By BECKY RUTHERFORD
Your cell phone rings: someone claiming to be from Verizon account services is on the other end of the line. They are calling to let you know that your account service is going to be discontinued or suspended unless you update your information – right now.
They might request your PIN, the code that secures your account from unauthorized changes. What should you do? Hang up, and immediately block the number. If they call back from a different number, block that, too. This is likely the first step in an elaborate and painful scam known as SIM swapping.
What is a SIM card swap, and how does it work? First of all, SIM stands for “subscriber identity module”. A SIM card is a small integrated circuit that securely stores your subscriber identity and a secret key, which the carrier’s network uses to identify and authenticate you. Your phone number is not tied to the handset; it is tied to that subscriber record in the carrier’s systems. A SIM swap is when an attacker gets your mobile phone company to move your number onto a SIM card they control. If that happens, you are going to have a terrible time.
There are two legitimate versions of this. When you switch to a new provider, you can “port out” your old number so it follows you to the new carrier’s SIM. When you replace a lost or broken phone, your current carrier can activate your number on a new SIM. Both are convenient for us, but also for the cybercriminals.
If an attacker can use a social engineering technique (calling to tell you service will be disrupted) to scare you out of your PIN, they can immediately use that information to call your cell phone provider. They will tell your provider they are you and that they need to move service to a new cell phone, and they will use the stolen PIN to get this done.
You may not know this has happened until you lose cell phone service, or you might get a text saying your phone number has been moved to a different SIM with the same carrier. In some cases the attacker skips you entirely: they socially engineer your cell phone provider’s support staff, say they forgot their PIN, and talk them into switching service anyway.
So your phone is suddenly dead, what can you expect next? The attacker now receives the calls and text messages meant for you, including the one-time codes and password-reset links that many services send by SMS. They will use that access to try to compromise everything they can – email, bank accounts, social media, etc.
An interesting example of this attack, and its aftermath, can be found here: https://www.zdnet.com/article/how-i-survived-a-SIM-swap-attack-and-how-my-carrier-failed-me/. The victim was Matthew Miller, a tech writer for ZDNet specializing in mobile devices. In this case, the hackers were able to take over his Google and Twitter accounts. They then got access to his bank and charged $25,000 for a Bitcoin purchase. He found out about this when he received a text message reading “T-Mobile alert: The SIM card for xxx-xxx-xxxx has been changed. If this change is not authorized, call 611”. He then had to deal with a nightmarish situation as he tried to regain control of his accounts and his phone, and get back the money stolen from his bank.
So how can you protect yourself from a SIM swap? The first line of defense: be aware of scam calls. If you get an unsolicited call claiming to be from your cell phone carrier and requesting any personal information, it is likely a scam. If they tell you that it is urgent and your service will be “suspended”, they are using fear to socially engineer you. Do not buy into the fear. Hang up. Call your cell phone provider back at the customer service number printed on your bill or listed on the carrier’s own website, never at a number the caller gave you. Your account is likely okay. Block the number. Scammers are quick to rotate through numbers; if you keep getting calls, ignore and block.
Information about scam calls can be found here: https://www.usa.gov/common-scams-frauds
I ignore calls from unknown numbers. If it is important, they can leave me a message. If it is not a message about my “expiring car warranty”, I might even call them back if it seems legit. Unless I am just too busy watching cat videos.
The second line of defense: talk to your cell phone carrier. Do you have a PIN on your account? Is it hard to guess? Some carriers only allow four-digit PINs, which is less than ideal, so at least avoid obvious choices such as a birth year or the last four digits of your phone number. I highly recommend looking into getting a “port freeze” if you are concerned about SIM swapping. A port freeze is when you call your carrier and ask that they not allow your SIM or number to be switched to another phone or carrier.
Some carriers might require you to go into a store in person with ID to lift the port freeze. Given the sheer amount of pain that a SIM swap can cause, I think this is worthwhile. Keep in mind that some SIM swaps have happened because attackers socially engineered the carrier’s staff into swapping the SIM without providing a PIN at all, so a PIN is the floor, not the ceiling. At the very least, make sure that you do have a PIN or some other restriction on your account that prevents your number from being moved to a new SIM or carrier.
Bottom line: unsolicited phone calls about your cell phone service (or anything else, really) being canceled, and requesting your information, are likely scams. Hang up the phone, and make a scammer’s life just a bit harder.
If you have a scam you would like featured, email cyberbeckyLA@gmail.com and I’ll write an article about it.
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.