You’ve probably experienced the frustration of a smartphone that suddenly dies; usually following a hard drop or software update. But what if only part of it stops working, like the ability to make phone calls and send texts? The problem might not be your phone at all, but cyberthieves who’ve stolen your phone’s identity through SIM jacking.
The subscriber identity module (SIM) is the circuit board that allows your mobile phone to communicate with your cellular carrier. This awesome little piece of technology allows you to buy a new smartphone, move the SIM from the old to the new, and instantly have a working phone. No need to change numbers or re-enter all your contacts! It just knows things, because of the SIM.
Until that SIM is jacked. (SIM jacking is also known as simjacking, SIM swapping and SIM hijacking).
What Is SIM Jacking?
It’s not like carjacking. Cyber criminals don’t need to be anywhere near you (or even on the same continent) to hijack your SIM. They just need enough information about you to convince a person who works for your mobile carrier that they are you.
Where do they get that information? In many cases, they can find it online using search engines and social media. In this business, we call this open source intelligence (OSINT). Or they can purchase it off the Dark Web. Or they can phish you for it. When they have compiled enough of a dossier on you, they simply make a call to your carrier, pretend to be you and say they want the SIM transferred to a new device. Boom, done, your phone is a brick. (OK, a brick that you can play Candy Crush Saga on).
What’s in it for the SIM Jackers?
“So what,” you may be thinking. “Do cyberthieves want to see the 20 texts a day from my mom asking if I’m social distancing?” Not exactly. But they’d be very, very interested in texts or phone calls you get from your bank when you login to your account from a new device for the first time (multi-factor authentication by texts or phone ). Because they have your SIM, those messages and calls will go to them instead, making it far easier to access (and drain) your bank account or other sensitive accounts.
How Common Is SIM Jacking?
Not too long ago, SIM swapping was limited to high-profile, high-return targets, like Twitter founder Jack Dorsey. He was the victim of SIM jacking in August 2019. In his case, it was Dorsey’s Twitter account the thieves were after. They posted offensive messages from his account for about 15 minutes before being discovered and locked out.
But COVID-19 has changed the cybersecurity landscape as criminals look to make the most out of the disruption and isolation that has become the new normal. SIM jacking is becoming more and more common.
What Should You Do if You Suspect SIM Jacking?
Notify your bank and your carrier immediately, as well as any other account locations where you think thieves might be able to do serious damage. If you are an Intrust IT customer, call us ASAP. Our data security experts will work to prevent the hackers from accessing your business accounts with the stolen SIM. You can also visit IdentityTheft.gov for information, especially if you think the cyberthieves may have access to credit card numbers or your Social Security number.
How Can You Prevent SIM Jacking?
The single best thing you can do to protect yourself from SIM jacking is to enable multi-factor authentication (MFA) on all your accounts and use an authenticator app (AA). MFA by AA doesn’t send one-time passcodes (OTPs) to you by text or call your phone number to verify your identity. Instead, you use a specialized app (there are several good ones from LastPass, Microsoft and Authy) on your smartphone to receive the OTP that you are required to enter when you sign in. Authenticator apps are not linked to your SIM. In fact, an AA could be installed on a tablet or PC. If you are using an AA, a cybercriminal would have to have physical access to the device that has the AA on it to get the OTP. In that case, SIM swapping would not give the bad guys access to the OTPs needed to sign in to your accounts. To learn more, visit our Multi-Factor Authentication Guide.
Other steps you can take to improve your SIM cybersecurity include:
- Use a strong, unique password for your mobile account and change it regularly. Don’t include any personal information like your name or birthday. (HINT: These tips apply to all your passwords).
- Ask your mobile carrier to require a PIN code or passcode to make any account changes.
- Never give out personal information to someone who calls, emails or texts you out of the blue. Instead, contact your carrier through the phone number on your bills or their public website. In the business, we call this going “out of band.” Whoever answers will be able to deal with any account issues (or special deals) that the caller wanted to talk to you about, assuming the call was real.
- Beware of email links and phone numbers. Remember that the bad guys can spoof email addresses and phone numbers to make their messages appear more authentic and legitimate. Rollover links to make sure they’re to trusted sites or type in the URL to where you want to go. For phone numbers, see tip #3.
- Don’t share personal information on social media, message boards and other public sites. And be careful where your camera is aiming for those selfies: Sensitive data could be captured in the background.