That's Not How A SIM Swap Attack Works
There's a disturbing article in The Guardian about a person who was on the receiving end of a successful cybersecurity attack.
EE texted to say they had processed my sim activation request, and the new sim would be active in 24 hours. I was told to contact them if I hadn’t requested this. I hadn’t, so I did so immediately. Twenty-four hours later, my mobile stopped working and money was withdrawn from my bank account.
With their alien sim, the fraudster infiltrated my handset and stole details for every account I had. Passwords and logins had been changed for my finance, retail and some social media accounts.
(Emphasis added.)
I realise it is in the consumer rights section of the newspaper, not the technology section, and I dare-say some editorialising has gone on, but that's nonsense.
Here's how a SIM swap works.
- Attacker convinces your phone company to reassign your telephone number to a new SIM.
- Attacker goes to a website where you have an account, and initiates a password reset.
- Website sends a verification code to your phone number, which is now in the hands of the attacker.
- Attacker supplies verification code and gets into your account.
Do you notice the missing step there?
At no point does the attacker "infiltrate" your handset. Your handset is still in your possession. The SIM is dead, but that doesn't give the attacker access to the phone itself. There is simply no way for someone to put a new SIM into their phone and automatically get access to your device.
Try it now. Take your SIM out of your phone and put it into a new one. Do all of your apps suddenly appear? Are your usernames and passwords visible to you? No.
There are ways to transfer your data from an iPhone or Android - but they require a lot more work than swapping a SIM.
So how did the attacker know which websites to target and what username to use?
What (Probably) Happened
Let's assume the person in the article didn't have malware on their device and hadn't handed over all their details to a cold caller.
The most obvious answer is that the attacker already knew the victim's email address. Maybe the victim gave out their phone number and email to some dodgy site, or they're listed on their contact page, or something like that.
The attacker now has two routes.
First is "hit and hope". They try the email address on hundreds of popular sites' password reset page until they get a match. That's time-consuming given the vast volume of websites.
Second is targetting your email. If the attacker can get into your email, they can see which sites you use, who your bank is, and where you shop. They can target those specific sites, perform a password reset, and get your details.
I strongly suspect it is the latter which has happened. The swapped SIM was used to reset the victim's email password. Once in the email, all the accounts were easily found. At no point was the handset broken into.
What can I do to protect myself?
It is important to realise that there's nothing you can do to prevent a SIM-swap attack! Your phone company is probably incompetent and their staff can easily be bribed. You do not control your phone number. If you get hit by a SIM swap, it almost certainly isn't your fault.
So here are some practical steps anyone can take to reduce the likelihood and effectiveness of this class of attack:
- Remember that it's OK to lie to WiFi providers and other people who ask for your details. You don't need to give someone your email for a receipt. You don't need to hand over your real phone number on a survey. This is the most important thing you can do.
- Try to hack yourself. How easy would it be for an attacker who had stolen your phone number to also steal your email address? Open up a private browser window and try to reset your email password. What do you notice? How could you secure yourself better?
- Don't use SMS for two-factor authentication. If you are given a choice of 2FA methods, use a dedicated app. If the only option you're given is SMS - contact the company to complain, or leave for a different provider.
- Don't rely on a setting a PIN for your SIM. The PIN only protects the physical SIM from being moved to a new device; it does nothing to stop your number being ported to a new SIM.
- Finally, realise that professional criminals only need to be lucky once but you need to be lucky all the time.
Stay safe out there.
I do have my old US number ported to Google Voice, where Google's legendary unwillingness to employ humans for anything resembling customer service also means there are no gullible (or corrupt) CSRs to fool into initiating a SIM swap, not to mention there is not even such a things as a Google Voice SIM to begin with. This won't work for UK users, unfortunately, there are UK-based virtual phone number companies, but they are quite expensive, and I doubt their security is any better than the telcos.
I also self-host my email, so there is no password recovery vector, but the Google quasi-monopoly on email is making that increasingly difficult.
The only way forward is for Parliament to pass a law that puts all liability for fraud on the company that still uses insecure mechanisms (basically anything other than FIDO2 or their Passkeys flavour). That's essentially how Chip and PIN was adopted so quickly.
@blog There's something missing between "I did so immediately" and "24 hours later." Did EE refuse to cancel the SIM transfer or what?
@mansr @blog
Did you read linked article from The Guardian? It explains what happened.
More comments on Mastodon.