With SIM swapping, a criminal arranges for all of the victim’s calls and text messages to be redirected to a SIM card the fraudster controls. This allows them to impersonate the victim and to defeat any two-factor authentication that relies on text messages.
With SIM swapping, the attacker effectively takes control of the victim’s phone number. This is not done by stealing or hacking the SIM card itself. Instead, the fraudster contacts the victim’s mobile phone provider, pretends to be the victim (whose phone number they already know) and claims to have lost their phone. The fraudster then asks for the number to be ported to another SIM card or for a replacement SIM card to be issued.
If the fraudster has gathered enough personal information from the Internet or from spyware on the victim’s computer (date of birth, mother’s maiden name, pet’s name, elementary school, PINs or similar), they can credibly pass the provider’s identity questions on the phone and either have the number transferred or order a replacement SIM card and intercept it in the post. In some cases, criminals also work with accomplices employed by the telephone companies. The result is always the same: the criminal ends up with your phone number.
SIM swapping is much more than a nuisance, because fraudsters can use your phone number to do a lot of damage. First of all, they can make calls and pretend to be you: many of your business contacts, both individuals and institutions, have saved your phone number and treat a call or message from it as proof that it is really you, without any further check.
However, fraud using SMS messages is even more popular. This is because many online services now use text messages for two-factor authentication. Due to the many massive data leaks of recent years, cyber criminals have access to millions of usernames and passwords. (Perseus customers can check whether any of their accounts have been affected.) Two-factor authentication is meant to ensure that a leaked password alone is not enough to get at your data – but that protection fails as soon as the attacker can read your text messages. What’s more, many online accounts allow you to reset a forgotten password using a code that is sent to you as – you guessed it – a text message. In that case the attacker needs only your username and control of your phone number to take over your customer accounts with online retailers, banks or other companies; the password is not required at all.
And perhaps the worst case of all: some banks still work with mTANs, i.e. transaction numbers (TANs) that are sent to the customer’s phone as a text message. If someone in such a case knows your online banking credentials and controls your phone number, they can empty your bank account.
The most important thing: act quickly! If you suddenly can no longer make calls or receive text messages even though the phone itself and the network are working normally, contact your mobile phone provider immediately, have the SIM card blocked and ask whether a port or replacement SIM was recently requested on your account.
If you have the option of using a second e-mail account instead of text messages for two-factor authentication, use this option.
As a precaution, you can also contact your mobile phone provider directly and ask them to set up a security PIN on your customer account. Without that PIN, no one can make changes to the account – in particular, no one can port the number or order a new SIM card. Choose a PIN that is not derived from the kind of personal details (date of birth, pet’s name and so on) that can be found online or in a data leak.
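The attack described above (a port-out based on leaked personal details, followed by an SMS password reset that needs only the username) and the port-out PIN recommended as a countermeasure can be seen end to end in the following toy simulation. This is an added example written for this page, not code from Perseus or from any real carrier or online service: `Carrier`, `OnlineService`, the account data and the phone number are all invented stand-ins, and the carrier’s customer-service check is reduced to a handful of knowledge-based questions plus an optional PIN.

```python
"""Toy model of a SIM swap against SMS-based password reset.

Added example, not code from the original article.  Carrier,
OnlineService, LEAKED_KBA and the phone number are invented stand-ins;
no real provider API is modelled.
"""
import hmac
import secrets


class Carrier:
    """Mobile provider: phone number -> current SIM, identity answers, optional PIN."""

    def __init__(self):
        self.accounts = {}
        self.inbox = {}  # sim_id -> list of SMS texts delivered to that SIM

    def register(self, number, sim_id, kba, pin=None):
        self.accounts[number] = {"sim": sim_id, "kba": dict(kba), "pin": pin}
        self.inbox.setdefault(sim_id, [])

    def port_number(self, number, claimed_kba, new_sim, pin=None):
        """Customer-service port-out: the caller must answer every identity
        question correctly and, if a port-out PIN is set, also present it."""
        acct = self.accounts[number]
        if set(claimed_kba) != set(acct["kba"]) or any(
            acct["kba"][q] != a for q, a in claimed_kba.items()
        ):
            return False
        if acct["pin"] is not None:
            if pin is None or not hmac.compare_digest(acct["pin"], pin):
                return False
        acct["sim"] = new_sim  # the number now rings on the new SIM
        self.inbox.setdefault(new_sim, [])
        return True

    def send_sms(self, number, text):
        """Deliver an SMS to whichever SIM currently holds the number."""
        self.inbox[self.accounts[number]["sim"]].append(text)


class OnlineService:
    """Web account whose password reset is protected only by an SMS code."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.users = {}    # username -> {"phone": ..., "password": ...}
        self.pending = {}  # username -> outstanding reset code

    def register(self, username, password, phone):
        self.users[username] = {"phone": phone, "password": password}

    def request_reset(self, username):
        """Anyone who knows the username can trigger this; no password needed."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        self.carrier.send_sms(self.users[username]["phone"], f"Your reset code is {code}")

    def complete_reset(self, username, code, new_password):
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.users[username]["password"] = new_password
        return True

    def login(self, username, password):
        return hmac.compare_digest(self.users[username]["password"], password)


# Constructed sample data: the kind of details found in leaks or on social media.
LEAKED_KBA = {"dob": "1984-03-12", "mother_maiden": "Mueller", "pet": "Rex"}
VICTIM_NUMBER = "+491701234567"  # invented number


def sim_swap_attack(port_out_pin=None, attacker_pin_guess=None):
    """Run the scenario and report whether the attacker ends up logged in."""
    carrier = Carrier()
    carrier.register(VICTIM_NUMBER, "SIM-victim", LEAKED_KBA, pin=port_out_pin)
    shop = OnlineService(carrier)
    shop.register("alice", "correct horse", VICTIM_NUMBER)

    # Step 1: attacker phones the carrier armed with the leaked answers.
    ported = carrier.port_number(VICTIM_NUMBER, LEAKED_KBA, "SIM-attacker", pin=attacker_pin_guess)

    # Step 2: attacker requests a reset knowing only the username.
    shop.request_reset("alice")
    attacker_sms = carrier.inbox.get("SIM-attacker", [])
    logged_in = False
    if attacker_sms:  # the code only arrives here if the port-out succeeded
        code = attacker_sms[-1].split()[-1]
        if shop.complete_reset("alice", code, "pwned"):
            logged_in = shop.login("alice", "pwned")

    return {
        "ported": ported,
        "attacker_logged_in": logged_in,
        "victim_sms": len(carrier.inbox["SIM-victim"]),  # 0 means the victim saw nothing
    }
```

With no PIN on the carrier account, the leaked answers are enough: the number moves, the reset code lands on the attacker’s SIM, and the victim’s own SIM receives nothing, which is exactly the silence that should prompt the call to the provider. With a port-out PIN that the attacker cannot guess, the same call fails and the reset code reaches the victim instead.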