What's a SIM Card?
SIM cards are the heart of our mobile devices where phone calls and mobile data are concerned. They're the tiny cards we don't often think about that slide inside our mobile device and make our mobile number for phone calls and our data plan for using the Internet work.
SIM is another acronym that stands for Subscriber Identification Module. This little card is what connects your device number and subscriber plan to your carrier's network using a private key that's embedded in the card itself. Why should we have to think about them at all - ever?
What's SIM Swapping?
There is a kind of crime on the rise called "SIM swapping." This nefarious activity involves deception and, in many cases, social engineering. In a nutshell, it goes something like this: criminals case your number ahead of time and then visit your mobile carrier, most often in person (an AT&T, Verizon, T-Mobile, or Sprint store), and choose a new, simple-minded, or super-nice and helpful representative who appears to be easy to manipulate. They'll impersonate you using fake ID and compelling stories to get the representative(s) to work around established security protocols until they get what they're after - control of your account and ultimately your SIM card.
These criminals aren't so much interested in your text messages or phone calls as they are keen on taking control of the two-factor authentication (2FA) messages from valuable accounts, like banking, that you have taken extra steps to protect.
Minimize Your Risk Of Getting Swapped!
Once criminals get control of your SIM card, there's going to be a period of damage control that can often take years to clean up, depending on how quick and cunning they were. We always prefer being pro-active to minimize these kinds of preventable risks, and here are our tips:
Use An Authentication App
Using SMS or text messages sent to your real mobile number to receive 2FA codes for logging in to your most valuable accounts might be easy and straightforward, but it makes you super-vulnerable to SIM swapping. We recommend using an app instead, like Authy, Google Authenticator, or Duo. We call this "out-of-band," and this approach insulates you against SIM swapping attacks by diminishing the value of your SIM card for the purpose of 2FA.
Set A PIN On Your Account
Call your mobile carrier and ask to set a PIN on your account. Doing this makes it more challenging for criminals to take control of it. By protocol, carrier representatives cannot make changes to your account without that PIN, which is typically a number from 4-8 characters in length.
Don't Use Your Real Mobile Number
If you don't have to share your real mobile number in your social media accounts - don't. "What does that mean?" you might ask. You can use any VoIP service, such as Google Voice, RingCentral, etc. to create an online "phone number" that you can use in place of your real mobile.
Why is this a great idea? Once criminals have taken control of your SIM and thereby your mobile number, the first thing they typically do is lock you out of your primary email accounts and use these to gather more information they can use to get closer to your crown jewels - your assets - before reselling your information on the Dark Web.
Removing and abstracting your real mobile number from your most valuable online accounts vastly reduces your risk in the event of a successful SIM swap, especially where you have to associate a mobile number with an account.
For example, sign in to the Google Account page and edit your mobile number in the Personal Info section. If you see your mobile number there, replace it with a VoIP number like Google Voice, RingCentral, etc. or remove it altogether (as long as you have another option for receiving 2FA first!).
Remove your mobile number from the Security section, under "Ways we can verify it's you" - this is another good spot to use a VoIP number and not your real mobile. Note that 2FA is turned off in this screenshot. Be sure to re-enable it once you've set up an authenticator app or are using a VoIP number to receive those 2FA codes so you don't lock yourself out.
Here's another example using Amazon: In Your Account, select Login & Security. Remove your mobile and/or add a VoIP number here.
PayPal is another regular target for criminals. Do the same thing here by clicking the settings (gear icon) in the upper-right corner of the page once you log in. Click Phone, remove your real mobile, and add a VoIP number instead to sleep much better at night.
Likewise, consider removing your real mobile number from all your social media, retail, and especially your financial accounts.
Encryption Is Your Friend
Typical text and SMS messaging was never designed to be private. We recommend instead using an end-to-end encrypted messaging app like Signal for peace of mind, especially when sharing sensitive info with others like passwords, logins, or other information you wouldn't want just anyone to easily get access to.
Don't go changing too much! Continue to be your kind, sensitive, and helpful self, but don't let the baddies take advantage of you. Be kind but skeptical about anyone asking for your personal info in person, via email, and/or text, and don't be afraid to ask for verification or to call them back using a legit number. In a nutshell: trust but verify. No one will fault you for it and it just might save your identity someday.
May The Worst Not Come To Pass
It's not at all unusual for people to be unaware they've been SIM swapped until it’s too late. There are often precursors to the biggest warning sign of all - a total loss of cellular reception on a mobile device.
While banks and mobile carriers do their best to ensure everyone under their employ consistently follows security protocols to help prevent SIM swapping from happening, there is no 100% fool-proof solution. The best approach is to do more than just one thing to help prevent it, which is why we list a few recommendations above. We call this Defense-in-Depth. By putting multiple security controls in place, we can significantly raise the cost for a criminal, who will hopefully give up and seek out an easier target.
Thanks for reading - please share these tips with your loved ones to help ensure their year won't be ruined by something that may have been prevented with a few pro-active steps.