Stopping SIM Swapping: Tips for Consumers & Mobile Carriers
Mobile phone SIM swapping attacks are skyrocketing. In the U.S. alone, it’s estimated that consumers lost nearly $70 million to SIM swapping in 2021, while in Spain, the National Police recently arrested eight people accused of participating in a crime ring that drained bank accounts in a spate of SIM-swapping attacks. The problem is so pervasive that Microsoft has warned consumers not to use phone-call or SMS-based multi-factor authentication (MFA).

What Is SIM Swapping?

SIM swapping, also known as SIM hijacking, SIM jacking, or SIM splitting, is a type of account takeover (ATO) attack where cybercriminals get a victim’s mobile phone number transferred to a new SIM card. SIM swapping attacks typically play out in one of three ways.

  1. Phishing attacks against consumers. Here, cybercriminals use phishing to obtain mobile customers’ personal identifying information, then use this information to impersonate the customers and convince mobile carrier employees to issue new SIM cards with the targeted phone number. This is how the attacks in Spain were perpetrated.
  2. Phishing attacks against mobile carriers. In this scenario, cybercriminals use phishing to entice mobile carrier employees to either provide their passwords or download malware, which is used to breach mobile carrier systems so that cybercriminals can perform SIM swaps themselves.
  3. Malicious insiders at mobile carriers. This occurs when a cybercriminal works directly with a mobile carrier employee who has the authorization to carry out SIM swaps.

However the attack is carried out, the end result is the same. Once cybercriminals have the consumer’s mobile phone number switched to the SIM in their possession, they can insert it in a new device, use it to bypass phone-based MFA, reset the consumer’s login credentials, and take over their online accounts and apps.

Stopping SIM Swapping: Tips for Consumers

  • Always protect your online accounts with 2FA whenever possible, but do not use phone calls or text messages for authentication. Instead, use biometrics, a physical security token, or a standalone authentication application.
  • Avoid sharing your mobile phone number or other personal information, such as your street address, online.
  • Never share personal financial information online.
  • Never provide your mobile number account information in response to unsolicited phone calls or emails that allegedly come from your mobile carrier. Verify the contact by calling your carrier’s customer service line or logging into their website directly.
  • Use strong, unique passwords for all of your online accounts.
  • Never store your login credentials or other sensitive information in a text file, spreadsheet, or other unencrypted medium. Instead, use a password manager like Keeper, which stores your login credentials and other personal information in an encrypted vault that only you can access.
  • Consider switching your mobile carrier to Efani, a secure mobile service with an encrypted SIM Card that secures your mobile account and personal information from potential SIM swap vulnerabilities and backs it up with a $5M insurance coverage per individual.

Stopping SIM Swapping: Tips for Mobile Carriers

  • Train your employees on cybersecurity awareness, including how phishing attacks are used for SIM-swapping.
  • Develop comprehensive security protocols for your employees to verify customer credentials before changing their numbers to a new SIM card.
  • Use role-based access control (RBAC) to limit the number of employees with authorization to switch numbers to a new SIM card, and use audit logs to track all of this activity, including who made the switch and when.
  • Require your employees to use strong, unique passwords and enable 2FA for all of their work accounts, and enforce these policies with a robust enterprise password management and encryption platform such as Keeper.
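The carrier-side controls above (a verification protocol before any SIM change, RBAC limiting who may perform it, and an audit log that records who changed what and when) can be modelled in a few dozen lines. The following is an added example, not Keeper's or any carrier's code; the roles, verification checks, employee names, phone numbers and ICCID placeholders are all constructed for illustration. It enforces the role check and the verification checklist, writes every attempt (allowed or denied) to an append-only log, and then runs two detection rules over that log: an employee performing an unusual number of swaps in a short window, and a number that was swapped shortly after a denied attempt on the same number.

```python
"""Added example: carrier SIM-change workflow with RBAC, mandatory identity
verification, an append-only audit log and two detection rules over the log.
All roles, names, numbers and ICCIDs below are constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical roles: only "sim_admin" holds the change_sim permission.
ROLE_PERMISSIONS = {
    "support_agent": {"view_account"},
    "sim_admin": {"view_account", "change_sim"},
}
# Hypothetical verification steps an agent must complete before a swap.
REQUIRED_CHECKS = {"account_pin", "photo_id"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    employee: str
    action: str    # "change_sim" or "change_sim_denied"
    msisdn: str    # subscriber phone number
    detail: str


class SimChangeService:
    def __init__(self):
        self.audit_log: list[AuditEvent] = []  # append-only; never edited in place

    def _log(self, ts, employee, action, msisdn, detail):
        self.audit_log.append(AuditEvent(ts, employee, action, msisdn, detail))

    def change_sim(self, ts, employee, role, msisdn, new_iccid, verification):
        """verification maps check name -> bool (e.g. {"account_pin": True}).
        Returns True only if the number was moved to new_iccid."""
        if "change_sim" not in ROLE_PERMISSIONS.get(role, set()):
            self._log(ts, employee, "change_sim_denied", msisdn, f"role={role} lacks change_sim")
            return False
        passed = {name for name, ok in verification.items() if ok}
        missing = REQUIRED_CHECKS - passed
        if missing:
            self._log(ts, employee, "change_sim_denied", msisdn, f"unverified={sorted(missing)}")
            return False
        self._log(ts, employee, "change_sim", msisdn, f"new_iccid={new_iccid} verified={sorted(REQUIRED_CHECKS)}")
        return True


def detect_velocity(log, max_per_window=3, window=timedelta(hours=1)):
    """Employees who completed more than max_per_window swaps inside any
    sliding window: a signal for a malicious insider or a phished agent account."""
    swaps = [e for e in log if e.action == "change_sim"]
    flagged = set()
    for e in swaps:
        n = sum(1 for f in swaps if f.employee == e.employee and e.ts - window < f.ts <= e.ts)
        if n > max_per_window:
            flagged.add(e.employee)
    return flagged


def detect_retry_after_denial(log, window=timedelta(hours=24)):
    """Numbers swapped successfully within `window` after a denied attempt on
    the same number (a caller who failed verification and tried another agent)."""
    denied = [e for e in log if e.action == "change_sim_denied"]
    return [
        (e.msisdn, e.employee, e.ts)
        for e in log
        if e.action == "change_sim"
        and any(d.msisdn == e.msisdn and e.ts - window <= d.ts < e.ts for d in denied)
    ]


def build_sample_log():
    """Constructed scenario: one clean swap, one RBAC denial, one failed
    verification followed by a swap from another admin, then a burst of swaps."""
    svc = SimChangeService()
    t0 = datetime(2022, 3, 1, 9, 0)
    ok = {"account_pin": True, "photo_id": True}
    svc.change_sim(t0, "alice", "sim_admin", "+15550100001", "ICCID-0001", ok)
    svc.change_sim(t0 + timedelta(minutes=5), "bob", "support_agent", "+15550100002", "ICCID-0002", ok)
    svc.change_sim(t0 + timedelta(minutes=10), "carol", "sim_admin", "+15550100003", "ICCID-0003",
                   {"account_pin": True, "photo_id": False})
    svc.change_sim(t0 + timedelta(minutes=50), "dave", "sim_admin", "+15550100003", "ICCID-0003", ok)
    for i in range(4, 8):
        svc.change_sim(t0 + timedelta(minutes=50 + i), "dave", "sim_admin", f"+1555010000{i}", f"ICCID-000{i}", ok)
    return svc


if __name__ == "__main__":
    svc = build_sample_log()
    for e in svc.audit_log:
        print(e.ts.isoformat(), e.employee, e.action, e.msisdn, e.detail)
    print("velocity:", detect_velocity(svc.audit_log))
    print("retry after denial:", detect_retry_after_denial(svc.audit_log))
```

The two rules are deliberately simple so the log format, not the analytics, is the point: a swap can only be investigated after the fact if the log captures the employee, the target number, the new ICCID, the verification steps actually completed, and the denials as well as the successes. In practice the thresholds would be tuned per shop and the alerts routed to a fraud queue rather than printed.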

Keeper’s zero-knowledge password management and security platform gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, 2FA, RBAC, and other security policies.

Not a Keeper customer yet? Sign up for a 14-day free trial now! Want to find out more about how Keeper can help your organization prevent security breaches? Reach out to our team today.