If you thought you were being smart and risk-free by enabling two-factor authentication (2FA) on all your accounts, we hate to break it to you, but hackers have found a way to bypass that too: SIM swapping.
It’s a destructive method of attack with serious consequences. Fortunately, there are ways to protect yourself from it.
2FA was conceptualized because of the problem of leaked passwords. Many sites fail to properly protect stored passwords with hashing and salting, which would prevent them from being read in their original form by third parties.
It gets even worse when people reuse passwords across different sites. So when one site gets hacked, an attacker gets everything he needs to attack accounts on other platforms. In response to this, many services require that people provide a special one-time password (OTP) whenever they log in to an account.
A “port-out” scam is similar and involves hijacking your phone number by “porting” it to a new cellular carrier.
What happens when an attack takes place?
The first sign would be your SIM card losing all services. You won’t be able to receive or send texts or calls or access the internet through your data plan.
In some cases, your phone provider might send you a text informing you that the swap is taking place, moments before moving your number across to the new SIM card. If you still have access to your email account, you might also start to see strange activity, including notifications of account changes and online orders you didn’t place.
How to protect yourself from SIM Swapping?
Prevention is better than a cure. The best way to protect against SIM-swapping attacks is to not use SMS-based 2FA.
App-based authentication programs, like Google Authenticator, can be a great substitute for that.
You can also choose to purchase a physical authenticator token.
If you absolutely must use text or call-based 2FA, you should consider investing in a dedicated SIM card you don’t use anywhere else.
Unfortunately, even if you use app-based 2FA or a physical security key, many services will allow you to bypass these and regain access to your account via a text message sent to your phone number.
Services like Google Advanced Protection offer tougher security for people at risk of being targeted, like journalists, activists, business leaders, and political campaign teams.
Mobile carriers are surely aware of the SIM swapping threat and are offering additional security features like verbal passwords to combat it. But mobile carriers need to significantly change their internal processes. Effectively combating SIM swapping will require a collective training effort to prevent their own customer service workers from falling for SIM Swapping attempts on accounts without additional security barriers in place.
Need to add additional layers of protection to prevent yourself from such attacks? Get in touch with Trixter Cyber Solutions!