SIM Swapping Attacks

Social-Engineering-Report

Original Release Date: 2/22/2023

A Subscriber Identity Module (SIM) card is a physical, removable smart card that contains subscriber identification data and authenticates a subscriber's mobile device to a specified wireless carrier network. SIM cards hold data such as the user identity, mobile phone number, network authorization data, personal security keys, contact lists, and stored text messages, and may reveal location information. They also provide indirect access to the subscriber's accounts, such as wireless carrier, email, social media, banking, and digital payment accounts, because subscribers typically set up phone calls or SMS text messages as a second factor for multi-factor authentication (MFA), as a password recovery method, and as the channel for notifications of account changes. An embedded SIM (eSIM) provides the same functions and security protections as a SIM card; it is not removable and is instead provisioned by downloading a carrier profile to the device. On eSIM-capable devices and carriers, subscribers can easily switch between multiple mobile phone numbers on one phone.

Wireless carriers offer SIM swapping as a legitimate service to change the SIM card and its associated mobile phone number. They also offer SIM port outs as a legitimate service for subscribers who want to transfer their mobile phone number to another wireless carrier. When a SIM swap or port out is initiated, subscribers are required to verify their identity, such as first and last name, date of birth, last four digits of Social Security number, account PIN, security questions and answers, or driver’s license. Personally identifiable information (PII), along with other information such as account login credentials obtained from data breaches or public information, can be used and exploited by threat actors through SIM swapping attacks, or SIM hijacking. Threat actors initiate these attacks by impersonating the subscriber, contacting the wireless carrier via phone or visiting in person, and providing identity verification verbally or by presenting fake identification to convince the wireless carrier employee that they are the subscriber on the account. They may claim that the mobile phone and associated SIM card were lost, stolen, destroyed, or sold accidentally with the SIM card left inside. They use social engineering to convince the employee to assign the subscriber’s mobile phone number to a new SIM card on a device the threat actors own with the same or a different wireless carrier. If successful, the victim’s SIM card is deactivated and the new SIM card that the threat actors control is activated. The threat actors are then able to gain access to the victim’s mobile phone number to receive phone calls and SMS text messages on the victim’s behalf, which may be used as a second factor for MFA or as a recovery method for an account. 

Threat actors combine three things: account login credentials obtained from data breaches and public disclosures, the victim's insecure habit of reusing the same password across multiple accounts, and control of the victim's mobile phone number. With the victim's phone calls and SMS text messages now routed to them, they can authenticate to the victim's accounts, reset passwords, change PIN codes and security questions and answers, and change the second factor for MFA with little effort. Once passwords are reset and the second factor is changed, victims are locked out of their own accounts; their information can be altered or stolen, new accounts and services can be opened in their name, and additional mobile phone lines can be added to the compromised wireless carrier account. Threat actors can also gain access to financial accounts, including banking, loan, credit card, cryptocurrency, investment, tax return, and retirement accounts, all of which provide information and funds they can use to perform transactions, purchase digital currency, and transfer funds to accounts they control. Victims may not notice right away that they have lost wireless service, and they will no longer receive the phone calls, SMS text messages, or account-change notifications that would otherwise alert them. In some cases, the SIM swap is deliberately performed at night while the victim is asleep and wireless carrier stores are closed, giving threat actors more time to compromise accounts before detection or remediation. To revert the unauthorized change, victims typically must verify their identity in person at a wireless carrier store, which delays recovery of the mobile phone number, the SIM card, and the compromised accounts until the store opens.
Losses from SIM swapping attacks can range from several hundred dollars to several hundred thousand dollars.
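The pattern described above, a SIM change or port-out followed within hours by password resets, MFA changes and transfers on the same phone number, is detectable on the defender's side when carrier events and application events land in the same log pipeline. The following added example (not code from the NJCCIC advisory or from any carrier) runs that correlation over a few constructed log lines; the event format, field names, the 24-hour window, the "overnight" hours and every sample record are assumptions made for illustration.

```python
"""
Detect account-takeover activity that follows a SIM swap.

Added example, not part of the NJCCIC advisory: correlates carrier-side
SIM change / port-out events with sensitive account actions that arrive
shortly afterwards for the same phone number. The event format, field
names, thresholds and the sample records are all constructed for
illustration; adapt them to the real carrier and application logs.
"""
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <kind> <E.164 number> key=value ...".
# sim_change / port_out come from the carrier; the rest come from services
# that rely on the number for SMS one-time codes or account recovery.
EVENTS = [
    "2023-02-10T01:12:04Z sim_change +15550101 store=ct-0412 employee=e7712",
    "2023-02-10T01:20:31Z sms_otp_sent +15550101 service=bank",
    "2023-02-10T01:21:09Z password_reset +15550101 service=bank",
    "2023-02-10T01:25:44Z mfa_change +15550101 service=email new_factor=sms",
    "2023-02-10T01:33:02Z transfer +15550101 service=bank amount=48000",
    "2023-02-09T14:05:00Z sim_change +15550202 store=nj-0010 employee=e1001",
    "2023-02-12T09:00:00Z password_reset +15550202 service=email",
    "2023-02-10T11:00:00Z password_reset +15550303 service=email",
]

SWAP_KINDS = {"sim_change", "port_out"}
SENSITIVE = {"password_reset", "mfa_change", "transfer"}
WINDOW = timedelta(hours=24)      # how long after a swap an action is suspect
NIGHT_HOURS = range(0, 6)         # swaps performed while stores are closed


def parse(line):
    """Parse one constructed log line into a dict."""
    ts, kind, number, *rest = line.split()
    attrs = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind, "number": number, **attrs}


def find_suspicious(lines, window=WINDOW):
    """Return one alert per sensitive action within `window` of a swap."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    swaps = {}      # number -> swap events seen so far, in time order
    alerts = []
    for e in events:
        if e["kind"] in SWAP_KINDS:
            swaps.setdefault(e["number"], []).append(e)
            continue
        if e["kind"] not in SENSITIVE:
            continue
        # Walk the most recent swap first so the alert names the closest one.
        for s in reversed(swaps.get(e["number"], [])):
            delta = e["ts"] - s["ts"]          # non-negative: events are sorted
            if delta <= window:
                alerts.append({
                    "number": e["number"],
                    "action": e["kind"],
                    "service": e.get("service"),
                    "swap_at": s["ts"].isoformat(),
                    "minutes_after_swap": int(delta.total_seconds() // 60),
                    "overnight_swap": s["ts"].hour in NIGHT_HOURS,
                })
                break
    return alerts


def affected_numbers(alerts):
    """Numbers to escalate (hold transactions, re-verify identity in person)."""
    return sorted({a["number"] for a in alerts})


if __name__ == "__main__":
    found = find_suspicious(EVENTS)
    for a in found:
        print(a)
    print("escalate:", affected_numbers(found))
```

On the sample data only +15550101 is flagged: three sensitive actions within 21 minutes of a 01:12 swap, all marked as following an overnight swap. The +15550202 reset is three days after its swap and falls outside the window, and +15550303 has no swap at all. In a real deployment the carrier-side feed is the hard part; the correlation itself is cheap, so the window can be kept generous and the alerts triaged by the time-of-day and amount fields.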

Tactics

SIM swapping attacks were first observed in the early 2010s, including those reported in the FBI Internet Crime Complaint Center (IC3) 2013 Internet Crime Report. Additionally, this method of attack was popularized in an online forum called OGUsers, where forum users search for desirable Instagram handles and perform SIM swapping attacks to take over the account and transfer the handle to their personal account. These attacks have now become more centered on identity theft and fraud, as threat actors have realized the potential risk and reward of these attacks. They have started targeting wealthy individuals, particularly in cryptocurrency, to access their financial bank and cryptocurrency accounts. 

Unlike most cyberattacks, SIM swapping attacks are almost exclusively targeted, since threat actors must swap a specific mobile phone number, usually obtained from leaked or stolen information. To perform these attacks, threat actors may work independently or in affiliation with a group to breach organizational resources, including facilities, personnel, information, equipment, networks, and systems. They may also use social engineering to infiltrate physical wireless carrier stores and entice, recruit, or bribe wireless carrier employees to use their access to the organization's assets in ways that harm the organization. They may also advertise on online forums for "innys," short for insiders, who are paid to perform SIM swaps. Insider threats may be malicious, negligent, or accidental. Access to an insider lowers the barrier to entry for these attacks, as threat actors then need only a fraction of the identifying information to complete the SIM swap.

SIM swapping attacks are just one small part of a larger scheme. Access to a victim's mobile phone number is extremely powerful leverage for reaching the victim's accounts. For example, with the rise of cryptocurrency and lax adherence to cybersecurity best practices, threat actors can easily search forums and social media and target cryptocurrency account holders who boast about their successful investments. In 2018, a 15-year-old New York resident, Ellis Pinsky, targeted a businessman named Michael Terpin. Pinsky and his accomplices identified their target through leaked information on a hacking forum. The threat actors then paid a T-Mobile employee at a physical store in Connecticut a few hundred dollars to perform the SIM swap. Once the swap succeeded, they attempted but failed to access one of Terpin's crypto wallets containing Ethereum. They continued searching for other wallets owned by Terpin and found a lesser-known service called Counterparty, where Terpin held $23 million of a lesser-known cryptocurrency. The threat actors accessed that wallet, laundered the money through other cryptocurrencies, and drained it. Pinsky made the mistake of transferring some of the funds to his personal wallet to confirm that it was legitimate, which led to the operation's downfall. In meetings with Terpin after the attack, Pinsky revealed that he and his accomplices had performed this exact type of attack multiple times before. Bribing a wireless carrier employee to perform the SIM swap is one of the lowest-effort SIM swapping methods, provided an employee is willing to violate company policy.

In another SIM swapping scheme, two young threat actors were indicted for calling wireless carrier employees and convincing them to navigate to phishing websites impersonating the employee login portal. Credentials entered there were used to log in to the wireless carrier's systems and perform many SIM swapping attacks, which enabled the pair to reset passwords for multiple victim accounts, including email, social media, cryptocurrency, and other online platforms. The threat actors reportedly stole over $16,000 from one victim's cryptocurrency account, with the possibility of additional unreported victims. The scheme ended after a dispute between the two over the distribution of the $16,000, during which one called the local police to send a SWAT team to the other's house.

In a similar scheme, a cybercrime group dubbed Scattered Spider has been targeting the telecommunications industry since June 2022. The group uses social engineering tactics, such as vishing, SMiShing, Telegram messages, and impersonating an organization's IT staff, to gain employees' trust and convince them to navigate to phishing websites where the threat actors steal account login credentials, or to download remote access tools onto the victim network. They also obtain account access by convincing victims to share their MFA one-time password (OTP), or by sending an overwhelming number of MFA push requests, a technique known as MFA prompt bombing. Scattered Spider also exploited an unpatched Amazon Web Services vulnerability that allowed the group to compromise user accounts. With the elevated access gained through these vectors, the threat actors reached the victim organization's MFA console, where they enrolled their own devices and assigned them to compromised user accounts to retain access, allowing them to gather subscriber data and perform SIM swapping attacks. Leaked information can also aid threat actors in completing these attacks through the respective telecommunications network.

Threat actors have also combined social engineering, SIM swapping, and remote desktop software in a single scheme. In one case, threat actors posted a real estate listing priced below market value, attracting many interested parties and informing them that the seller urgently needed money and was outside the country where the property was located. A "relative" of the seller then convinced two potential buyers to install AnyDesk, a remote desktop application, supposedly to receive additional pictures of the property. The software was instead used to extract the victims' sensitive files containing passwords and PII in order to access their bank accounts. Although MFA was enabled, the threat actors bypassed it by contacting the two victims' wireless carrier, using the collected PII to pass identity verification, and swapping the SIM cards, after which they drained a combined $350,000 from the two bank accounts.

These examples highlight that SIM swapping attacks are a tool to gain further access to commit additional malicious activity, especially identity theft and fraud. 

SIM Swapping Protections 

By default, an account password is used to access the online wireless carrier account. An account PIN or passcode can also be set on the wireless carrier account to authorize significant changes to it. Furthermore, enabling any form of MFA on the wireless carrier account and on other accounts is beneficial. However, authentication apps, hardware tokens, or biometrics are the preferred second factors over SMS text-based authentication, because SMS is exactly the channel a SIM swap captures. Authentication apps are effective because the code is generated from a secret stored only on the device the app is installed on; obtaining it would require physically possessing the mobile device and bypassing the lock screen, which is extremely difficult, especially for low-level threat actors. Note that an app-generated code can still be phished or talked out of the user in real time, as the OTP-sharing tactics described above show, whereas phishing-resistant hardware tokens do not have this weakness.
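To make concrete why an authenticator app is unaffected by a SIM swap, the following added example (not code from the NJCCIC advisory or from any carrier or app vendor) implements RFC 6238 time-based one-time password verification as a service would perform it. The code is computed from a secret shared with the device at enrollment plus the current time; no phone number or carrier is involved anywhere. The `TotpVerifier` class, its replay check and the one-step clock-skew window are assumptions of this example; the secret and timestamps used for demonstration are the published RFC 6238 test vectors.

```python
"""
RFC 6238 time-based one-time passwords, as used by authenticator apps.

Added example (not from the NJCCIC advisory): the code depends only on a
secret shared with the user's device at enrollment and on the current
time, so a threat actor who hijacks the phone number receives nothing.
TotpVerifier, its replay check and the skew window are assumptions of
this example; the demo secret and timestamps are RFC 6238 test vectors.
"""
import hashlib
import hmac
import struct
import time

STEP = 30        # seconds per time step (RFC 6238 default)
DIGITS = 6
SKEW = 1         # accept one step before/after to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)


class TotpVerifier:
    """Server-side check for one account; the secret never crosses a carrier."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest step already used; blocks replay

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            if c <= self.last_counter:
                continue               # each step is accepted at most once
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret and timestamps (HMAC-SHA1, 8 digits)
    seed = b"12345678901234567890"
    print(totp(seed, 59, 8))                     # 94287082
    print(totp(seed, 1111111109, 8))             # 07081804
    v = TotpVerifier(seed)
    print(v.verify(totp(seed, 59), now=59))      # True
    print(v.verify(totp(seed, 59), now=59))      # False: replayed code
```

The replay check matters in practice: once a code has been accepted, the same step is refused even inside the skew window, so a code that was phished and relayed is only useful to whichever party submits it first. Compare this with SMS delivery, where the whole security of the second factor rests on the carrier sending the message to the right SIM.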

Most mobile devices, including iOS and Android devices, can lock the SIM card with a SIM PIN. If the SIM PIN is enabled, it must be entered each time the mobile device is restarted. The wireless carrier initially sets a default SIM PIN, which can be found by logging in to the subscriber's online wireless carrier account or by contacting the wireless carrier directly after identity verification. Although the SIM PIN does not prevent SIM swapping attacks, it adds a layer of physical security if the device is lost or stolen, since it stops others from activating the SIM card in another mobile device for phone calls and cellular data.

Verizon implemented a process in which two employees are required to authorize a SIM swap to ensure the authenticity of the swap. Also, there is a Number Lock option, which allows subscribers to lock any mobile phone numbers on their Verizon wireless carrier account from being ported to another wireless carrier. If the subscriber wants to port their number, they can navigate to that page to unlock the number. Verizon provides guidance on SIM swapping and prevention.

Similar to Verizon, T-Mobile requires two employees, as well as an SMS verification code sent to the mobile phone number, to authorize a swap. Threat actors cannot intercept this SMS text message because the subscriber still possesses the mobile phone number at that point and can report the request if it is unauthorized. T-Mobile also offers Account Takeover Protection, a free service that claims to add security to an account. In addition, the NOPORT option requires subscribers to visit a wireless carrier store in person and present physical identification to perform a SIM swap or port a mobile phone number to a different wireless carrier. This option is intended for special cases and at-risk accounts, such as a subscriber who reports that their cryptocurrency account was compromised and is seeking protection. The option is reportedly not advertised publicly by T-Mobile, but it is discussed on forums and is worth requesting for the wireless carrier account.

AT&T does not advertise any special services or options to help prevent SIM swapping or porting; however, it recommends creating a unique PIN or passcode on the wireless carrier account when authorizing any significant changes to the account online, over the phone, or in person. 

Recommendations

  • Security awareness training: Participate in training to help better understand cyber threats and provide a strong line of defense.
  • Use unique, complex passwords for all accounts and devices: Unique passwords for each account and device prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Refrain from sharing or saving login credentials or other sensitive information: Login credentials and other sensitive information should not be shared with anyone or posted in plain view. Avoid auto-saving passwords, payment card numbers, or contact information when prompted by your operating system, browser, websites, or applications.
  • Enable MFA where available: MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Even if a threat actor obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM swapping, though using any form of MFA is beneficial.
  • Exercise caution with communications: Refrain from divulging sensitive information via phone, text messaging, or email without verifying the requestor via a separate means of communication before taking any action.
  • Navigate directly to websites: Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
  • Use secure websites: Before sharing personal or financial information, confirm that the site uses HTTPS (a valid certificate, with no browser warnings) and that the domain is the one you expect, not a look-alike.
  • Change the default password: Default passwords for accounts and devices can be used to gain unauthorized access.
  • Secure physical devices: Safeguard devices and ensure a password or passcode is enabled for all devices to prevent unauthorized access.
  • Keep devices up to date: Stay informed about publicly disclosed vulnerabilities and update devices, including firmware, to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
  • Reduce your digital footprint: Refrain from posting sensitive information online. Review and apply the recommendations in the How Big is Your Footprint? NJCCIC product to help reduce your digital footprint and the publicly accessible information that is available for threat actors to more effectively target you.
  • Update passwords immediately following a data breach or potential compromise: Use a resource such as haveibeenpwned.com to determine if your information, such as an account password, has been revealed in a public data breach. Change exposed passwords for every account that uses it to protect against account compromise.
  • Save your wireless carrier’s customer service phone number in your contacts: Enter the customer service phone number for your wireless carrier in your mobile phone as a contact. The major wireless carriers are:
    • Verizon: 1-800-922-0204
    • T-Mobile: 1-800-937-8997
    • AT&T: 1-800-331-0500
  • Set up a PIN or passcode on your wireless carrier account: Contact your wireless carrier to request a passcode or PIN be set up on your wireless carrier account to help prevent unauthorized changes to the account.
  • Implement wireless carrier protections: As SIM swapping attacks become more widespread, implement SIM swapping protections offered by your wireless carrier.
  • Report victimization to your wireless carrier immediately: Once you realize you have lost wireless service on your mobile device due to a SIM swapping attack, use another phone to call your wireless carrier immediately to report the unauthorized change.
  • Monitor and report fraudulent activity immediately: Victims are advised to monitor bank accounts, credit card accounts, credit profiles, and other online accounts for any irregularities or suspicious behavior, especially password changes and fraudulent transactions. Report fraudulent activity immediately to the respective entity.
  • PII compromise: If PII has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.
  • Report incidents: Report malicious cyber activity to the NJCCIC via the Cyber Incident Report form, or report data breaches to the NJCCIC via the Data Breach Report form.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
