How SIM Swapping Works

SIM swapping (or SIM jacking, SIM hijacking) is a social engineering technique in which an attacker gains control over a victim's phone number by redirecting it to a SIM card in their possession. This allows them to receive SMS, calls, and data, including two-factor authentication (2FA) codes, which gives them access to the victim's accounts (social networks, banks, crypto wallets, etc.).

How does SIM swapping work?

1. Collecting information about the victim

The attacker collects the victim's personal data, which is necessary to confirm the identity to the telecom operator:
  • Name, surname, date of birth.
  • Registration address.
  • Passport number or Taxpayer Identification Number (TIN).
  • Mother/father's name (often used as a security question).
  • Data on previous interactions with the operator (for example, history of SIM card replacement).

Sources of information:
  • Social networks (Instagram, Facebook, LinkedIn).
  • Data leaks (via darknet databases).
  • Phishing attacks (e.g. fake forms to collect data).

2. Contacting your telecom operator

The attacker contacts the victim's mobile operator, posing as the victim. To be convincing, he may:
  • Use fake documents (for example, a scan of the victim’s passport).
  • Sound confident when referring to "lost SIM card" or "phone malfunction."
  • Use geolocation (for example, call from a number registered in the victim's region).

Example scenario:
  1. The attacker calls the operator's support service and says:
    "I lost my phone, I urgently need a new SIM card. Can I get it at the office today?"
  2. The operator asks for proof of identity (for example, mother's name). The attacker provides previously collected data.
  3. The operator blocks the old SIM card and activates a new one in the name of the victim, but at the disposal of the attacker.

3. Data interception

After activating a new SIM card:
  • All calls and SMS from the victim begin to arrive on the attacker’s device.
  • He can reset passwords of the victim's accounts using the SMS recovery feature.
  • For example, if the victim uses SMS codes for 2FA, the attacker gains access to their bank account or crypto wallet.

Attack Example: How SIM Swapping Led to Cryptocurrency Theft

  1. The attacker finds a user on social networks who owns bitcoins.
  2. Collects his data through a phishing campaign (for example, a fake bank website).
  3. Calls the operator and intercepts the victim's SIM card.
  4. Resets passwords for cryptocurrency exchanges (for example, Binance) via SMS codes and withdraws funds to their own wallet.

Why is SIM swapping dangerous?

  1. Access to critical accounts:
    • Bank accounts (via SMS confirmation).
    • Crypto wallets (e.g. Coinbase, Binance).
    • Social networks (for further attacks on the victim's friends).
  2. Loss of control over number:
    The victim is left without communication until they restore the SIM card through the operator.
  3. Difficulty in proving guilt:
    Operators often do not admit their responsibility, and the victim must prove that they were the target of an attack.

How to protect yourself from SIM swapping?

1. Ditch SMS codes in favor of more secure 2FA methods

  • Use hardware tokens (e.g. YubiKey) or authenticator apps (Google Authenticator, Authy, Microsoft Authenticator).
  • Set up a secure key with Google and Apple to sign in to your account.

2. Add carrier protection

  • Set a PIN or password to access your account with your operator.
  • Turn on notifications for any changes to your account (for example, changing your SIM card).

3. Limit access to personal data

  • Do not publish in the public domain:
    • Date of birth.
    • Registration address.
    • Mother/Father's name.
  • Use a private profile on social networks.

4. Check active sessions regularly

  • In your accounts (mail, social networks, banks), check the list of active devices and log out of suspicious sessions.

5. Use virtual numbers

  • To register with services, use virtual numbers (for example, through services like Google Voice or TextNow).

Legal implications

SIM swapping is considered a crime in most countries:
  • USA: Violation of the Computer Fraud and Abuse Act (up to 10 years in prison).
  • Russia: Article 162 of the Criminal Code of the Russian Federation (theft or extortion of funds through SIM swapping).
  • EU: GDPR violation (unauthorized access to personal data).

Educational Resources

If you want to learn about protection against SIM swapping and other attacks:
  • Books: "Hacking Exposed 7" (McGraw-Hill), "The Art of Invisibility" (Kevin Mitnick).
  • Platforms: TryHackMe (social engineering courses), OWASP.
  • Certifications: CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional).

Summary

SIM swapping is a dangerous attack that exploits weaknesses in the identity verification system. Never use SMS codes as the only method of protection. Instead, use hardware tokens, restrict access to personal data, and work with your carrier to improve security. If you are interested in practical examples or code for training in protection, let me know!
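
The chain described in the post above (SIM change, then SMS password reset, then withdrawal) can be caught on the service side. The following is an added example, not part of the original post: it assumes the service receives a SIM-change signal for the customer's number, and the event names, schema and 72-hour hold window are all hypothetical.

```python
from datetime import datetime, timedelta

# Assumption: hold window chosen for illustration, not a value from the thread.
HOLD_WINDOW = timedelta(hours=72)
# Actions that depend only on possession of the phone number.
SMS_BOUND = {"sms_password_reset", "sms_2fa_withdrawal"}

# Constructed sample events (hypothetical schema): (ISO time, account, event type)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "sms_2fa_withdrawal"),  # no SIM change on record
    ("2024-03-02T10:00:00", "bob", "sim_change"),            # SIM reissue signal
    ("2024-03-02T10:20:00", "bob", "sms_password_reset"),
    ("2024-03-02T10:35:00", "bob", "sms_2fa_withdrawal"),
    ("2024-03-02T11:00:00", "bob", "totp_withdrawal"),       # not bound to the number
    ("2024-03-06T12:00:00", "bob", "sms_password_reset"),    # outside the window
]

def review_events(events, window=HOLD_WINDOW):
    """Return (time, account, event, decision); decision is note, hold or allow."""
    last_sim_change = {}
    decisions = []
    # ISO timestamps in one format sort chronologically as strings.
    for ts, account, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "sim_change":
            last_sim_change[account] = when
            decisions.append((ts, account, kind, "note"))
            continue
        changed = last_sim_change.get(account)
        recent = changed is not None and when - changed <= window
        # Hold SMS-bound actions shortly after a SIM change for manual review.
        decision = "hold" if kind in SMS_BOUND and recent else "allow"
        decisions.append((ts, account, kind, decision))
    return decisions

def held_accounts(events, window=HOLD_WINDOW):
    """Accounts with at least one held action, for the review queue."""
    rows = review_events(events, window)
    return sorted({acct for _, acct, _, d in rows if d == "hold"})

if __name__ == "__main__":
    for row in review_events(SAMPLE_EVENTS):
        print(*row)
```
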
 

SIM Swapping: How It Works and How to Protect Yourself

SIM swapping (SIM swap fraud) is a type of fraud in which an attacker transfers the victim's number to their SIM card, gaining control over SMS, calls, and two-factor authentication (2FA).

How does SIM swapping work?

1. Collecting information about the victim

Fraudsters are looking for data:
  • Phone number (via social networks, database leaks).
  • Full name, date of birth (from leaked data or phishing).
  • Operator data (e.g. through social engineering or leaks).

2. Social engineering (deceiving the operator)

The attacker calls the mobile operator's support service (or comes to the store) and introduces himself as the owner of the number, claiming that:
  • "Lost my phone" and need a new SIM card.
  • "SIM card is damaged" and needs to be replaced.
Sometimes they use fake documents or leaked data for verification.

3. Activating a new SIM card

If the operator confirms the “identity” of the fraudster:
  • The victim's old SIM card is blocked.
  • The number is linked to the attacker’s new SIM card.

4. SMS interception, 2FA and account login

Now the fraudster can:
  • Receive SMS codes to log into banks, social networks, crypto wallets.
  • Change passwords via "SMS recovery".
  • Conduct transactions on behalf of the victim.

Examples of attacks

  • Hacking a bank account - if SMS banking is linked.
  • Cryptocurrency theft - if the exchange uses SMS-2FA.
  • Hacking social networks (Telegram, Instagram) - if recovery via SMS is enabled.

How to protect yourself?

1. Use alternative 2FA methods

  • Google Authenticator / Authy (TOTP codes).
  • Hardware keys (YubiKey).
  • Biometrics (Face ID, Touch ID).

2. Set a PIN code for the SIM card

This will prevent reissue without entering the PIN.

3. Enable additional protection with your operator

  • Ask to set a code word for SIM replacement.
  • Disable remote reissue.

4. Don't publish your number in open sources

  • Avoid posting your number on social media.
  • Use virtual numbers for registrations.

5. Monitor for suspicious activity

  • If your phone suddenly loses network connection, call your operator immediately.
  • Check for SIM reissue notifications.

Legality and consequences

SIM swapping is a criminal offense (fraud, hacking). In the US, EU and Russia, such attacks are punishable by fines and prison.

Be careful and minimize your dependence on SMS authentication!
 

What is SIM swapping?

SIM swapping (or SIM substitution) is a type of fraud in which criminals gain control of a victim’s phone number by reassigning it to a new SIM card in their possession. This allows them to intercept calls, text messages, and most importantly, one-time verification codes (OTPs), which are often used for two-factor authentication (2FA).

How does SIM swapping work?

  1. Gathering information about the victim: Fraudsters use phishing, data leaks or buying information on the dark web to obtain personal information of the victim, such as name, address, phone number and even passport details.
  2. Carrier fraud: Fraudsters contact the mobile operator, posing as the owner of the number. They may claim that the SIM card has been lost or damaged and ask to activate a new SIM card. They use stolen data or forged documents to verify identity.
  3. Gaining control over the number: Once the new SIM card is activated, the scammers gain full access to the victim's phone number. This allows them to:
    • Intercept SMS with confirmation codes.
    • Access bank accounts, cryptocurrency wallets and other accounts associated with a phone number.

Examples of SIM Swapping Attacks

  • $400 Million FTX Theft: In 2022, a group of scammers used SIM swapping to steal cryptocurrency from the FTX exchange. They forged the victim's documents, obtained a duplicate SIM card, and intercepted the confirmation codes for the withdrawal.
  • SEC Twitter Account Hack: In 2024, scammers gained access to the SEC Twitter account via SIM swapping, allowing them to post false information that caused the price of Bitcoin to spike.

How to protect yourself from SIM swapping?

  1. Avoid using SMS for 2FA: Use authenticator apps (like Google Authenticator) or hardware security keys (like YubiKey) instead.
  2. Set a PIN on your SIM card: Many operators allow you to set an additional PIN to protect against unauthorized changes.
  3. Limit access to personal information: Do not post your contact information, such as your phone number or address, online.
  4. Use complex passwords and password managers: This will make it difficult for someone to access your accounts even if your phone number is compromised.
  5. Set up account login notifications: This will help you quickly spot suspicious activity.

What to do if you are a victim of SIM swapping?

  • Contact your carrier immediately to regain control of your number.
  • Change the passwords for all accounts associated with the phone number.
  • Check bank and other financial accounts for unauthorized transactions.
  • Report the fraud to the police and your service provider.

SIM swapping is a serious threat, but taking precautions can greatly reduce your risk of becoming a victim.
 