5 ways to defend your phone against SIM swap attacks
Here’s a new term to fear: SIM-swapping.
In short, a cyber-criminal steals a certain amount of your personal data, including your phone number. He contacts a different carrier, pretending to be you, and claims to have lost “his” phone. He convinces the carrier to supply a new phone and SIM, then he disconnects the “old” line and transfers “his” apps and information from the cloud.
This kind of data mining is of little surprise. Security researchers recently found 21 million stolen logins for sale on the Dark Web.
But it gets worse. In theory, you have two-factor authentication, which would help prevent a security breach.
With SIM-swapping, the criminal controls your phone number from a different device. So the 2FA text message that would normally alert you to the thief’s presence never reaches you.
Suddenly your phone doesn’t work, and while you’re trying to figure out what’s wrong with it – without being able to make calls – the hacker is easily digging through your apps and files, gorging himself on your private data, and likely even your bank account information.
By the time you’ve caught up, your passwords have been changed and you are stuck desperately trying to regain control of your own accounts.
More than 3,000 people have lost access to critical accounts, thanks to SIM-swapping, with some reporting being blackmailed in addition to having their identities stolen. It’s one of the most difficult cybercrimes to prevent and fight against.
To make this sophisticated crime worthwhile, victims tend to be wealthy or high-profile individuals. Everyday folks are less likely targets, but anyone can be at risk. Here are a few ways to stay safe:
1. Keep your personal information safe
One thing that makes SIM-swapping possible is the leaking of personal data.
In many cases, this data is stolen through major breaches and sold on the Dark Web. Cybercriminals use fake IDs or cherry-pick public records. They may even bribe retail employees into providing the information they need. These kinds of leaks may be beyond your control.
But phishing scams, in the form of emails and texts, are designed to trick unsuspecting users into exposing private data. Deflecting these attempts is your first line of defense.
You should always investigate suspicious emails or unexpected correspondence to prevent identity theft.
2. Invest in a security key
Security keys are a new way to authenticate your identity online, and they’ve received acclaim from cybersecurity experts across the board. These small, USB-powered devices act as a physical key to your account and must be inserted into your computer when you log in.
Two of the most popular brands on the market are Yubico and Google Titan, both of which provide keys that work with computers and mobile products. The phone-based products are Bluetooth compatible and give you the same benefits a USB key would for a desktop machine.
Unfortunately, not every platform currently supports security keys. Click here to confirm whether a given website works with these products. Look through the categories listed or type your website into the search field to see if your platform of choice is compatible.
3. Set up a two-factor authentication app
As I mentioned, SIM-swapping is designed to circumvent 2FA – but only if your 2FA relies on text messages on your phone. A 2FA application will help you protect yourself because you can often use this app without your phone, or by using Wi-Fi.
One example: Gmail users can enjoy a free 2FA protection plan by signing up for Google’s in-house Authenticator app. This app essentially replaces the need for your phone number and generates a one-time code for you to enter each time you log in. This is one of the most direct ways to defeat SIM swapping.
To use Authenticator, you’ll need to set up 2FA on your Gmail account first. Once you’ve set up Authenticator, you’ll stop receiving text messages when you try to log in. Keep in mind: if you lose your phone, you’ll have difficulty getting back into your account; however, this is by far the most ironclad protection against SIM swapping.
4. Create a PIN
A cybercriminal may trick your carrier into switching SIMs, but you can also work with your carrier to catch potential identity thieves. One of the most popular ways is setting up a passcode or PIN for your mobile account.
Don’t get lazy and settle for an easy-to-crack PIN or password.
Some carriers, like T-Mobile, require a PIN to make any changes to your account by default. If you’re not sure whether your account has a PIN, call your carrier and explain you want to set up an authentication passcode or PIN to verify your identity.
Once your carrier has set up a code, any would-be impostor will need to provide this number to gain access to your phone number. Make sure to write your PIN down and keep it in a safe place where nobody else can access it. We recommend not storing this digitally and choosing a number no one can guess.
5. Notify your carrier
If all these defenses fail and your SIM is compromised, you’ll have to act fast. Contact your carrier, either in person or by using a trustworthy phone. Notify the company that your SIM has been stolen and you need to switch off the new phone immediately.
You also want to remotely log out of any accounts that have been accessed by said cybercriminal. This kind of invasion can cause ripple effects for months and years, but the faster you act, the less damage you’ll need to control.