An increasing number of services use your phone number to identify you, sometimes in addition to your email address. While that can come in handy in some cases, such as mobile services and multi-factor authentication, often there is no good reason to hand yet another personal detail to a third party. And by giving your phone number to an online service, you can potentially become the victim of a SIM swapping attack.
Also known as a port-out scam or simjacking, SIM swapping is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or a call placed to a mobile phone.
To carry out this sort of attack, a malicious party uses social engineering to convince your mobile operator to issue a new SIM card and to reroute all calls and text messages to it. The fraudster can then intercept any one-time passwords delivered to the victim by text message or phone call, and thus circumvent the security features of any account that relies on text messages or phone calls for verification.
There are a few things you can do to protect yourself from falling victim to this threat:
1. Don’t give your phone number that easily
We can’t say you should never give out your phone number, because that isn’t realistic. Sometimes you will need a service that requires your phone number, and if that’s the case, go for it. Just make sure it is a reputable company that is asking for it.
While we understand that many online services want to collect as much data as they can on their customers, many of them will work just fine without having all those details at hand.
2. Use different kinds of two-factor authentication
Instead of giving online services your phone number, see if you can opt for a different kind of two-factor authentication. There are multiple authenticator apps on the market, including one made by Google, as well as hardware security keys such as those based on the FIDO U2F standard.
These other options ensure that access to your accounts does not depend on your phone number. If a phone number is the only verification method a service offers, make sure to set a secondary password to keep people out.
3. Consider a prepaid SIM card
It could be a pain, but considering the risks involved, you may want to get a prepaid SIM card and use it for signing up for little-known services. Mind you, we are talking about prepaid SIM cards that are not tied to a name or any other form of identification.
By using these kinds of SIM cards you can’t fall victim to a SIM swapping attack. After all, no amount of social engineering will help the malicious third party get your details from the mobile operator, because the operator has no details to share in the first place.
4. Lock your phone account
You may want to explore the option of putting a lock on your phone account. Contact your mobile operator and ask about available options to protect yourself from a SIM swapping attack. Don’t worry, this won’t sound as crazy as you may think; some providers even allow users to set a password for customer service. Without that password, neither you nor a malicious third party will get through to the customer service representative, and it is that conversation that can otherwise be used to obtain a SIM swap.
Or, if the operator supports it, ask that a SIM card change be allowed only when you visit a branch in person. This makes it impossible for an attacker to trick them (or you) from another city.
Those are the basics and, as is usually the case, you should read the terms of the service you’re signing up for, do your due diligence, and only then offer them your phone number. It is better to put in more time in advance to research things than to be sorry later that something went wrong. Because it could go wrong.