Watch Out For SIM-Swap Attacks

Image: iStock

SIM-swapping attacks are becoming increasingly common. In these attacks, someone tricks your mobile carrier into porting your number so that you lose control of your phone number. The bad guys can then intercept your calls and text messages in order to capture two-factor authentication requests and then take over your online accounts.

It's a tactic used by identity thieves and those trying to steal valuable online handles. And, it turns out, that it's pretty easy to do.

Our mobile phones are becoming an important identity management device. That's happened over time as online services have been using one-time codes sent to our mobile phones and through authenticator apps and services.

In a sense, our mobile numbers are becoming as important as Tax File Numbers and, if you're from the USA, a Social Security Number, as a form of personal identification. But given mobile numbers can be listed in public directories, they are a pretty easy target for someone to find.

To test out how easy it is to carry out a SIM swap, I ported my son's number from my account with a major carrier to a mail-order pre-paid service. It turns out the process is trivially easy. And the only piece of information that's needed to make the change is the originating account number. No other authentication was requested or needed.

I followed up with the three big carriers about the magnitude of this issue. The response I received from Vodafone is indicative of how easy a SIM swap is and how powerless carriers are to stop it.

Porting fraud and SIM swap fraud is a concerning issue for all mobile carriers. We can’t stress strongly enough the need for customers to be vigilant for online scams.

Unfortunately, if fraudsters obtain the personal details of customers, they can attempt to perform unauthorised number ports or SIM swaps, usually to attempt to gain access to the customer’s bank account.

We do everything we can to protect customers from fraud, including recently increased SIM swap security measures and monitoring for suspicious account activity. We strongly encourage our customers to ensure their personal information is kept secure and only provided to known, trusted sources.

A couple of years ago I reported on a low-tech burgulary that had a high tech edge. In that, a friend had some personal documents stolen when their home was robbed. Amongst the stolen documents were some phone bills. The thieves ported the number, ordered a new phone and took over his Google accounts resulting in the loss of years of photos.

My friend ended up getting a new phone number and losing years of photos, emails and other information.

I asked Telstra about SIM swaps as well.

Fiona Hayes, Telstra Retail and Regional Executive, said a "A SIM swap is considered a high risk transaction and therefore a one-time PIN is sent to the customer to ensure enhanced due diligence is undertaken".

So, while some carriers are taking steps, it's not universal. One potential way around this would be to have burner mobile number services. In the US, you can access services like MySudo that give you burner numbers that can be used to authenticate access without giving up your real number but those aren't available here yet.

In the mean time, it's really important to keep your account details well protected. Avoiding paper-based bills that can be stolen from your letterbox is a good place to start. And scanning documents you do receive, storing them securely and shredding the originals is also a good step to take.

SIM-swap attacks are real and surprisingly easy to execute.


    might be relevant to point out that Comms Alliance has issued guidelines for the "Pre-port verification process" they expect carriers to implement by 30 June 2019 which will require a verification SMS is sent to the porting number before the port starts.

    Would think an entire article dedicated to this would be aware of the changes currently underway to address this exact issue.

    It's even worse than described above. Historically a date of birth has also been an acceptable credential to perform a port out. I'm prepared to bet that they can still be used.

      it is still this way..

      Prepaid services only require DOB for porting. Postpaid services require an account number.

        I haven't worked in the space where I'd perform a port for a long time, however given the pre and post paid customer management system was the same, I'm prepared to bet a DOB could still be used for a post paid port.

    They should just refuse to port numbers unless you do it in person, in a store, with the original SIM presented at the time (along with identification).
    Why can't I request my provider make this a setting on my account?

      Whilst that addresses the security aspect, it would do two undesirable things:
      1. Put a massive support load on stores, which are predominantly a sales outlet, and still have to ring it in anyway
      2. Impact heavily on businesses. A huge amount of SIM swaps are from staff either bringing their number in or out of a business

      Ironically, the business SIM swaps are subject to a much larger degree of authentication.

      Most carriers will allow you to have a PIN on your account for MACs. The problem is that it is not always enforced.

        Not to mention that the system is fairly automated these days. If a carrier gets a valid port request, they have to release the number. No ifs, ands or buts. If the authorisation details match, port gets fulfilled.

        The onus is really on the new provider to do their due diligence at the time of placing the request. With online activations now, that's not really happening.

        If the port is placed in store, you've generally got a young retail operator who may not have the skills or awareness to pick a fake ID or someone not on the up and up.

Join the discussion!

Trending Stories Right Now