A SIM swap attack is a fraud technique that is a particular concern for cryptocurrency holders. It involves impersonating a mobile phone user by hijacking their phone number. After collecting personal information about the victim, the attacker contacts the victim's mobile operator and has the number transferred to a new SIM card under the attacker's control, which deactivates the victim's original card.
If you fall victim to SIM swapping, the risks are considerable, especially if you hold accounts on cryptocurrency exchange platforms. Once the attacker controls your number, they can access your online accounts, particularly if you use SMS-based two-factor authentication. This allows them to take control of your email address, log into various online platforms, and potentially steal your funds from cryptocurrency exchanges.
The FBI's 2019 report on digital crime reveals that scams such as SIM swapping, phishing, and vishing resulted in losses of at least $57 million for victims. These types of scams affect more people than other forms of cybercrime. Moreover, frauds involving Business Email Compromise (BEC) and Email Account Compromise (EAC) resulted in losses exceeding $1.7 billion, according to reports received by the FBI in 2019.
The consequences of a SIM swap attack can be catastrophic. Cybercriminals, once in possession of personal data such as birth dates, social security numbers, banking information, credit card numbers, access to social networks, and other sensitive data, can initiate a chain of criminal activities involving numerous actors. Victims may suffer years of identity theft, in addition to financial, professional, and reputational losses. This information can also be used for other account takeovers, credit card fraud, and identity theft.
Finally, the identity of those affected by a SIM swap attack is often never fully restored. Protecting against SIM swap attacks is therefore crucial to break this harmful cycle.
There are several ways to protect yourself and prevent SIM card swaps.
Beware of social engineering attacks such as phishing emails that scammers can use to access your personal data and impersonate you. Sanitise your online presence to reduce risks.
Use strong, unique passwords and security questions and answers known only to you, to enhance the security of your mobile phone accounts.
Add a layer of protection through your operator by setting a separate PIN or access code for your communications. AT&T and T-Mobile allow this, while Verizon requires a PIN that you can change. Never use an obvious PIN, such as a birthday or address, and ideally store your PINs in a password manager.
Avoid building an identity and security authentication solely around your phone number, including text messaging (SMS). This method is vulnerable to SIM swapping fraud and other attacks, and text messaging is not encrypted.
If your mobile phone operator offers it, opt to receive additional notifications whenever a SIM card is reissued on your account. When choosing banks, retailers, and other organizations to use online, look for those that use behavioral analysis technology to detect compromised devices and that add verification prompts designed to deter identity thieves.
Some treat SMS verification, the very channel that SIM swapping abuses, as an example of two-factor authentication (2FA), but this is far from the case. In fact, SIM swapping fraud is an argument for strong authentication, using a physical security key as the second factor.
Physical authentication techniques are superior to standard 2FA because they combine something you know, like a password, with something you possess: a physical token. A hacker must physically obtain your token to gain access.
It is essential to apply at least two levels of security. This means two factors: something you know, like a code or password, and something you have, such as a push notification or a one-time password (OTP) generated by a registered device.
Where possible, increase your security level for most critical assets. For this, apply two-factor authentication (2FA) combining something you know, like a password, with a hardware cryptographic token. This could be a FIDO key (Fast Identity Online, an international standard for robust authentication devices like secure USB keys) or a smart card.
Strong authentication reinforces confidence in the user's identity. When the user's identity and the infrastructure itself are more trustworthy, a social engineering attack via SMS or call is less likely.
For particularly sensitive accounts, it may be worth removing your phone number from the account entirely where the service allows it. This is hard to do at scale, but for high-value targets it may prove necessary.
Contact your phone operator to see if specific security measures can be activated. Operators in France have implemented increased controls to combat this fraud, but individual vigilance remains essential.