All You Need to Know About SIM Cards and Smartphone Takeovers

September 24, 2021 | Fraud Protection
SIM card swapping and fraud prevention

SIM Swapping Lets a Scammer Take Over Your Smartphone. Learn the Risks to Avoid This Scam

SIM. It stands for Subscriber Identity Module, a small object that’s an essential part of your smartphone. While SIMs do not contain a complete record of your phone’s usage, they contain important data about your account and your carrier. Some also store contacts. Without this card, the device won’t make or accept any calls.

Your SIM card looks like the golden chip that’s on the front of most credit cards in circulation today, but bigger. Think of this microdevice as an on/off switch for your phone.

SIMs offer flexibility in several situations. International travelers use SIMs to handle multiple phone numbers, for example. It’s handy to have a local number for the country you’re in so callers won’t have to pay international rates to reach you.

SIM cards can pop in and out quickly, but a tiny, pointed object might help trigger the release. A thief who gets their hands on your phone can also remove that SIM. However, that’s not the looming risk. The biggie is hackers who trick your cell carrier into moving your account and phone number to a SIM card they possess.

How SIM Swapping Works

Porting your phone number to a different SIM card is common if your device is lost or damaged beyond repair. Once the number is switched to a new SIM, the smartphone holding the old one disconnects from the cellular network. From there, the possibilities for damage or account takeover are massive.

Unauthorized SIM card diversions are so common they’ve earned their own name: SIM swapping. It starts when a thief calls your carrier and attempts to convince a service rep that they are you. A spoofed caller ID using your name adds an element of credibility to this pitch. A naïve, hasty, or unseasoned customer support agent then authorizes the requested swap.

“If your provider believes the bogus story and activates the new SIM card, the scammer—not you—will get all your text messages, calls, and data on the new phone,” the Federal Trade Commission (FTC) warns consumers.

After the substitution occurs, the scammer receives any communications meant for you, including one-time login codes. For example, if you’ve enabled multi-factor authentication (MFA) or two-factor authentication (2FA) for sensitive websites, a crook must enter those one-time digits for access. With the code in hand, the thief completes the second step to log in. As a result, your accounts become wide open to criminals. Their first step will probably be to change your passcode to shut you out.

Data breaches like the recent massive T-Mobile breach leaked buckets of personal information for 53 million applicants and users. All these details boost a scammer’s odds of success—even when faced with security questions they must answer. Would-be con artists already possess the last four numbers on your Social Security card and payment card or know where to buy those details.

Risky Business

What could possibly go wrong? A year ago, a group of Princeton University researchers released study results on the authentication process of five wireless carriers that offered prepaid plans. T-Mobile, Verizon, and AT&T were on that list. The researchers’ conclusion? Quite a lot can and does go wrong.

“We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers,” the authors wrote.

The group also examined 140 popular websites, identifying 17 that had questionable security. Princeton’s team then notified those 17 companies last spring. After 60 days passed, the team found that just over half of the businesses had failed to fix their vulnerabilities. That 2020 list included PayPal, Venmo, AOL and Amazon. It’s unknown whether those sites were later updated.

If 2FA is easily defeated, what about other options? While some experts may advocate for alternatives like one-time tokens or keys, not all websites offer an alternative to 2FA.

A Time-Consuming Headache

Here’s how one reader explained her SIM swap experience: “The only clue that something was wrong was the text from ATT stating my account password had been changed. SCARY. Needless to say, I have since changed all my social media and email passwords again.”

Another victim described the experience this way: “It ruined my life for at least 3 weeks while I went around plugging holes. They got into everything using my SIM: email, bank account, credit card, even the credit card processing for my business.”

The mess that a SIM swap creates can take weeks to clean up. The surge in recent data losses worldwide keeps feeding the market for new attacks on unsuspecting customers. So, a rise in SIM swaps may be just around the corner.

Time loss is not the worst impact, either. If you’re the victim of a SIM swap, the intruder proceeds to crack accounts like Amazon or Costco along with bank holdings. Hackers hunt for credit accounts where card data has been stored. They can run up huge bills before detection. Gift cards are a popular purchase as they’re readily monetized.

That said, financial losses could be temporary thanks to federal consumer protection laws. Credit issuers generally don’t hold cardholders liable for unauthorized purchases. Even banks routinely restore stolen funds, but these actions can take days or weeks. However, gift cards probably aren’t covered if you voluntarily surrender access details.

Shield Yourself

Take some proactive steps to prevent a swap. These include:

  • Limit the personal information you share online
  • Avoid easy-to-guess security questions for verification
  • Choose more complex methods like 2FA to restrict access to highly sensitive accounts

IDShield monitors member phone numbers 24/7 along with bank account and credit card details. We can detect stolen Social Security numbers for sale on the Dark Web, too. If your data turns up anywhere it shouldn’t be, we alert you and work with you to solve the problem. Check out IDShield's individual and family monitoring plans.

IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. IDShield plans are available at individual or family rates. For complete terms, coverage, and conditions, please see an identity theft plan. This is meant to provide general information and is not intended to provide legal or tax advice, render an opinion, or provide any specific recommendations.
