You Can’t Stop SIM Swap Attacks… But There Are Mitigation Strategies That You Can Employ

Recently a friend of my wife’s was doomscrolling on her phone when it suddenly went into SOS mode, meaning it had no service. Confused by this, she hopped into her car and drove to her local Bell store. The Bell employees had a look and determined that something weird was going on. Specifically, her phone number had been moved onto a Bell account that had the numbers of 20 other people on it. The Bell employee then went into action to get “the fraud department” involved. But while that was going on, someone was trying to use her credit card to buy some high value items. As in $14,000 worth of items. She would later find out about this when the Bell employee told her to phone her bank to see if her credit cards and bank accounts were okay. When she made that call, that’s when she got the bad news. Her bank told her that what likely happened was that before the purchase went through, Visa, the credit card company in question, would have sent a two factor authentication code to her phone number to authorize the purchase, and that number was now in someone else’s hands. Fortunately for her, her bank, seeing clear evidence of fraud, reversed the charges. But she had to be issued brand new credit cards and a new bank account to boot.

Welcome to the modern reality of the SIM swap attack.

So let’s go down the rabbit hole of what a SIM swap attack is and why it is one of the most common ways that people get hacked, if you want to call it that. SIM stands for Subscriber Identity Module. That’s telco speak for the chip that goes inside your phone to allow you to get cell phone service. Your cell phone number is associated with that SIM, and what the threat actor is going to try to do is either trick a telco employee into moving your number to a SIM that they control, or have an accomplice inside the telco who will help them move your number to a SIM that they control. This is an example of the latter. And this is an example of a Freedom Mobile customer who fell victim to the former.

And before those of you who have an eSIM, which is an electronic SIM that is sent over the air, via a QR code, or via an app to a special chip inside your cell phone, say that you can’t get pwned in this manner: you can absolutely be pwned in this manner. eSIMs are simply non-physical SIMs. The attack method is still the same, because it is your phone number that gets moved, not the chip.

These attacks are either highly targeted or opportunistic. The former involves the threat actor learning a whole lot about you, not only to figure out if you are a target worth their time, but to know how to quickly take over the accounts that they are interested in. In terms of the latter, I have begun to hear of situations where a target is sent a text message that purports to be from a telco, and the victim is sent to a phishing website that gathers enough information about the victim to allow the attack to proceed. Here’s an example of another Freedom Mobile customer who fell for this.

So in short, a SIM swap attack is a means for a threat actor to take control of your number to get access to two factor authentication codes that allow the threat actor to take control of anything from social media accounts, to bank accounts, to crypto wallets. That’s because two factor authentication codes are often sent by text message. And since the threat actor is unlikely to get direct access to your phone, taking over your SIM is the next best option.

The question is, what can you do to protect yourself? Sadly, there’s very little that you can do to stop this from happening. The reality is that telcos need to come up with far better security to stop SIM swap attacks from being executed. The fact that insiders who work for a telco can help to execute a SIM swap, or that someone can simply walk into a telco store with enough information about you, along with fake ID, and execute a SIM swap in most if not all cases, reflects poorly on telcos and their ability to protect their customers. Now I’ve highlighted Bell and Freedom Mobile in this story. But all telcos need to step up their game here, because none of them are doing enough to stop SIM swaps from happening.

Having said that, you can mitigate the dangers that SIM swaps pose. Instead of using text message based two factor authentication, you can use an app-based authentication program, like Google Authenticator. For another level of security, you can choose to purchase a physical authenticator token, like the YubiKey or Google Titan Key. All of this assumes that the online accounts support these options, of course. But doing any or all of these means that if a SIM swap happens, the threat actors get nothing, because the codes are generated on your device rather than delivered to your phone number.

You should also check to see if your online accounts directly support sending authentication codes via an app on your phone. For example, my bank lets me receive two factor authentication codes via their app and not via text message. That makes accessing my bank account way more secure because, again, a threat actor gets nothing if a SIM swap happens.

Finally, if your telco has the option to add a PIN or personal identification number to your account, do it. And pick one that isn’t associated with anything like a phone number or a license plate number for example. And if possible see if your telco has the option to set your PIN yourself. That way a rogue telco employee can’t use it against you.

So what happens if you are a victim of a SIM swap? As in you notice that your phone is in SOS mode meaning that it has no service. Time is of the essence if you are a victim. This is what you need to do in order:

  • First, call your bank and credit card companies and request a freeze on your accounts. This will prevent the attacker from using your funds for fraudulent purchases.
  • Try to “get ahead” of the attackers by moving as many accounts as possible to a new, un-tainted email account. Unlink your old phone number, and use strong (and completely new) passwords. For any accounts you’re unable to get to in time, contact customer service.
  • Call the police and file a report. This is a crime and it needs to be reported without fail.
  • Contact credit bureaus and request a freeze on your credit. Or at least credit monitoring.
  • Contact the telco in question, preferably in person, and get them to not only reverse the swap but also investigate how it happened. Though from what I have heard, telcos often don’t want to properly investigate SIM swap incidents. And if they do, they tend not to want to talk about it.

Finally, I should also note that some homeowner’s insurance policies include protection for identity theft. But that only means something if you’ve filed a police report. So you should look into that.

As I mentioned earlier, all telcos need to step up here and make these sorts of attacks less viable. But until telcos take meaningful action on SIM swap attacks, you need to take action to protect yourself from being a victim.

One Response to “You Can’t Stop SIM Swap Attacks… But There Are Mitigation Strategies That You Can Employ”

  1. […] I went down the rabbit hole of what a SIM Swap Attack is here. But here’s the […]
