What is a SIM Swap Attack?

In today’s world of modernization and technology, our lives have become completely digitized, i.e. we depend on electronic gadgets for every single activity. This development has brought us a lot of comfort, but it has also put our privacy at greater risk. The more information we hand over to different online platforms for the so-called purpose of securing it, the more vulnerable and exposed it gets. In this state of affairs, the attackers, bad guys, hackers or whatever you call them find golden chances to break into your personal life by stealing your important information and then harass you with their blackmailing tactics.

With each passing day, cybercriminals find new ways of hijacking your personal data and, unfortunately, the measures that we take to protect our privacy are not sufficient. One such malicious activity is known as a SIM Swap Attack, which is growing very rapidly these days and leaves its victims with no option but to regret their carelessness. In this article, we will try to gain in-depth knowledge about this attack and will also learn some protective measures that can keep us from becoming its victims.

What is a SIM Swap Attack?

A SIM Swap attack is a form of Identity Theft in which a hacker pretends to be you in front of your cellular network provider, fakes a story like “I have lost my mobile somewhere or it has been stolen”, and then asks the provider to issue him another SIM with your number. This attack is also known as a SIM Intercept attack. The question that arises is how someone can convince a customer support agent that he is the real owner of a number, given that cellular network providers usually have very tight security procedures.

Well, these security procedures are either outdated or no longer sufficient to defend you against the SIM Swap attack. The questions that a customer support agent generally asks before issuing another SIM with the same number are: “What is your Full Name?”, “What is your CNIC Number?”, “What is your Mother’s Name?”, “What is your Mobile Number?”, “What is your Email Address?” etc., and people assume that these questions are quite enough to tell fake identities from real ones. However, this is no longer true because of social engineering.

What is Social Engineering?

Social Engineering is defined as the act of gathering as much data about a person as possible through all the social networking platforms that the person uses. This can be done simply by sending fake messages and emails that ask for your personal details. Hackers do exactly this because most people these days are in the habit of exposing their entire lives on social media. There is nothing like secrecy or privacy left anymore. As a result of this carelessness, privacy breaches are very common these days. Hackers can easily gather from these platforms all the information they require to make a customer support agent believe that they are legitimate users. The worst thing is that the hacker does not even need to physically steal your mobile or SIM; he can simply get all the required details through social engineering.

So now you might be wondering what good it would do a hacker to get your number. Mobile SIMs are available at such an affordable price these days that anyone can get a new SIM whenever he wants, so why steal someone else’s number? Well, the answer to this question is a bit complex and tricky. And the saddest and strangest part is that whatever measures we take to protect our privacy, they end up being the root cause of an even bigger problem.

There was a time when most social networking platforms decided that there must be an added layer of security beyond simply allowing the user to log in with his user ID and password. They kept thinking about some other credential that they could set as an account recovery option and, unfortunately, most of them ended up making your mobile phone number the means of recovering your account. It means that most social networking platforms will now ask you for your cell phone number so that whenever you lose access to your account, you can get it back simply by entering a password that the social network sends to your mobile phone and, as expected, most of us considered this very convenient.

Mobile Numbers and Email Addresses being Excessively used for Recovering Accounts

However, by giving away our personal mobile numbers to these social networking platforms, we have put ourselves at great risk. Once you become the victim of a SIM Swap attack, your cellphone is rendered completely useless because you can no longer use it for making or receiving calls, sending or receiving messages, or even logging in to any of the accounts that require your phone number. This is not the end of the after-effects of this attack; rather, it is just the beginning. The hacker can now easily access your bank accounts or any other accounts that send One Time Passwords (OTPs) to your cellphone, because these passwords will now be sent to the hacker’s mobile.

Moreover, these hackers can also open fake bank accounts on your mobile number and then use them for illegal transactions. If these frauds ever get caught, the higher management authorities might still not be able to catch the real culprit because, in a way, you appear to be the culprit simply because your compromised personal information was used in these frauds. The SIM Swap attack has caused a loss of a million dollars to different people since it was invented.

Devastating Consequences of a SIM Swap Attack

How can you protect yourself from a SIM Swap Attack?

By now, we all understand how devastating a SIM Swap attack can be if we ever become a victim of it. That is exactly why people say that “Prevention is better than cure”. So we are listing here some of the precautionary measures that you can take to safeguard yourself against this destructive attack.

  1. The first and foremost thing that we need to learn is SAY NO TO ADVERTISING YOUR LIVES PUBLICLY. This includes all the Facebook, Instagram and WhatsApp stories that we post carelessly, regardless of their consequences. They are a very effective way of revealing your personal life.
  2. Avoid giving your phone numbers and email addresses unnecessarily to platforms that do not require them in the first place.
  3. GET OUT OF YOUR COMFORT ZONES. By this statement, I want to point out one very common habit of people these days, i.e. they set the very same password for all of their accounts just for their convenience. Do you know how harmful it can be? It clearly means that if any one of your accounts gets attacked, all of the linked accounts will easily fall prey to this attack.
  4. Immediately switch to Two-Factor Authentication methods other than simple mobile-number-based authentication.
    SMS Based 2 Factor Authentication is not Sufficient
  5. Stop uploading text files containing your passwords to Cloud storage, because if your Cloud storage account ever gets compromised, you will be doomed.
  6. For private conversations, use messaging applications other than SMS, because SMS messages are not protected by end-to-end encryption.
    Use Messaging Applications that Offer End to End Encryption
  7. Try setting up a PIN for activating your SIM if you get an option to do so, because it will prevent a hacker from using your number even if he gets a new SIM issued on the same number.
  8. Last but not least, as soon as you find out that you are under a SIM Swap attack, either by noticing unusual behaviour of your cellphone or by getting an email from your cellular network provider saying that a new SIM has been issued on your number, immediately contact your cellular network provider and inform them of the issue so that they can block the SIM as soon as possible and try to find the culprit. Also, bring this to the knowledge of your bank and ask them not to perform any transactions in your name until the issue is resolved. This can possibly save you from a major loss.
Ayesha Sajid
Ayesha is a software developer by profession and is currently working as a lead developer with Code5. Programming Skills: ASP.NET, C#, C/C++, Java, Golang, Android, UML, SQL and HTML.