SIM Swapping - How Attackers Hijack Phone Numbers
About 2 min read
SIM swapping is an attack technique in which an attacker impersonates a victim to a mobile carrier and, by getting a SIM card reissued or a number ported, hijacks the victim's phone number. The attacker intercepts the two-factor authentication codes sent via SMS and illicitly manipulates bank accounts or cryptocurrency exchange accounts. In 2024, the FCC enacted new rules to counter SIM swapping, requiring mobile carriers to implement additional authentication.
Real-World Use Cases
"We received a report from a customer that 'my phone suddenly lost all signal,' and we suspected SIM swapping. Our investigation revealed that the attacker had used social engineering to deceive a phone shop clerk and successfully had the SIM reissued. SMS authentication was bypassed, and about 3 million yen was drained from the cryptocurrency account."
The SIM Swap Flow
Historical Background
SIM swapping surged around 2018 alongside the spread of cryptocurrency. In the United States, an incident in 2019 in which the Twitter CEO's account was hijacked through SIM swapping drew widespread public attention. According to an FBI report, losses from SIM swapping reached about 68 million dollars in 2021. In Japan, too, cases exploiting fraudulent mobile number portability (MNP) have been reported.introductory books on mobile security (Amazon) provide a systematic way to learn more.
Defense Methods
The most important countermeasure is to migrate from SMS-based two-factor authentication to a TOTP app (Google Authenticator, Authy) or a passkey. SMS authentication is vulnerable to SIM swapping, and NIST does not recommend using it. It is also effective to set a PIN code or passphrase with the mobile carrier so that a SIM reissue requires additional authentication. By protecting your mobile carrier's online account with a unique, strong password for each service and strengthening your smartphone lock, you can greatly reduce the risk of SIM swapping.books on authentication security (Amazon) are also helpful references.
Was this article helpful?