Author Topic: FTC Issues Guidance On Protecting Against SIM Swap Attacks  (Read 703 times)

Offline javajolt

FTC Issues Guidance On Protecting Against SIM Swap Attacks
« on: October 24, 2019, 03:51:43 PM »
The U.S. Federal Trade Commission (FTC) issued guidance on how to protect yourself from SIM swapping attacks used by scammers to take control of your phone number, to bypass SMS-based multi-factor authentication (MFA) on your account, and steal your credentials.

SIM swapping (otherwise known as SIM hijacking, SIM splitting, or SIM jacking) is a type of account takeover (ATO) fraud through which attackers get control of a target's phone numbers.

This is done by convincing their mobile phone service providers to swap the phone number to an attacker-controlled SIM card either with the help of a bribed employee or by using social engineering.

Scammers use one of the following three methods to conduct such an attack, as Santa Clara County District Attorney’s office detective Caleb Tuttle told Brian Krebs:

Quote
The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.

"Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts," the FTC says. "And they could change the passwords and lock you out of your accounts."

SIM swapping defense

The FTC lists the following measures you can take to protect against a SIM card swap attack:

Quote
Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.

Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.

Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.

Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.

Individuals whose phone numbers were stolen in a SIM swapping attack should follow this procedure to minimize the potential damage:

Quote
• Contact your cellular service provider immediately to take back control of your phone number. After you re-gain access to your phone number, change your account passwords.

• Check your credit card, bank, and other financial accounts for unauthorized charges or changes. If you see any, report them to the company or institution.

If the crooks have already taken control of one of your accounts or have already stolen some of your information including but not limited to Social Security, credit card, or bank account numbers, you need to head over to IdentityTheft.gov and follow the steps needed to protect yourself from identity theft.

The FTC also provides detailed info on how to keep personal information secure online and how to efficiently secure personal information on your phone.

FBI-issued SIM hijacking warning

The Federal Bureau of Investigation (FBI) also published a SIM swapping alert in March after observing an escalation in the number of SIM jacking attacks.

"The FBI has seen an increase in the use of SIM jacking by criminals to steal digital currency using the information found on social media," stated Special Agent in Charge John F. Bennett of the FBI San Francisco Division at the time.

"This includes personally-identifying information or details about the victim’s digital currency accounts."

Besides outlining the pattern used by the criminals to run SIM splitting attacks, the FBI also listed several measures to prevent becoming a victim and the following steps to mitigate any harm and report the incident:

Quote
Access your accounts: Attempt to access your online accounts as soon as possible from a secure location or connection and change your password. Email accounts are normally targeted first.

Call your bank: Call your financial institutions to place an alert on your accounts for suspicious login attempts.

Look for unusual activity: Once online accounts have been re-established, view your recent activity to check for any unusual activity. Check for unknown devices associated with the account. Save any indicators of suspicious activity so you can report them to law enforcement.

Call your mobile service provider: Report the incident to a physical location for your mobile service provider after your online accounts have been remediated. Attempt to ascertain when the SIM was ported to a new phone and gather the SIM card number and IMEI from the mobile provider. Save any bad actor SIM and mobile phone information to report to law enforcement.

Call law enforcement: Report the incident to the FBI or your local police department.

Potential victims or anyone observing activity related to SIM swapping attacks can report it to the FBI at tips.fbi.gov or by calling 415-553-7400.

source