Understanding the Dangers of SIM Swapping and How to Protect Yourself
Written on
My tumultuous divorce began with the enigma of a missing SD card. One Halloween, I attempted to capture my daughter posing with an enormous pumpkin, only to be met with an error: “no memory card.”
Panic set in.
I had never even heard of an SD card until I consulted a young employee at T-Mobile about my phone's photo-taking issues.
I had an excuse for my lack of knowledge. At that time, I was married to a tech-savvy partner (who I thought I could rely on after 12 years), and I had no interest in understanding the intricacies of an SD card.
But trust turned out to be misplaced.
My tech-savvy husband engaged in an affair with someone he met at our daughter’s preschool.
Betrayal? CHECK.
By taking my SD card, he also erased my cherished memories.
Eight years later, I still wonder what he expected to find on the SD card of a mother, exhausted and burdened with the demands of a toddler.
Now, I understand what an SD card is, yet I still lack the photos that were stored on that card he took from my phone.
Fast forward to this past Halloween, eight years later.
While driving, I overheard an NPR segment about an individual who fell victim to SIM swapping.
My interest was piqued.
By the conclusion of his tale, I felt fortunate that only my SD was taken, as SIM swapping poses a far greater threat. It’s not just memories — photos and music — you lose; you lose your entire mobile identity, including your phone number.
What is a SIM card?
A SIM card differs from an SD card, although both are integral to mobile devices.
According to justaskgemalto.com, a SIM card is described as:
> "SIM cards are primarily designed to connect you to a mobile network, allowing a user to use the communicative functions of a mobile. On the other hand, Micro-SD cards are designed to store information that cannot be held on a phone’s handset. These memory cards can be used to hold downloaded music, apps, or pictures."
If you own a smartphone, you have a SIM card. This card is linked to the phone number provided by your chosen carrier, such as T-Mobile, AT&T, Sprint, and others.
What is SIM swapping?
SIM swapping occurs when someone persuades your mobile carrier to transfer your number to a SIM card in their possession.
Once this is done, the scammer gains access to your text messages, phone calls, and anything else tied to your phone number, including verification codes sent by various online services for password resets.
You, on the other hand, will receive nothing.
Although SIM swapping is an old scam, the stakes are now higher. Your phone number serves as the gateway to receive authentication texts for accessing apps, banking, cryptocurrency, social media, retirement accounts — essentially, your entire online existence.
The consequences can be devastating for every account linked to your phone number, which is typically all of them.
When scammers control your incoming calls and texts, they can bypass the text-based two-factor authentication designed to protect your most sensitive accounts.
The potential rewards of the SIM swapping scam encourage scammers to impersonate you when contacting your carrier. They concoct convincing stories, such as, “My phone was stolen, and I need to transfer my number to a new device.”
They impersonate you.
If the attacker possesses any of your personal data that could verify their identity as yours, they can seize your phone number and access any account that uses your number for authentication.
Phone numbers — a form of ID
Today, phone numbers are valuable as a form of identification, which creates significant vulnerabilities.
What’s even more alarming? There’s little you can do once a scammer takes off with your digital identity.
Allison Nixon, head of threat research at the security firm Flashpoint, states, “In most cases we've encountered, a sufficiently determined attacker can take over someone’s online footprint. Phone numbers were never meant to serve as identity confirmations. Phone companies were never intended to be identity document providers; it was imposed on them.”
Dishearteningly, Flashpoint has detected online activities suggesting that organized efforts employ insider recruitment at retail levels to execute SIM swaps.
SIM hackers have even gone as far as hiring “helpers” from customer service roles within mobile carriers, ensuring they have insider assistance in their schemes.
High-profile scammers target cryptocurrency investors, where substantial gains await, often conducting months of research on their victims before executing the swap.
Gregg Bennett, a businessman from Washington state whose story I heard on NPR, had his Bitcoin account compromised. The SIM swapper made off with 100 Bitcoin, which at that time was worth around half a million dollars, all in mere minutes.
What can you do to protect yourself?
Sadly, complete protection against SIM swapping is currently unattainable. It can happen to anyone, especially while insider threats (employees at carrier companies assisting attackers) persist.
Nevertheless, companies are beginning to take this threat more seriously, largely due to lawsuits from SIM swapping victims.
The primary issue not being addressed is our reliance on phone numbers as part of our identity, which exposes us to cyber threats.
How to safeguard against SIM swapping:
- Set up an additional PIN with your carrier. Some U.S. carriers allow you to establish a PIN or passcode for your mobile account and SIM card, adding a crucial layer of security. The hacker would need this information to transfer anything to a new device.
- Transition to app-based two-factor authentication. Use applications like Google Authenticator or Authy, which are free. These apps provide an extra login code for your accounts — an additional defense. As noted by Wired.com, they also “link it to your physical device rather than the phone number assigned by the carrier. They display a six-digit code that updates every 30 seconds, maintaining synchronization with the services you connect to.”
- Utilize a hardware token. A physical hardware token like the YubiKey offers two-factor authentication through a physical device. This key must be connected to your phone or computer for account access. The authentication code is embedded in the hardware and generates new codes when connected. This is among the most secure methods, as a SIM swapper would need to physically steal the token to access your identity.
- Stay alert for phishing scams. Phishing attempts often use emotionally charged emails to entice you into clicking links and entering login information on fake sites mimicking familiar ones, such as AT&T, to steal your credentials.
- Adopt encrypted messaging. Use encrypted messaging platforms like Signal, iMessage, or WhatsApp instead of SMS. SMS lacks encryption, while these services ensure your messages, including two-factor authentication codes, remain secure and private.
- Create a secondary phone number. Consider acquiring a secret phone number solely for receiving two-factor authentication codes, or use Google Voice, which is free.
- Limit personal information on social media. Refrain from sharing details like your birthdate or mother's maiden name, as scammers often scour social media for information to authenticate you.
How to recognize if you’ve been SIM swapped?
If your phone suddenly malfunctions, messages fail to send, and you lose access to your accounts, it’s crucial to act quickly to prevent further account takeover.
Gregg Bennett sensed something was amiss when he struggled to access his email and found his phone unresponsive. He is currently in arbitration with AT&T.
He suspects his SIM swapper was located on the East Coast.
When asked why he believed this, he informed NPR, “When I finally regained access to my phone, I received a text asking how my service was at the AT&T store in Boston.”
Join my email list here.
Jessica is a writer, an online entrepreneur, and a recovering type-A personality. She resides in Los Angeles with her outgoing daughter, two dogs, and two cats.