Protect yourself from SIM Swapping
Overview
SIM swapping has become an increasingly common fraud in the digital world over the last decade. The process entails a threat actor calling your mobile phone provider, pretending to be you and convincing them to transfer your phone number to a SIM card the attacker controls. The goal is then to use this to either obtain two-factor authentication codes sent to you by SMS or reset passwords for accounts tied to your phone number.
This article is suitable for a non-technical audience and aims to equip the general public with simple mechanisms to protect their digital estate from this common threat.
Signs you’ve been a victim
The most obvious one would be losing signal on your phone. This is expected if your phone number is transferred to a different SIM you don’t control. Sometimes our phones can lose signal on their own, so use common sense before panicking:
- Turn airplane mode on for 30 seconds and then off - did your signal come back?
- Reboot your phone - did your signal come back?
- Are you in an area with poor coverage, where you would expect to lose signal?
If the answer to all of the above is NO, then you may have been a victim of SIM swapping and should contact your provider to ensure no changes have been requested against your account.
Additionally, you may receive messages, notifications or emails about failed login attempts, password resets, account lockouts and similar events which you have not requested. This is a good indication that somebody is trying to hijack your accounts or phone number.
Basic prevention
As always, common sense is the key to protecting your digital privacy.
- Avoid giving your number to people you don’t know or typing it into random websites
- If for some reason you need to provide your phone number to a website you don’t fully trust, consider using a burner number
- Don’t scan random QR codes from untrusted sources with your phone
In addition, make sure you take appropriate measures to secure the account you have with your mobile provider.
- Use a good, strong and unique password
- Use two factor authentication (provided by either an authenticator app OR a physical hardware token if your provider supports it)
- Have a PIN or secret word you have to verbally share with your provider when calling them to confirm your identity
- Consider using a unique email address for your mobile provider which is not used for anything else
Additional prevention
You can even further enhance your security if you are willing to sacrifice some of your conveniences.
I have adopted something I like to call a 3-tier SIM system (yes, I made that up!). The idea is pretty simple and again requires no special technical skills - security is achieved by segregation.
Prerequisites
- 2 smartphones (one with eSIM support)
- 2 SIM and 1 eSIM cards
Steps
If you are reading this article you most likely already own a smartphone and a SIM card. We will call these your public phone and public SIM. Your public phone should also be the one with eSIM support.
- Your public SIM is inserted in your public phone and is only used for interactions with people - sending and receiving SMS, messaging and phone calls. This works well because all the people you know and everyone you’ve given your phone number to up to now already have it. No need to go through your contacts and message them that you’ve changed your number. This SIM card should never be used for registering online accounts.
- Your eSIM is also attached to your public phone. The difference is that the number associated with your eSIM is never shared with any people. The only purpose of this number is online registrations - think online shopping, social media, forums, etc.
- The new SIM card is inserted into your new phone. This phone will hold all of your highly sensitive apps - government, banking and investment apps. Needless to say, this phone should not be used for daily activities such as browsing mail or websites, making calls, etc. You use this phone only when you need to authorise or make a financial transaction, or access government documents.
Following this simple approach, you sacrifice some of the convenience you are used to, but you enhance your security greatly.
- No person who you’ve given your number directly to will know the phone numbers that your online and financial accounts are protected with
- In case you register to a website with poor security and your data is breached, your financial accounts are still secure and your public number is still not affected
- Financial institutions and governments usually have tighter security compared to your average online retailer so it’s important to use different numbers
In addition, I would advise you to ask yourself:
- Do I need the ability to pay with my phone - why can’t I use cash or a physical card?
- Do I need to have my phone with government and financial apps with me when I’m out during the day - can’t I just make payments at home in the evening?
- Consider keeping your financial phone switched off too - if you only make payments or need to access government apps seldom, it doesn’t need to be on.
- Could I benefit from a burner phone - do I often need to register to services with questionable reputation?
Conclusion
The above approach can be applied in different ways. I’ve personally chosen to segregate based on use cases, however this can be amended. For example, one may choose to segregate based on how secure a website is (breaching Amazon or Facebook databases to extract credentials is very unlikely, but hacking some small-time retailer is probably doable for most determined attackers).
Act quickly - if something looks off, don’t hesitate to call your phone provider, check your email for suspicious account notifications, etc.
If you’ve been a victim of digital fraud - REPORT IT - being silent about such crimes is an encouragement for the threat actors.
The End
Thank you for reading!
You can drop me an email at: 2a9-7cc@96-fromsofia.net.