Somebody gaining access to your phone is a fear we all have, but one that is rapidly becoming more likely. SIM swapping involves redirecting a victim's phone number to a new SIM card, which attackers then use to impersonate the victim and obtain private details. Attackers may also clone data from the SIM card so that they retain access to it 24/7.
Since 2015, SIM swapping has gone up by 400%, and it is a major concern for all of us who store personal data on our mobile devices or use them to verify access to online accounts. We look at the vulnerability attackers target and how this access could also put an organisation's private data at risk.
Phone numbers are a vulnerable form of authentication: they can be claimed without prior checks, which gives attackers an easy way in. A successful SIM swap hands an attacker all of the device's communications, which can then be used to gain access to passwords, contacts and private accounts.
With mobile phones becoming inherently linked to our digital identity, there is a risk to organisations that individual employees may be targeted for the data on their work devices. High-profile employees could be particularly at risk through spear phishing (which targets specific individuals or organisations) or whaling (which focuses on senior executives).
SIM swapping creates a back door to personal data: once the attacker controls the phone number, they receive the two-factor authentication codes sent to it and can use them to get into other applications and reset passwords.
Attackers contact the victim's mobile provider, claim to be the victim and ask customer service to swap the SIM to a new one in the attacker's possession. Once the number has moved, the victim's calls and messages, and the personal details they carry, go to the attacker instead.
Phone providers are under increased scrutiny to prevent social engineering attacks and help reduce SIM swapping. Victims are also calling on these providers to prioritise security, as we saw earlier this year with the lawsuit against T-Mobile from a Bitcoin investor who lost over £320,000 in a SIM swap attack. He alleged that the company's "failures to protect and safeguard its customers' highly sensitive and financial information" were a major cause for concern, and that better verification was needed to protect mobile users.
Both employers and employees have a role to play in staying safe. Employers need to have security measures in place but also emphasise personal responsibility for individuals working for the company. Employees must be cautious of social engineering tactics, such as phishing emails, that deceive mobile users into sharing their data.
It's essential to recognise how weakly phone-number-based authentication is secured, and to avoid building identity verification solely on phone numbers, since it is difficult to confirm who actually holds a number. Mobile phone users should consider requiring other forms of authentication, such as multi-factor authentication (MFA), which Microsoft has shown stops 99.9% of account compromise attacks. This should be backed up by contacting the individual's service provider to set up security questions, using whatever security measures the SIM provider offers.
We all need to be alert to the ongoing threat of SIM swapping and take action to prevent it. For businesses, it's important to use the security tools available and to advise individuals within your organisation to secure their mobile devices and other logins. They can do this by using multi-factor authentication and by asking their providers for further password verification, which limits an attacker's access and helps keep personal data secure.
For more information on cyber security and reducing your cyber risk, contact Nick Smith.