SIM hijacking fraud, also known as SIM splitting, port-out scam, SIM swapping or simjacking, is a sophisticated form of identity theft that exploits vulnerabilities in mobile service provider protocols. This attack allows criminals to fraudulently transfer a victim’s phone number to a SIM card under their control.
While it may seem like a simple loss of coverage, the consequences can be devastating: access to personal information, theft of bank accounts or cryptocurrency wallets, and in some cases, irreparable damage to the victim’s reputation.
What is a SIM?
A SIM (Subscriber Identity Module) is a module that stores essential information for mobile communications, such as a phone number and operator authentication data. Traditionally, SIMs are small physical chips that are inserted into mobile devices.
Today, however, there are eSIMs, a digital version built directly into the hardware of modern devices. Both types of SIMs are essential for connecting devices to telephony networks, acting as a bridge between the user’s digital and physical identities.
How does SIM hijacking fraud work?
The SIM hijacking fraud starts with the collection of the victim’s personal information, obtained through social networks, security breaches, phishing emails or social engineering. With this data, the attackers communicate with the victim’s mobile operator, impersonating them and requesting that the phone number be transferred to a new SIM under their control, claiming a lost device or card. Once the transfer is made, the criminals can intercept calls, messages and two-factor authentication (2FA) codes, giving them access to the victim’s accounts.
With this access, they can reset passwords for email, social networks, and financial services; steal funds from bank accounts and cryptocurrency wallets; extort money from the victim; or sell the compromised accounts on illegal markets. They can also damage the victim’s reputation by posting offensive messages on social networks, as in the case of Jack Dorsey, which we will see below.
How to spot a SIM hijacking fraud attack?
Detecting SIM hijacking fraud can be difficult, but there are clear signs that should immediately alert you:
- Sudden loss of mobile coverage: If your phone stops working for no apparent reason, such as losing signal or the ability to make calls, it may be a sign that your SIM has been deactivated or compromised.
- Suspicious notifications: Watch for alerts or emails about password reset attempts or unrecognized logins to your accounts.
- Inability to make calls or send messages: If you are suddenly unable to communicate, your number may have been transferred to another SIM under the attackers’ control.
- Strange social networking posts: If you notice unusual posts or strange messages from your social networking account, criminals may have already taken control.
- Account lockout: Difficulty accessing your email, social media, or online banking services could be a sign that your accounts have been compromised.
- Unauthorized financial transactions: Strange or unauthorized activity in your bank accounts or cryptocurrency wallets is a sign that your financial information may be at risk.
What to do if you are a victim of a SIM hijacking fraud
If you suspect you are a victim of this type of fraud, take immediate action by following these steps:
- Contact your mobile operator: Report the problem, ask them to block the compromised SIM, and ask for a new card. Also, ask for details on how the transfer was made to identify possible operator negligence.
- Protect your financial accounts: Notify your bank or digital platform, freeze affected accounts, and reverse suspicious transactions. In the case of cryptocurrencies, report the incident to the exchange platform and record transaction details to try to trace the assets, although recovery is unlikely.
- Update passwords and authentication methods: Change the passwords on all your accounts, disable SMS-based authentication, and replace it with a more secure authentication application.
- File a lawsuit: Consider filing a complaint with the appropriate authorities, such as the cyber police, and filing a lawsuit against the mobile service provider if their security protocols are found to be negligent. While this recourse often does not result in direct recovery of lost assets, it can set legal precedents that may lead to security improvements or even compensation in some cases.
- Track your accounts: Monitor for suspicious activity across all your digital platforms.
Social networking sites are an important resource for criminals. The personal information you share on these platforms, such as dates of birth, names of family members or pets, and places of work, can be used to impersonate you. In addition, social engineering, which involves emotionally manipulating employees of mobile service providers, is a key tool in this type of fraud.
Jack Dorsey case: An example of a SIM hijacking fraud
This incident occurred in 2019, when Jack Dorsey, co-founder and former CEO of Twitter, fell victim to SIM hijacking fraud. The attackers used the text-to-tweet feature to post offensive messages from his account.
This case demonstrated that even public figures with high levels of security expertise can be vulnerable when criminals exploit weaknesses in mobile authentication systems.
How to protect yourself from SIM hijacking fraud
Taking preventative measures is the best defense against this type of attack. Here are some key recommendations:
- Limit the information you share on social networking sites: Avoid posting data such as your phone number or other personal information that could be used to impersonate you.
- Use application or hardware-based authentication: Replace SMS codes with more secure methods, such as physical authentication keys (U2F or FIDO2) or authentication applications that generate temporary codes.
- Use biometric authentication: If your device allows, enable fingerprint authentication, facial recognition, or iris scanning to add an extra layer of security to access your accounts.
Other important precautions
- Set a PIN for your SIM: Change the default PIN for your SIM card in your phone’s settings. Also, if your operator allows it, enable a number transfer PIN, which makes it harder for attackers to make unauthorized changes.
- Strengthen security with your mobile operator: Ask to set up unique passwords and security questions to access your mobile account. Some carriers also offer real-time alerts for attempted changes to your account or phone number.
- Use a password manager: A password manager tool generates and stores strong passwords for your accounts, minimizing the possibility of compromise due to weak or repeated passwords.
- Link sensitive accounts to more secure methods: Whenever possible, avoid using your phone number to authenticate critical accounts, such as banking services or social networks. Instead, use authentication applications or physical keys.
- Enable security notifications: Set up automatic alerts to detect suspicious activity on your banking, email, and other digital services.
Physical authentication keys: the most advanced solution
Physical authentication keys, based on standards such as U2F (Universal 2nd Factor) or FIDO2, are one of the most secure tools available against SIM hijacking fraud.
What are they and how do they work?
These keys, such as YubiKey or Titan Security Key, require physical presence to authenticate access to your accounts. This eliminates the risk associated with SMS-based authentication because attackers cannot replicate or transfer the physical key.
Benefits of authentication keys:
- Compatibility with multiple platforms, including Google, Microsoft, and Facebook.
- Immunity to remote attacks or spoofing attempts.
- Greater ease of use and speed compared to traditional authentication methods.
Physical authentication keys are the most robust standard against digital fraud. Implementing them on your most important accounts is a fundamental measure to protect against threats such as SIM hijacking fraud.
Conclusion
SIM hijacking fraud is a growing threat that affects both ordinary individuals and public figures. Taking proactive measures, such as implementing advanced authentication standards, and staying vigilant can significantly reduce the risk of falling victim to this sophisticated type of attack.