Beware of SIM Swapping

By Britt Erica Tunick

Just as mobile phones have become commonplace, so too has two factor-authentication as a way of helping to secure everything from online accounts to the electronic locks on people’s front doors. But if your second authentication method is your mobile phone number, you may want to consider changing that.

Accounts secured by two-factor authentication require users to enter an additional password or pin number, which is randomly generated, before they can access their account. In most cases, people provide their mobile number as the contact method for the second passcode to be sent to, typically through a text message. But as criminals have stepped up their efforts to gain access to people’s accounts online, and to use their identities to open fraudulent accounts, two factor-authentication has increasingly been subverted through what is known as SIM swapping.

SIM cards are the tiny chips inside mobile phones that store a user’s personal information and keep the phone from operating if they are removed. Each person’s SIM card has a unique identification number that is linked to their individual phone number and allows a wireless carrier to ensure that calls or data to your number go to the correct phone or device. Since a phone number can only be tied to one SIM card at a time, mobile phone numbers have become a popular way of verifying an individual’s identity.

The problem is that criminals have figured out how to circumvent this through what is known as SIM swapping. These criminals convince a mobile carrier that they are, in fact, you, and that you need a new SIM card for your phone number, either because your phone was lost or stolen, or because you are transferring your phone number to a new mobile carrier. Since the information that most people use to secure their mobile accounts can be easily obtained through a basic Google search or through their social media accounts, such as birthdates or a parent’s maiden name, such efforts are often successful. Once someone has their SIM card linked to your phone number, it means that the secure one-time passcodes generated by banks and other organizations will go to that person without your knowledge. In most cases, people don’t even realize that their SIM card has been swapped until it is too late. And the problem is more widespread than you might imagine, according to Princeton University’s “An Empirical Study of Wireless Carrier Authentication for SIM Swaps.”

Following are a few steps you should take to avoid becoming a victim of SIM swapping:

• Use a second email address as your second verification method for two-factor authentication.
• Substitute a random word for your mother’s maiden name on retrieval questions, as this information is widely available through a simple Google search.
• Be careful not to reveal too much personal information on social media, as doing so makes it extremely easy for criminals to fill in the security questions that you provide for backup account retrieval.
• If you are suddenly unable to make or receive text messages or calls on your mobile phone, check with your mobile carrier to make sure you are not a victim of SIM swapping.
• Do not choose obvious dates for your pin codes such as your birthday or wedding day. Instead, choose something that is unlikely to be found online or through social media.