SIM swapping (or SIM jacking, SIM hijacking) is a social engineering technique in which an attacker gains control over a victim's phone number by redirecting it to a SIM card in their possession. This allows them to receive SMS, calls, and data, including two-factor authentication (2FA) codes, which gives them access to the victim's accounts (social networks, banks, crypto wallets, etc.).
How does SIM swapping work?
1. Collecting information about the victim
The attacker collects the victim's personal data, which is needed to confirm identity to the telecom operator:
- Name, surname, date of birth.
- Registration address.
- Passport number or Taxpayer Identification Number (TIN).
- Mother/father's name (often used as a security question).
- Data on previous interactions with the operator (for example, history of SIM card replacement).
Sources of information:
- Social networks (Instagram, Facebook, LinkedIn).
- Data leaks (via darknet databases).
- Phishing attacks (e.g. fake forms to collect data).
2. Contacting the telecom operator
The attacker contacts the victim's mobile operator, posing as the victim. To be convincing, they may:
- Use fake documents (for example, a scan of the victim's passport).
- Sound confident when referring to "lost SIM card" or "phone malfunction."
- Use geolocation (for example, call from a number registered in the victim's region).
Example scenario:
- The attacker calls the operator's support service and says: "I lost my phone, I urgently need a new SIM card. Can I get it at the office today?"
- The operator asks for proof of identity (for example, mother's name). The attacker provides previously collected data.
- The operator blocks the old SIM card and activates a new one in the name of the victim, but at the disposal of the attacker.
3. Data interception
After the new SIM card is activated:
- All calls and SMS addressed to the victim's number begin to arrive on the attacker's device.
- The attacker can reset the passwords of the victim's accounts using the SMS recovery feature.
- For example, if the victim uses SMS codes for 2FA, the attacker gains access to their bank account or crypto wallet.
Attack Example: How SIM Swapping Led to Cryptocurrency Theft
- The attacker finds a user on social networks who owns bitcoins.
- Collects the victim's data through a phishing campaign (for example, a fake bank website).
- Calls the operator and takes over the victim's SIM card.
- Resets passwords on cryptocurrency exchanges (for example, Binance) via SMS codes and withdraws funds to their own wallet.
Why is SIM swapping dangerous?
- Access to critical accounts:
- Bank accounts (via SMS confirmation).
- Crypto wallets (e.g. Coinbase, Binance).
- Social networks (for further attacks on the victim's friends).
- Loss of control over the number:
The victim is left without communication until they restore the SIM card through the operator.
- Difficulty in proving guilt:
Operators often do not admit their responsibility, and the victim must prove that they were the target of an attack.
How to protect yourself from SIM swapping?
1. Ditch SMS codes in favor of more secure 2FA methods
- Use hardware tokens (e.g. YubiKey) or authenticator apps (Google Authenticator, Authy, Microsoft Authenticator).
- Set up a security key for signing in to your Google and Apple accounts.
2. Add carrier protection
- Set a PIN or password to access your account with your operator.
- Turn on notifications for any changes to your account (for example, changing your SIM card).
3. Limit access to personal data
- Do not publish in the public domain:
- Date of birth.
- Registration address.
- Mother/Father's name.
- Use a private profile on social networks.
4. Check active sessions regularly
- In your accounts (mail, social networks, banks), check the list of active devices and log out of suspicious sessions.
5. Use virtual numbers
- To register with services, use virtual numbers (for example, through services like Google Voice or TextNow).
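The notification and session checks above can be combined into one review: once the operator reports a SIM change, any SMS-based password reset or new-device login shortly afterwards deserves attention. The sketch below is an added example, not part of the original post; the event layout, field names and the 48-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not real logs): operator notifications and
# account activity for one user. Tuple layout is an assumption:
# (timestamp, source, event kind, detail).
EVENTS = [
    ("2024-05-01T09:00:00", "bank", "login", "device=known"),
    ("2024-05-03T14:02:00", "carrier", "sim_changed", ""),
    ("2024-05-03T14:10:00", "exchange", "password_reset", "channel=sms"),
    ("2024-05-03T14:12:00", "exchange", "login", "device=new"),
    ("2024-05-03T14:30:00", "mail", "password_reset", "channel=authenticator"),
    ("2024-05-09T08:00:00", "bank", "password_reset", "channel=sms"),
]

WINDOW = timedelta(hours=48)  # assumed review window after a SIM change


def parse(events):
    """Convert timestamps and return the events in chronological order."""
    return sorted(
        (datetime.fromisoformat(ts), src, kind, detail)
        for ts, src, kind, detail in events
    )


def suspicious_after_sim_change(events, window=WINDOW):
    """Return (source, kind, delay) for SMS resets and new-device logins
    that occur within `window` after the most recent SIM change."""
    findings = []
    last_swap = None
    for ts, src, kind, detail in parse(events):
        if src == "carrier" and kind == "sim_changed":
            last_swap = ts
            continue
        if last_swap is None or ts - last_swap > window:
            continue  # no SIM change seen yet, or it is too old to matter
        sms_reset = kind == "password_reset" and "channel=sms" in detail
        new_device = kind == "login" and "device=new" in detail
        if sms_reset or new_device:
            findings.append((src, kind, ts - last_swap))
    return findings


if __name__ == "__main__":
    for src, kind, delay in suspicious_after_sim_change(EVENTS):
        print(f"review {src}: {kind} {delay} after SIM change")
```

The reset done through an authenticator app is not flagged, because it does not depend on the phone number.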
Legal implications
SIM swapping is considered a crime in most countries:
- USA: Violation of the Computer Fraud and Abuse Act (up to 10 years in prison).
- Russia: Article 162 of the Criminal Code of the Russian Federation (theft or extortion of funds through SIM swapping).
- EU: GDPR violation (unauthorized access to personal data).
Educational Resources
If you want to learn about protection against SIM swapping and other attacks:
- Books: "Hacking Exposed 7" (McGraw-Hill), "The Art of Invisibility" (Kevin Mitnick).
- Platforms: TryHackMe (social engineering courses), OWASP.
- Certifications: CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional).