Have you ever lost your mobile phone?
If so, you already know that your mobile provider will happily sell you a new phone and give you a brand new SIM card to activate the handset.
Lo and behold, when you fire up the new phone, it has your old number, so you don’t need to give all your friends and colleagues a new one.
A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.
You may also need to get a new SIM from your mobile provider if you switch to a phone that requires a differently sized SIM card to the one in your current device.
Indeed, if you’ve ever done such an upgrade, you’ll know that the old SIM suddenly stops working, leaving you in an “emergency calls only” situation on your old phone…
…and a short while later, the new SIM in your new phone automatically comes alive, at which point your usual calls and text messages start arriving there instead.
The important point here is this: most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM to take over your identity.
The jargon term you’ll most commonly hear for this process is SIM swapping.
SIM swapping and security
When someone steals your phone, a SIM swap is a fantastic security benefit because you can quickly invalidate the SIM in the stolen phone, preventing the crook from racking up calls on your account or from receiving private calls and messages intended for your ears and eyes only.
But if the crook is the one perpetrating the SIM swap, a SIM swap is a serious security liability, because now it’s your phone that goes dead and the crook who gets access to your incoming calls and messages.
You can see where this is going.
Many banks and other online services send out SMSes or make voice calls to give you those one-time logon codes you need to complete sensitive transactions, giving you a level of security that is, at least in theory, stronger than just using a username and password.
The process of using one-off authorisation codes for each logon or transaction is popularly known as 2FA or 2SV, short for two-factor authentication or two-step verification, and it means that your password is no use on its own.
Additionally, even if a crook can steal one of your 2FA or 2SV codes, it’s no good next time, unlike a password that may be valid for months or even years.
But with a fraudulent SIM swap, the crooks have – temporarily, at least – as good as stolen all your 2FA codes: this one, the next one, the one after that, and so on.
Worse still, any SIM PIN or phone lock code you’d applied on your old SIM and your own phone are now irrelevant: the new SIM will have a default PIN, and your own lock code obviously doesn’t apply to the crook’s phone.
Worst of all, your phone is dead, so you can’t even phone your provider to raise the alarm.
Why SIM swaps matter
Crooks have been using SIM swaps for years to perpetrate on-line fraud, typically using their window of opportunity to:
- Change as many profile settings on your account as they can.
- Add new payment recipient accounts belonging to accomplices.
- Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.
By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.
After all, once the account has been “claimed” by someone else, apparently with the added security measure of 2FA, you start looking like the imposter when you call up saying you’re the real owner of the account.
Suddenly the ball is in your court to prove you’re the real deal to both your mobile provider and your bank.
Sadly, this scam is still sufficiently commonplace that ActionFraud UK, part of the National Fraud Intelligence Bureau (NFIB), warned about it only last week.
ActionFraud UK refers to this scam as SIM splitting, the only place we’ve ever heard it called by that name, but it’s the same crime: fraudulently persuading a mobile phone shop to re-issue someone else’s SIM, perhaps using fake ID, by guessing at security questions, or by colluding with a corrupt employee. In Australia, you’ll sometimes hear this process called number porting.
What to do?
- Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
- Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a
87X4TNETENNBA. - Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s logon page, then springs into action to record what you type while you’re logging on. A good real time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
- Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they are having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service centre in person if you can, and take ID and other evidence with you to back yourself up.
- Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of logon codes.
Before we go, however, don’t forget that switching from SMS to app-based authentication isn’t a panacea.
Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.
If in doubt, don’t give it out!
Policing and preventing unauthorised SIM swaps is hard – as we mentioned above, most mobile phone shops can initiate the process, so that unscrupulous or careless operators put us all at risk. For this reason, the United States National Institute for Standards and Technology (NIST) recently published new guideliness forbidding SMS-based authentication for the US public service.
LEARN MORE: NIST’s new password rules – what you need to know ►
Jim
So, why isn’t there a second-factor auth. for SIM-swaps? Calling your home phone number comes to mind, or email (that’s NOT available to your phone).
Vog Bedrog
Phone providers *should* be performing ID checks to ensure they’re dealing with the legitimate customer – this would be an adequate level of control. Unfortunately, business concerns like retention and a low-friction user experience often supercede this. Government regulation requiring proper checking is probably the only way to clean up activation of SIMs (restriction can be as low-friction as they like, if anyone is concerned about unauthorised use of their phone/number). It shouldn’t be too hard to go into a shop in the unlikely event of a lost or stolen phone, especially as a replacement can then be picked up on the spot.
Jim
To both Vog and Paul,
Unfortunately, both of you are very correct.
But, until the process is tightened up considerably, perhaps our best option is to not save passwords in a phone or an application in a phone. (By phone, I mean any device with a SIM, not just actual phones.)
Paul Ducklin
Usually, there is. Usually, the mobile phone shop is pretty careful, at least it was when I recently swapped my own SIM. Photo ID and further verification, must attend in person, etc. But *I* didn’t authenticate with the mobile network. The bloke in the shop was effectively a “man in the middle”. I didn’t have to convince the mobile phone operator or some network server. I only had to convince him, and he convinced his boss; between them they clicked the button, and that was it. They gave me a blank nano-SIM, I put it in my iPhone, went to a nearby coffee shop…
…by the time I got there and made myself comfortable, the phone had gone live and I was back online.
From what I have heard, one SIM-swap trick kills two criminal birds with one stone: a mule employed by the crooks goes in and asks about a phone upgrade in your name, umms and ahhs, asks for advice on the latest models, chooses a new phone, agrees to a renewed/extended contract, pays the up-front costs with a stolen card, takes the new SIM, exits the store and gets driven to the next shop by his handler to “swap” the next victim’s SIM and steal the next phone.
The idea is to blind or at least to soften up even a fundamentally honest mobile phone shop with a combination of personable social engineering conmanship and the promise of hitting that daily sales target. “Hey, I’ll take a second charger and a nice hardshell case to go with it.” (Phone bling and accessories sell on [auctionsiteofchoice] pretty easily, I have heard.)
The SIM and the device will both get blown off the network as soon as the fraud is uncovered, but if that takes a couple of days the crooks may well have had long enough to cash out and move on.
Angelo Castellano
I changed the PIN on my courier (Bell Mobility) and have them require it before any changes are made. Made it longer than 4 digits. I also made my carrier deliver any SIM’s to the address on file. No in store pickups or shipping to a third address. This may be an inconvenience but worth it,
And don’t place your banking on your phone!
Phil
I like the absurd name for your first car but I’d avoid using obvious dictionary words like ‘tnetennba’…
:)
Paul Ducklin
Probably should have gone for OVER#+744#6NUMEROUSNESS instead.
Paul Ducklin
To the downvoters of @Phil’s comment – the word TNETENNBA (example usage: “I say, that’s a nice tnetennba”) is actually an in-joke from the TV show “The IT Crowd”.
(As is the word OVERNUMEROUSNESS from my reply. Perhaps you had to be there.)
Steven
I bought 2 of the same phones from different people on Ebay. One can not be set to forward off – it will always forwards the calls to the unknown person. The only way to prevent this is to forward all calls to the home phone. The other phone can be set to forward off and be off.
Ashok Karnawat
Company should provide duplicate card against lost card by verifying biometric data of legitimate customer. This way fraudsters can be prevented to access bank account or online purchase by having OTP.