Headshot of Chris White

Digital Security Awareness - SIM Swap Attack: SMS Multi-factor Authentication Bypass

Estimated read time: 3 min

SIM Swapping and How to Protect Yourself:

Smartphones have become the foundation of modern life. The convenience of smartphones comes a growing threat: SIM swapping. This term might sound like tech jargon, but understanding this attack is crucial in securing online accounts.

You might wonder why this hasn't been solved. Some cellular providers have gone to great lengths while others have not. Let’s explore this attack and expand your understanding.

What is SIM swapping?

SIM swapping, also known as SIM hijacking, is an attack where criminals trick your mobile carrier into transferring a phone number to a SIM card in their possession. Controlling that SIM card gives attackers access to future calls and text messages. They use this access to intercept SMS two-factor authentication codes that should be sent to the original phone. These codes are then used for account takeover.

How does it work?

  1. The attacker starts by collecting personal information, often using social media, and then fleshes out details via social engineering and dark web data.

  2. Armed with personal details, the attacker contacts the mobile carrier, posing as the owner of the phone. They claim to have lost their phone and need to activate a new SIM card.

  3. Once convinced, the carrier deactivates the current SIM card and activates the new one in the attacker’s possession.

  4. A successful SIM swap enables attackers to reset passwords and gain control over accounts that are protected by SMS-based multi-factor authentication.

The consequences of SIM swapping

The impact of a SIM swap attack can be devastating. An attacker who successfully executes a SIM swap can intercept authentication codes and gain access to critical accounts. Leveraging this access allows them to hammer through the company assets, exploiting financial systems, sensitive data stores, and administrative controls. This type of attack can also wreak havoc in the lives of your users, causing financial loss and emotional distress.

Protecting against SIM swap attacks

Practice caution when sharing information: avoid sharing personal details that can be used to impersonate you.

Set a PIN with your carrier: most mobile carriers allow account owners to set a PIN or passcode that must be provided before any changes can be made to your account.

Use multi-factor authentication (MFA) wisely: whenever possible, use app-based MFA (Google Authenticator, Windows Authenticator, Yubico Authenticator, etc.) instead of SMS-based MFA. App-based MFA is tied to your device, which makes it extremely difficult to overcome because attackers need physical possession of your device.

Contact your carrier if you lose service unexpectedly: contact your carrier immediately if your phone suddenly stops working.

Attackers are still wreaking havoc on the world with SIM swap attacks. Arm your organization with the knowledge and tools to bypass the dangers of SMS-based MFA. Multi-factor authentication audits, integrating app-based MFA, and strong security policies are powerful safeguards against these attacks.

This follow-up post is part of a blog series I'm writing called Digital Security Awareness for Non-Technical Professionals.