WatchGuard Blog

SIM swapping, an ongoing threat

Although SIM swap scams or SIM swapping have been around for a number of years, it’s hard to pinpoint exactly when they first appeared. An ENISA report states that as early as April 2016, the British media reported an incident of bank account theft using this technique. In the United States, the first documented case of large-scale SIM swapping was the Joel Ortiz case in 2018. Ortiz became the first person to be convicted of this crime, after pleading guilty to stealing more than $5 million in cryptocurrencies from 40 victims.

Even though we have known about it for quite some time, SIM swapping is still an ongoing threat in the world of cybersecurity. Despite its known weaknesses, many companies continue to use SMS as an authentication method because it is easy to implement. This text messaging service is a standard feature offered by virtually all mobile phone operators worldwide. You don't need a smartphone either: most basic cellphones support SMS too, which makes this the most accessible form of authentication.

How does SIM swapping work? 

SIM swapping is a type of cyberattack that seeks to take control of your cellphone to access your online accounts. Unlike other threats, this attack focuses on a common authentication factor: verification codes sent by SMS or phone call. This is how it works:

  • Cybercriminals obtain your cellphone number. They can do this by deploying several techniques, such as malware, phishing, or even buying your information on the dark web. 
  • They impersonate you when communicating with your mobile operator. They try to convince the operator to activate a new SIM card with your number. 
  • With the new SIM card activated, they intercept verification messages (OTP) and 2FA codes. With these codes they can access your online accounts, such as your corporate email. 

While cybercriminals use a variety of techniques to obtain their victims' phone numbers, such as those mentioned above, more sophisticated methods have been reported recently. In the United States, for example, a case has been detected where an individual accessed a contact list of T-Mobile employees and offered them bribes in exchange for SIM swaps. In August last year, a financial services provider warned about a similar attack: an employee's T-Mobile account was compromised without the company or the employee's knowledge. The attacker accessed files containing personal information about BlockFi, FTX, and Genesis customers.

Although it has not been confirmed whether bribery was involved in this particular incident, it certainly makes it much easier for cybercriminals to do their job.

How can you keep your employees and customers safe?

Regardless of the size of your company, or whether you are a managed service provider (MSP) trying to protect your customers, multi-factor authentication (MFA) is no longer optional but a necessity. Relying solely on traditional authentication methods such as passwords or SMS codes is risky, because it exposes you to SIM swapping attacks.

Implementing a robust MFA solution that combines secure authentication via push notifications or QR codes with an additional authentication factor based on the DNA of the mobile device protects your employees or, in the case of MSPs, your customers. Even if an attacker manages to clone a user's device, they will not be able to access the user's accounts, because the DNA of the cloned device won't match and the login attempt will be blocked.
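The difference between the SMS path described in the steps above and the device-bound path recommended here can be shown in code. The following is an added illustration, not WatchGuard's product code: the "device DNA" is modelled as a hypothetical per-device secret plus a hash of stable hardware attributes, both captured at enrolment, and the scenario values are constructed.

```python
"""SMS OTP vs. device-bound MFA under a SIM swap (illustrative model)."""
import hashlib
import hmac
import secrets


def verify_sms_otp(issued_code: str, submitted_code: str) -> bool:
    # The server only checks that the right digits came back; whoever
    # receives the SMS (e.g. on a swapped SIM) passes this check.
    return hmac.compare_digest(issued_code, submitted_code)


class EnrolledDevice:
    """Server-side record written at enrolment (hypothetical 'device DNA')."""
    def __init__(self, device_secret: bytes, fingerprint: str):
        self.device_secret = device_secret
        self.fingerprint_hash = hashlib.sha256(fingerprint.encode()).hexdigest()


def device_fingerprint(attrs: dict) -> str:
    # Canonical string of stable hardware/OS attributes reported by the app.
    return "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))


def sign_challenge(device_secret: bytes, fingerprint: str, challenge: bytes) -> str:
    # What the authenticator app computes when the user approves a push prompt.
    msg = challenge + hashlib.sha256(fingerprint.encode()).digest()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def verify_push_response(enrolled: EnrolledDevice, challenge: bytes,
                         claimed_fingerprint: str, response: str) -> bool:
    fp_hash = hashlib.sha256(claimed_fingerprint.encode()).hexdigest()
    if not hmac.compare_digest(fp_hash, enrolled.fingerprint_hash):
        return False  # attributes differ from the enrolled device: block
    expected = sign_challenge(enrolled.device_secret, claimed_fingerprint, challenge)
    return hmac.compare_digest(expected, response)  # wrong secret: block


def simulate_sim_swap() -> dict:
    """Constructed scenario: the attacker holds the victim's number on a new SIM
    in their own handset but never obtained the enrolled device secret."""
    victim_fp = device_fingerprint({"model": "PhoneA", "os": "14.2", "hwid": "ABC123"})
    enrolled = EnrolledDevice(secrets.token_bytes(32), victim_fp)
    otp = "483921"  # lands on the attacker's SIM; they type it straight back
    challenge = secrets.token_bytes(16)
    attacker_fp = device_fingerprint({"model": "PhoneB", "os": "13.0", "hwid": "XYZ789"})
    forged = sign_challenge(secrets.token_bytes(32), attacker_fp, challenge)
    genuine = sign_challenge(enrolled.device_secret, victim_fp, challenge)
    return {"sms_attacker": verify_sms_otp(otp, otp),
            "push_attacker": verify_push_response(enrolled, challenge, attacker_fp, forged),
            "push_victim": verify_push_response(enrolled, challenge, victim_fp, genuine)}
```

Running `simulate_sim_swap()` shows the SMS check accepting the attacker while the device-bound check rejects them and still accepts the enrolled handset.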

If you would like to learn more about how to protect against identity attacks, check out the following posts on our blog: