.
Not only is this a major breach of privacy, but it also allows the attacker to take advantage of yet another feature intended to keep smartphones secure - two-factor authentication. Two-factor authentication (2FA) is a service that businesses can implement that requires consumers to provide two layers of identification in order to access their accounts. In most cases, this includes entering a password and then entering a code texted to the person’s phone.
Well, once the hacker has the victim’s phone number, they can use 2FA to crack into a person’s online accounts, eventually making their way into an account with financial resources.
A timeline of SIM Swap Fraud
Sadly SIM swap fraud is on the rise, which is why it’s increasingly essential for businesses and consumers alike to understand exactly what to look out for.
But thankfully, as with everything, knowledge is power. So here’s a rundown of how SIM swap fraud pans out in practice, to help you know exactly what to be vigilant of.
1. The initial port
The first step in a case of SIM swap fraud is the initial port. This is when the hacker first moves the victim’s phone number onto a mobile device in their control. But how is this achieved?
Like we mentioned in the beginning, in order for a legitimate SIM swap to be authorised, a consumer has to first verify their identity to their mobile carrier. This is required before giving anyone is given the ability to move a number to a new SIM.
Unfortunately, this is not a fool-proof way to ensure that only the SIM owner can swap their phone number. So long as the hacker has sufficient information to pass the verification tests (it could even be as simple as having the answers to security questions or a four-digit PIN) they can get permission to port a number to a new SIM. All the victim will experience is a lack of cell service, which might not even be noticed if the victim is asleep, at work, or using a WiFi instead of mobile data.
2. The hacker gains access to a primary account
Once the hacker has the phone number, they’ll generally move on to cracking into a valuable account as quickly as possible. Most accounts with financial resources tied to them require more than a reset password link or 2FA code to access, though. So, in order to gain access to one of these accounts, the hacker will likely start with a primary account.
An example of a primary account would be a Google account, Apple account, or an email that the rest of a person’s accounts are tied to. With access to one of these primary accounts and a person’s phone number, the hacker can fairly easily get into the rest of the victim’s online accounts.
3. The attacker gains access to an account containing financial resources
Now that the hacker has access to the victim’s primary account, gaining access to the rest of their accounts is relatively simple. All they have to do is go through the password-reset process for the accounts they want to hack into, follow links, and copy verification codes. Once they’ve done this, they’ll have direct access into an account that is tied to the victim’s finances - generally a bank account.
From here, it’s not too difficult to imagine what happens. The victim’s funds are moved into the hacker’s accounts, withdrawals are made, desired goods are purchased, and so on.
Not only does the victim lose some or all of their finances at this point, but they also have lost access to their most valuable online accounts. Recovering these, without their phone number or email address, can be difficult - if not downright impossible.
4. The victim realises what has happened
It might take a few hours, maybe even a day, but at some point the person affected by a fraudulent SIM swap is going to realise that they no longer have access to cellular data or their most valuable online accounts. None of their passwords work, they can’t check their email, and their credit cards are suddenly being declined everywhere.
All they can do at this point is contact their telecom provider and their bank and see what can be done, if anything.
So, what now?
SIM swap fraud is one of the fastest going forms of fraud across the world, as it’s low risk with potentially very high reward. If you’re worried about keeping your customers protected against the risks of SIM swap fraud, consider switching to a secure provider like JT, that has invested in creating reliable, proven defence mechanisms against SIM swapping.
To help you better understand SIM swap, we compiled a simple infographic. Take a look to learn more on the topic.