SIM-swapping attacks are becoming increasingly common. In these attacks, someone tricks your mobile carrier into porting your number so that you lose control of your phone number. The bad guys can then intercept your calls and text messages in order to capture two-factor authentication requests and then take over your online accounts.
It's a tactic used by identity thieves and those trying to steal valuable online handles. And, it turns out, it's pretty easy to do.
Our mobile phones are becoming an important identity management device. That's happened over time as online services have been using one-time codes sent to our mobile phones and through authenticator apps and services.
In a sense, our mobile numbers are becoming as important as Tax File Numbers and, if you're from the USA, a Social Security Number, as a form of personal identification. But given mobile numbers can be listed in public directories, they are a pretty easy target for someone to find.
To test out how easy it is to carry out a SIM swap, I ported my son's number from my account with a major carrier to a mail-order pre-paid service. It turns out the process is trivially easy. And the only piece of information that's needed to make the change is the originating account number. No other authentication was requested or needed.
I followed up with the three big carriers about the magnitude of this issue. The response I received from Vodafone is indicative of how easy a SIM swap is and how powerless carriers are to stop it.
"Porting fraud and SIM swap fraud is a concerning issue for all mobile carriers. We can’t stress strongly enough the need for customers to be vigilant for online scams.
"Unfortunately, if fraudsters obtain the personal details of customers, they can attempt to perform unauthorised number ports or SIM swaps, usually to attempt to gain access to the customer’s bank account.
"We do everything we can to protect customers from fraud, including recently increased SIM swap security measures and monitoring for suspicious account activity. We strongly encourage our customers to ensure their personal information is kept secure and only provided to known, trusted sources."
A couple of years ago I reported on a low-tech burglary that had a high-tech edge. In that case, a friend had some personal documents stolen when their home was robbed. Amongst the stolen documents were some phone bills. The thieves ported the number, ordered a new phone and took over his Google accounts, resulting in the loss of years of photos.
My friend ended up getting a new phone number and losing years of photos, emails and other information.
I asked Telstra about SIM swaps as well.
Fiona Hayes, Telstra Retail and Regional Executive, said, "A SIM swap is considered a high risk transaction and therefore a one-time PIN is sent to the customer to ensure enhanced due diligence is undertaken."
So, while some carriers are taking steps, it's not universal. One potential way around this would be to have burner mobile number services. In the US, you can access services like MySudo that give you burner numbers that can be used to authenticate access without giving up your real number, but those aren't available here yet.
In the meantime, it's really important to keep your account details well protected. Avoiding paper-based bills that can be stolen from your letterbox is a good place to start. And scanning documents you do receive, storing them securely and shredding the originals is also a good step to take.
SIM-swap attacks are real and surprisingly easy to execute.