An iPhone or iPad with two-factor authentication may not be as secure as you think.
SIM swapping is serious because it gets around the “extra layer” of security on your phone.
The FBI and U.S. Department of Justice are reporting more SIM swapping crimes, many involving millions of dollars.
Last month, the FBI cited a notorious SIM swapping case at the top of its 2019 Internet Crime Report (PDF).
In that case, a cybercrime gang caused approximately $40 million in losses, with the FBI seizing $18 million, five vehicles, a $900,000 home, and hundreds of thousands of dollars in jewelry. (And see this recent case in Canada involving millions of dollars and this recent Massachusetts case where criminals stole, or attempted to steal, over $550,00.)
And there was this case of a ZDNet contributor having his life turned upside down after falling victim to SIM swapping.
The upshot: In 2020, smartphone users should be aware of SIM swapping because it gets around two-factor authentication, which is touted as an “extra layer” to stop fraudsters.
What is SIM swapping?
In a SIM swap, a wireless carrier is duped into porting your phone number to a criminal’s SIM, as this Norton security blog explains.
Typically it goes something like this: the scammer, pretending to be you, calls your carrier and claims to have lost their SIM card. Feigning desperation, they ask the customer service rep to activate a new SIM card, which, of course, the bad guy just happens to have.
Once this happens, your phone number has been ported to the fraudster’s phone.
With access to your phone number, they can initiate phone communication with your bank via text messages. Then they will try, for example, a password reset, which is sent to the criminal’s phone. If this is successful, they’re in.
And the scammer will get all the text messages, calls, and data that was on your phone.
How do criminals get past security questions?
There are so many ways to steal your personal data these days that it’s hard to cover them all. They may steal sensitive personal information through phishing emails, pay for your data residing on the dark web, or get it via social engineering such as pretexting. Or they may simply scrape your data from social media sites such as Facebook.
How to protect yourself from SIM swapping
- Boost your account security, says* Norton. Use a unique, strong password and strong questions-and-answers (Q&A).
- PIN: if your carrier provides this option, do it. It’s another layer of protection that could stop the bad guys in their tracks.
- IDs: diversify. Your identity authentication shouldn’t be based solely around your phone number.
- Be on the alert for scammers using social engineering such as pretexting. Here, they pretend to need personal information to confirm your identity.
- Set bank and mobile carrier alerts: make sure you’ve activated these alerts with your bank and mobile carrier.
- Authentication apps: there are authentication apps out there such as Google Authenticator, one from Microsoft, and another from LastPass. They give you two-factor authentication but tie it to your physical device, not your phone number.
*The FTC offers tips to fight SIM swapping too.