What is SIM swapping? What do you need to know?

Did you know that the very same smartphone in your hand could potentially offer a cybercriminal a way to access your financial accounts? What’s more, your phone doesn’t even need to leave your possession for it to become a potential concern. All a cybercriminal needs is your phone number.

This type of fraud, known as SIM swapping, can be used as a way of taking over your bank accounts. And any other account that relies on phone-based authentication. Successful SIM swap fraud will see the cybercriminal taking over your mobile phone number and using it to gain access to the accounts and data that you may have believed to be secured.

How does it work?

Think about your bank account and the way in which you access it. To access your bank account, you will enter in your username and your password. To verify that it is you attempting to access the account, the bank will send a one-time password (OTP) to your cell phone so that you can complete the process of logging in.

This process is typically efficient. And it does serve as an effective way of verifying that it’s you who is accessing the account. However, what if a bad actor was able to change the SIM card that is linked to your mobile phone number? In an instant, they now have the ability to get the OTP to your account.

This will give them control of your account, your finances, and so much more.

Understanding the SIM card

Also referred to as SIM splitting or simjacking, this type of fraud sees cybercriminals taking advantage of a vulnerability in two-factor authentication and verification. The subscriber identity module (SIM) card is the small card inside of your mobile phone that stores user data. It’s important to note that only GSM phones contains a SIM card, CDMA mobile phones do not use a removable SIM card. This article details the difference between the two.

The SIM card contains user data and authorizes the mobile phone to use the mobile network. This makes it a valuable asset to a would-be fraudster.

How it happens

In order to take control of your number, cybercriminals will begin with a bit of social engineering and gathering as much personal info about you that they can. With this information on hand, they can then call your mobile carrier and impersonate you, with the claim of having lost or damaged the SIM card.

The customer service rep will activate a new SIM card that the fraudster already has in their possession. In an instant, this will port your mobile number to the fraudster’s device and the SIM they are using.

If your carrier has layers of security questions for you to answer, how then can a cybercriminal access your account? All of the data that they gathered about you will prove to be useful here. This info could come through the use of malware on your device, the dark web, social media research or phishing schemes.

With control over your mobile number, a fraudster can now access your text messages from banks and even online retailers that may have your financial details stored. They will be able to get any password reset codes that are sent to the phone, for any one of your connected accounts.

With that, they’re now able to access everything you access. Including your bank accounts.

Signs of SIM swap fraud

There are a few warning signs that may help you to recognize that you’ve fallen victim to a SIM swap scam.

  • Social media posts that are not your own. There have been cases where fraudsters have accessed the social media accounts of high-profile targets, with the goal of causing trouble.
  • If you’re unable to make calls or send text messages, this is a very strong indicator that your SIM card has been deactivated.
  • You are not able to access your bank account, credit card accounts, or email. If your login credentials suddenly all stop working, you should contact the relevant organization immediately to protect yourself.
  • Your mobile phone provider may notify you that your phone number or SIM card has been activated on a new device.

Can you protect against a SIM swap scam?

There are a few steps that you can take in order to help protect yourself against a fraudster swapping out your SIM card.

  • Be aware of your behavior online. Phishing emails and public social media info can give fraudsters all of the details they need to know about you.
  • Use strong passwords that only you will know.
  • Find out if your bank and your mobile carrier have procedures in place to alert users if there are any account changes.

ZenKey can help to protect against SIM swap scams. While the FTC offers a number of helpful tips for preventing SIM swap fraud, there are some problems to address when a user is verified simply by having direct access to a phone number.

The person who is in possession of the phone number being used to verify identity or reset passwords is not always the person who should be. The owner of the accounts will almost always still have possession to their actual mobile phone, with the original SIM card in it.

ZenKey takes advantage of this by replacing traditional number-based OTPs with a device-based push message. With ZenKey’s user confirmation function to replace traditional OTPs comes a higher level of assurance and confidence that the push message was delivered to the right user—on the right device.

Why? ZenKey is tied to the device and the SIM card, but our registration process also makes it extremely difficult to fraudulently replicate on a fraudster’s smartphone.

When a mobile user first sets up their ZenKey account, they are required to set up, from a range of available options, at least two recovery methods. These recovery methods will be triggered when the user needs to get into his ZenKey account on a device that is different from the one on which he registered for ZenKey. Typical recovery options include:

  • Establishing an alternate trusted device
  • Creating a recovery code

Because ZenKey is device-based, with an extra layer of security that means the fraudster needs to install the ZenKey app on his own device, re-establish the victim’s ZenKey Identity on his own device and then only can he access the bank or retail accounts he’s trying to get to.

In short, thanks to the recovery methods that ZenKey users are required to set up during initial registration, fraudsters are less likely to succeed in getting into their victim’s ZenKey-protected accounts.

With ZenKey, both the business and their users benefit from the decision to offer and use ZenKey as a stronger, more reliable replacement for the traditional, less secure, username and password.

Are you ready to learn more? Contact us to speak with a ZenKey security expert.