In honor of my Caught Dead in Wyoming mystery series, my assistant Kay Coyte is writing a series of consumer tips for my newsletter and blog, inspired by TV reporter Elizabeth Danniher.
We live on our cell phones these days, with text messaging, photo snapping, bill paying, grocery shopping, video playing and more. (In Hot Roll, for example, the dependence on phones is critical to the investigation Elizabeth and friends undertake after the death of Jennifer’s friend.) So any scams involving your phone raise big red flags. A recent VICE investigation alerted me to the issue of SIM card swapping (aka SIM splitting or simjacking), an account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message or call placed to a mobile telephone. SIM, by the way, is an acronym for subscriber identity module.
The fraud exploits those occasions when your phone is lost or stolen or you’re switching service to a new phone. But it begins when the criminal gets your personal details, whether through phishing emails, by buying them from underground sources or by gathering them from your social media. Tip: As tech whiz Jennifer suggests in Look Live, lie! There’s no law saying your Facebook profile has to be accurate.
After the criminals get your personal data, they convince your mobile telephone provider to port your phone number to whatever phone the new SIM card is in. In some cases, SIM numbers are changed directly by telecom company employees bribed by criminals.
Now your phone is cut off from the network, and the criminal will receive all your texts and voice calls. This includes any one-time codes or passwords sent via text or voice, thwarting security features of bank accounts, retailers, credit card companies, etc. In a matter of minutes, your cash could be cleaned out.
A Princeton study released in January found that Verizon, AT&T, T-Mobile, Tracfone and US Mobile all were using vulnerable procedures with their customer support centers, procedures that attackers could use to conduct SIM swapping attacks. At about the same time, VICE reported that hackers are breaking into telecom companies, including AT&T, Sprint and T-Mobile, to do the SIM swapping themselves.
The Federal Trade Commission, which first reported on this scam in October 2019, offered advice on how to protect yourself from a SIM swap attack:
– Don’t reply to calls, emails or text messages that request personal information. These could be phishing attempts to get personal information to access your cell phone, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
– Limit the personal information you share online. (Google yourself to get an idea of just what’s out there.) Avoid posting your full name, address, or phone number on public sites.
– Set up a PIN or password on your cell phone account.
– Use stronger authentication on accounts with sensitive personal or financial information. Consider using an authentication app or a security key.
– Check your credit card, bank, and other financial accounts regularly for unauthorized charges or changes. Report any suspicious activity to the company or institution.
For an overview of SIM scams, including details on how to contact specific mobile phone providers, check out online tech magazine CNET’s March 30 report by Jason Cipriani.