In its most up-front form, here’s the sort of thing that happens.
A crook walks into a mobile phone shop, lets himself get talked into a top-of-the-range new mobile phone to replace the one he says he just lost.
Fell out of his pocket as he was rushing for the ferry and vanished into the harbour, no point in trying to get it back, wouldn’t still be in working order even if it could be dredged up and recovered.
Pulls out his credit card (OK, not literally his credit card, in all likelihood, but a passable clone of someone else’s credit card), and “buys” the new phone.
In fact, he’s not buying it; in non-legalistic terms he’s stealing so he can sell it online the very same afternoon – at half its recommended retail price, he’ll go from listing to sale in a matter of minutes.
But that’s not all: while he’s about it, he gets a new SIM card to replace the one that’s now sunk in the harbour mud, because the new phone isn’t much use without his old number.
Of course, the mobile phone shop carries out an identity check – you can’t be too careful, after all, because you don’t want an imposter to be able to take over someone else’s phone number too easily!
Actually, you can be too careful: the guy just lost his phone, wasn’t expecting to need a new one so doesn’t have his passport with him, seems like a decent chap, and, if the truth be told…
…will probably walk out empty-handed, along with the tidy profit that would go with the sale, if he can’t buy the phone with a working SIM.
Why swap a SIM?
Our cybercrook just doubled his “returns”: as well as a stolen phone he can flog online, no questions asked, he’s also got someone else’s SIM card that he can use to get at their two-factor authentication (2FA) codes for a while.
Of course, it won’t just be anyone’s SIM card – he’ll have chosen the phone number of a victim for whom he already has login information such as usernames and passwords.
A SIM swap is therefore a simple, and annoyingly effective, way for a crook to hack your online accounts even after you turn on phone-based 2FA for added security.
That’s because mobile phone numbers aren’t actually phone numbers at all: they aren’t tied to your phone but to your SIM card, with the result that any 2FA process that depends on SMS messages is vulnerable to a SIM swap.
Ironically, SIM cards themselves are very secure: they’re as good as impossible to clone or to modify unofficially.
But the SIM card ecosystem as a whole has a weak point because almost any mobile phone shop can officially initiate the issuing of a replacement SIM card, where the mobile network ties a new SIM to an existing phone number.
That’s a bit like a country that redesigns its passports to make them much harder to forge, but doesn’t also improve the security surrounding the process of applying for a passport in the first place.
How to spot a SIM swap
If you’re the victim of a SIM swap, you do get a vague sort of early warning: your phone goes dead, because a SIM swap not only activates the newly issued SIM, but automatically deactivates the old one at the same time.
Sadly, you might not notice your phone is dead for a while, and even when you do, you can’t immediately tell whether it’s due to a permanent SIM swap, or a temporary network outage.
Eventually, you’ll figure it out, but at that point you can’t just call up and report the problem – because your phone no longer works!
Worse still, when you do get through to your mobile phone provider, they may think that you’re the imposter, given that you clearly aren’t the person who previously swapped out the SIM.
In the meantime, you’re locked out from your 2FA-protected accounts as well as from your phone, so you probably can’t get in yourself to kick the crooks back out.
(Typically, the first thing a crook will do with an ill-gotten logon is to go in and change all the authentication and account recovery settings, to make it as hard as possible for you to wrest back control of your account once you realise what has happened.)
What to do?
If you’re in the US, it’s worth remembering that the National Institute for Standards and Technology (NIST) recently updated its official “rules for passwords“, announcing that phone-based 2FA is no longer be considered satisfactory, at least for the public sector.
NIST formed the opinion that the lack of control over the issuing of new SIM cards – something that can be initiated in almost any mobile phone shop – means that they simply aren’t good enough to serve as a “tamper-resistant” part of any government 2FA system.
If you’re worried about the risks of SMS-based 2FA for your own accounts, consider switching to an app-based authenticator instead, such as the one built into Sophos Free Mobile Security (available for Android and iOS).
Of course, the security of an authenticator app depends on the security of your phone itself, because anyone who can unlock your phone can run the app to generate the next code you need for each account.
Be sure to set a strong lockcode or passphrase – and use a recent phone model that is still officially and actively supported with security patches.
Also, whether you use SMS-based 2FA or not, contact your mobile provider to find out whether they have additional security you can apply to your phone account.
This additional security is typically still prone to social engineering, where a crook with the gift of the gab talks someone in the support team into skipping one or more important security steps, but it’s better than nothing at all.
Oh, and if your phone goes dead unexpectedly, especially when friends and colleagues on the same network have good signals and you would expect the same…
…try borrowing a phone and calling your provider, just in case.