Imagine if someone grabbed your phone, took out the SIM card, put it in their own device and ran off with it. Now imagine someone doing all of that without ever touching your phone. This is SIM swapping.
What is it?
SIM swapping is when an attacker takes control of your phone number by getting your carrier to move it from your SIM card to one the attacker holds. The goal is to receive your SMS messages (and calls), since SMS is often how 2FA codes and password reset codes are delivered to you.
Once the attacker is receiving your SMS messages, resetting the passwords of your online accounts and locking you out takes little effort, even on accounts protected by SMS-based 2FA: the reset codes and the second-factor codes now arrive on the attacker's phone, not yours.
How does it work?
What's being exploited here isn't a technical vulnerability in your phone or your SIM card; it's the carrier's customer-service process and the people who run it.
Through good old-fashioned social engineering, a hacker may call up your mobile phone carrier pretending to be you (or someone acting on your behalf) and convincingly request that your number be transferred to a SIM card they control. If they can get the person on the other end of the line to believe them, that's all it takes.
If that sounds like an unlikely scenario to you, consider this: a 2020 Princeton University study found that all five of the major US prepaid wireless carriers it tested would carry out a SIM swap on the strength of identity challenges an attacker can pass, such as naming recently dialed numbers, which the attacker can plant by baiting the victim into returning a call. The risk is greater than you might think.
What can you do?
Often the first sign is your phone suddenly losing service for no apparent reason. If that happens, or you otherwise become aware that you've been targeted in a SIM swapping attack, contact your mobile phone carrier immediately. After you explain the situation and verify your identity, they should be able to undo the swap and return your number to your SIM.
But a lot of damage can be done in the hours the attacker controls your number. To limit it, ask your carrier to put a PIN or passcode on your account that must be given before any SIM change or port-out, set up 2FA on your accounts, and, more importantly, use a dedicated authenticator app for the codes rather than SMS.
This way, even if the attacker knows your password, the 2FA code they need at login is never sent over the phone network at all: an authenticator app computes it on your device from a secret shared with the service when you enrolled, so holding your phone number gains them nothing.
In addition to storing passwords, Myki also doubles as a 2FA authenticator, letting you set up 2FA for every stored account that supports it and generate the codes in the app itself.
Download Myki on mobile or desktop and start taking control of your digital identity.