You may have heard that using text messages as a second factor or 2FA code to protect your logins is less secure than other forms like apps or keys. You may even know this is because of something called SIM Swapping. Are there any legitimate uses/functions to swapping/cloning?
Featuring Tom Merritt.
Please SUBSCRIBE HERE.
A special thanks to all our supporters–without you, none of this would be possible.
Thanks to Kevin MacLeod of Incompetech.com for the theme music.
Thanks to Garrett Weinzierl for the logo!
Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit
Send us email to [email protected]
Episode transcript:
You pick up your phone and there’s no service. You’re not getting text messages. And shortly you notice somebody is posting on your Facebook account. And you can’t log in anymore.
You’ve been SIM swapped.
You may have heard that using text messages as a second factor or 2FA code to protect your logins is less secure than other forms like apps or keys.
You may even know this is because of something called SIM Swapping.
But I bet a lot of you have the same question Mike has. Mike emailed Daily Tech News Show and asked “I hear y’all talk about how 2FA via SMS (text messages) is bad because of SIM Swapping. …but what *is* SIM Swapping. It sounds like if my SIM was swapped then my phone would stop working – I wouldn’t be getting my messages or be able to make phone calls. Would ‘SIM Cloning’ be a better term? Why is SIM swapping/cloning even allowed by the carriers? Are there any legitimate uses/functions to swapping/cloning?”
You understand more than you know Mike.
Let’s help you know a little more about SIM swapping.
The only legitimate SIM swapping would be if you pull out a SIM card from your phone and put in a new one yourself. The SIM in SIM card stands for Subscriber Identity Module. It’s a way of identifying what account is associated with the phone. Since the 1990s it’s existed as various sizes of little plastic cards with a chip on one end. You insert it in a SIM slot in your phone and the phone uses that information to identify you on the network. That way your phone gets calls and text messages meant for your number. And the data service you pay for is delivered.
Why is this helpful? Well if a phone is locked to a certain provider it’s not. The cell phone provider will only let you use the SIM it wants you to.
However if your phone is unlocked, you can put whatever SIM in it you want. As long as that SIM is authorized on the network, the phone will use it to get your calls and texts. So if you pull your T-Mobile SIM out of an unlocked iPhone and put it in an unlocked Samsung Galaxy S23, the S23 will get calls and texts that you used to get on the iPhone. And you can put it back in the iPhone and carry on as well.
Some phones even have dual SIM slots so you can switch between two providers without having to remove the SIM cards. Handy for people who travel between regions with different providers.
But none of this is what people mean when they say SIM swapping.
Sim Swapping is generally used to apply to malicious activity. You may hear it called simjacking, or SIM splitting. But it’s essentially the idea of an attacker getting the phone carrier to swap your account to a new SIM card that the attacker owns.
You may have done a legitimate form of this kind of SIM swap when you activated a new phone. Unless you moved the SIM card from your old phone to a new phone, you probably went through some kind of process, whether in a store, over the phone or even just over the internet- to tell the carrier that the SIM card in the new phone should be associated with your account not the one in the old phone. You may not have realized that’s what you were doing, but as soon as your phone number started working on the new phone, the SIM had been swapped. Your new SIM card was swapped into the database in place of the old one. The old phone no longer works with your number.
Malicious SIM swapping does this without your approval.
To do it they have to make a phone call. Because when you set up a new phone, you usually have the old phone nearby as you switch. A malicious actor wants to change the SIM card on your account without your knowledge.
Going into a store could work but it’s a little riskier since they have to show their face. So most SIM swapping is done with a call.
On the call the carrier will ask them things about you. To prepare for the call the attacker will collect as much personal info about you as possible. Usually a phishing attack is used on the target. They might send an email that appears to be from your phone company asking you to confirm account info, possibly by logging in. Any link in that email would be to a site they control that can capture your info when you log in. That’s just one example. But it’s a major reason why you should not trust every link in an email and never email person info.
It’s not the only method though. An attacker might be able to find the personal info they need for sale. If your info was available in a data breach they may be able to get what they need without phishing you.
Whatever method they use they’re trying to gather as much info as they can, birthday, passwords, account numbers, street you grew up on, whatever they can. They’ll need it for the next step.
Once they have the info they call the phone company and say they need to move their account to a new SIM card. This is not itself a suspicious request. People legitimately do it all the time. Maybe they lost their SIM card somehow while swapping it between phones. Maybe they bought a used phone. These aren’t super common reasons but they’re common enough — that carriers need to be able to support them– when legitimate.
So the carriers try to ask you questions only you would know the answer to in order to verify your identity. They could just push a message to your existing phone right? But what if that’s why you’re swapping the SIM. Maybe the phone and the old SIM card are damaged.
Whatever the case, the attacker will pretend they’re a legitimate users who can’t use any of those methods. But they will use what info they collected about you to answer the questions carriers throw at them to convince them they are you. If they have enough info they may be able to answer all of them. And if they do, they can successfully get the carrier to transfer the account to the SIM they have. Once they do that they can put that SIM in a phone they have and get access to your calls and text messages.
And once they have that access they can try logging into your accounts. If they have your passwords and the account is protected by text message codes, they’ll get the codes and be able to get into your accounts. They can also use the phone number for voice or text account recovery on many accounts, to take control that way.
It’s possible for the attackers to add a device instead of replace yours, but they’re likely to get caught faster as you’ll see all the text message codes too. So more often than not they will replace your device. Your device will suddenly stop working. Most people will assume it’s a bug or a glitch. But even if you assume it’s a SIM swap you’ll have to visit the carrier in person and convince them of that. And even in a small amount of time the attackers can gain a lot of access.
You may wonder why carriers don’t do more to stop Sim Swaps. The problem is that most people really aren’t targets and the carriers calculate, reasonably, they would inconvenience a large amount of people for no reason.
The FCC is drafting rules to prevent SIM swapping in the US. And some carriers now require SMS verification or verification by two employees that you are who you say you are before a SIM is transferred.
Most carriers do offer preventative measures you can choose to enact to help prevent SIM swaps.
You can lock your phone number to a SIM. This can be called Port Freeze or Number Lock. Port freeze because you can’t port a number to a new phone. Number lock because the number is locked to a SIM card. It means you cannot move your number to another SIM card. You can melt the freeze or unlock the number with either PIN or by visiting a store and showing ID.
Most carriers let you sign up for alerts to send you anytime a phone number or SIM card is changed. You should turn those on.
Beyond that you should do the things you would usually do to protect your personal info.
Don’t click on links from people you don’t know. Don’t offer personal info over email unless you are VERY certain of who you’re sending it to. Phone carriers and banks will never ask for sensitive info over email. Protect your account with authentication apps or security keys. If you protect your account wit a second factor over text message, well it won’t protect you from SIM swapping. But if you’re using an authenticator app– and not text messaging too- just the authenticator app, then SIM swapping won’t allow an attacker to get into that account.
So yes Michael SIM swapping does shut your phone off but that’s not protection against the SIM swapping. These attackers can work fast.
Hope that answers your question. In other words, I hope you Know a little More about SIM swapping.