Hello everyone and welcome to ZD Tech, ZDNet’s daily editorial podcast. My name is Louis Adam and today I will explain to you why so-called “SIM Swapping” attacks are so dangerous.
“SIM Swapping”, or “exchange of SIM cards” in French, is the name given to a type of attack that has proven to be terribly effective in recent years. This technique has been used both to hack anonymous people and empty their bank accounts as well as to connect to the account of the boss of Twitter and publish racist messages.
The heart of SIM Swapping is to succeed in recovering a SIM card assigned to a subscriber by an operator. And to achieve this, all means are good: one can for example call the after-sales service of the operator and pretend to be the victim in order to request the sending of a new SIM card.
Attackers who launch a SIM card replacement procedure themselves
Of course, there are some checks: the service department asks for certain information before approving the shipment, but by collecting information on the target, through an open source search or via upstream phishing, we can quite easily circumvent these protections.
And if the soft way doesn’t work, attackers have other options. In the United States, we have seen telephone operators have their accounts and computers used by their after-sales service hacked. The objective: to allow attackers to initiate a SIM card replacement procedure themselves. In some cases, employees of telephone operators have even been directly corrupted by cybercriminals in order to trigger this type of procedure.
For the victim, it is difficult to deal with this type of hacking. When the attacker activates the new SIM, she loses access to the internet and the mobile network on her phone. And generally, it loses in the wake of access to its main online accounts – e-mail, social networks – these being quickly reset by the hacker who wishes to take control of them.
The ball is in the court of the operators more than the subscribers
The only solution to solve the problem: contact your operator, report the attack and ask to have the new SIM card obtained by the pirates blocked.
Unfortunately, this can take a little time.
To protect against SIM swapping, the ball is in the court of the operators more than the subscribers.
It is indeed up to the operators to put in place robust identity verification measures before activating new SIM cards. In France, operators promise that this type of attack remains marginal for the moment. For a victim, the best protection remains the use of a physical security key for multi-factor authentication rather than SMS-based authentication.