If you are at all interested in internet security or follow the news about the latest hacks and fraud alerts, you have probably noticed the continual back-and-forth that goes on between the “security guys” and the “hacker guys.” Hackers find a way to steal data; security finds a way to prevent the theft; hackers find a way around the protections; security adjusts to block the new threat; and so on.
Two-factor authentication (whereby, in addition to their password, a user logs into a site using a unique code that they receive through their phone) has been one advance that poses a significant challenge to the hackers. Even if they somehow manage to steal or buy or trick you out of your login credentials and the answers to your security questions, they are still out of luck without access to your actual phone.
But, as always, the threat adjusts. The bad guys have begun using SIM swap scams to get around two-factor authentication and that means…you guessed it: we need to adjust our thinking and security as well.
What is a SIM swap scam? The SIM card is the chip inside a phone that identifies your phone to the carrier. It can be moved to another phone in order to transfer your phone number and data plan, and it can store a small amount of data, such as contacts. The fraudster’s goal is to gather enough information about you – through phishing, social media, etc. – to allow them to pose as you and request a new SIM card from the carrier. They might claim that the card has been damaged or stolen, for instance. The carrier, if they are fooled, will then transfer your number and data plan to a new SIM, which will be plugged into the bad guy’s phone.
Your phone, with your real SIM card, will immediately stop working. The bad guy, however, if they’ve also got hold of your mobile banking login information, will log into your bank account, and now the two-factor authentication code goes…to his phone. He’s into your account and you’re in trouble. He can also use his phone to rack up huge data or international calling bills, bills that will be charged to you.
The good news is that this type of scam, though it has grown in popularity, still requires the hacker to gather quite a bit of information about you. They still need to get their hands on your login credentials for the bank or financial institution. They still need to gather enough information to convince the cell carrier that they are you. So all the old advice still applies: be careful to have strong passwords, don’t click on unfamiliar links in email, be careful what information you make publicly available on social media, etc.
However, if your phone suddenly stops receiving calls or texts, this might be a sign that you’ve become a victim of SIM swap. Sometimes the fraudster will send you a text claiming to be your carrier and asking you to turn off your phone for scheduled “maintenance.” Or you will receive a flurry of annoying calls/texts from an unknown number. Both of these instances are intended to get you to turn off your phone so you don’t recognize when your service is no longer working. This gives the thief more time to break into your accounts before you discover that something is amiss.
If your phone should stop receiving texts/calls unexpectedly, or you are receiving strange texts encouraging you to turn your phone off for “maintenance,” you should immediately contact your cell phone carrier. Another good way to stay on top of possible problems is to register with your bank for alerts that come in both text form (SMS) and email. That way, if you’re cut off from your phone, you can still get alerts via email. Many times these scams also happen when you are traveling overseas. You can notify your cell phone provider of your plans to travel so they will keep your account on alert while you are out and about.
The “good guys” will continue to adjust to this new scam and financial institutions and cell phone companies will eventually roll out more sophisticated ways of combating SIM swap. Until then, an ounce of prevention is worth a pound of cure: stay vigilant and cautious with all your online accounts’ information and keep an eye on your phone for any suspicious activity.