Contact

News

SIM swapping 2.0

SIM swappers, cybercriminals who try to take over victims' mobile phone numbers, have further developed their methods. The SIM swappers have come up with a way to take over/move the phone number to a new eSIM card.

eSIMs

eSIMs, or Embedded Subscriber Identity Modules, are digital SIM cards stored on a rewritable chip in the mayority of recent smartphone models, allowing them to be reprogrammed, and activated or deactivated remotely.

Unlike physical SIM cards, it is easy for users to add an eSIM to a compatible device by scanning a QR code provided by their service provider. This technology is gaining popularity because it eliminates the need for a SIM card slot and enables mobile connectivity on small portable devices, for example the eSIM in smartwatches.

SIM swappers worldwide use these eSIMs to hijack phone numbers and bypass protection measures to access bank accounts (among other things).

Then and now

Previously, SIM swappers relied on social engineering [1] or collaboration with insiders [2] at mobile carriers. However, as companies implemented more protection systems, cybercriminals turned to new technologies.

Attackers now access a user's account with the telecom provider using stolen, brute-force, or leaked credentials, and initiate porting the number to another device. They do this by generating a QR code via the hijacked mobile account, which is then used to activate a new eSIM, effectively hijacking the number. At the same time, the eSIM/SIM of the legitimate owner is deactivated.

By gaining access to the victim's mobile phone number, cybercriminals can obtain access codes and two-factor authentication for various services, including codes from banks and messaging services.

An added benefit for the attackers is that by transferring the number to their device, they can access accounts in various messaging apps linked to the SIM number, giving them more opportunities to defraud others, such as posing as the victim and persuade them to transfer money.

What can you do to defend yourself against eSIM swapping?

  1. Enable 2FA (Two-factor authentication) as much as possible. For valuable accounts such as your bank and/or cryptocurrency wallets, use a 2FA method that uses a physical key or a dedicated authenticator app such as Google Authenticator.
  2. Use unique and complex passwords for your account with your telecommunications provider. Be especially careful not to use this password on other websites or services. Do you find it difficult to generate or remember many unique passwords? Use a password manager! This initially takes some time and energy to arrange, but in the end it will be rewarding and offers higher protection.

Are you unsure whether your data is involved in data breaches?

On the website https://haveibeenpwned.com you can check whether your email address(es) or telephone number(s) appear in many of the known data breaches. If your data is involved in a data breach, your login details (such as your username and/or password) will circulate somewhere on the internet. A positive hit within haveibeenpwned always states which data is involved in the data breach.

[1] Social engineering is the manipulation of people to obtain confidential information or induce them to take certain actions.

[2] https://www.justice.gov/usao-nj/pr/former-telecommunications-company-manager-admits-role-sim-swapping-scheme

 

If you want to learn more about these types of fraud methods, follow one of our cybercrime training courses .