Just how easy is it to conduct a SIM swap attack and what can the attacker do once they have taken control of your phone number? In short, it’s worryingly easy and the criminals can do a lot once they have the keys to the kingdom.
We hear of SIM swapping – also known as SIM hijacking and SIM swap scams – all the time, and yet many people think it can’t ever happen to them. Indeed, people often tell me that they will never get hacked in any way and they actually even wonder why anyone would even target them. But the truth is that we are part of a huge numbers game for many malicious actors and they will continue to target the low-hanging fruit. So why don’t we just implement a few precautionary methods to reduce this risk?
I will come back to what you can do to mitigate the risks later, but first I want to tell you how I tested a SIM swap attack just so I could generate a talk and help people understand the risks. A real-life story is always better when helping people to be more cyber-aware. In fact, I ran a similar experiment last year when I showed how easy it is to hack anyone’s WhatsApp account by knowing their phone number. It was a very valuable lesson for the colleague-turned-victim.
I have known my friend – a let’s call him Paul – since school and we’ve been close friends ever since. I asked him recently if I could attempt to ethically hack him for the greater good and use anything that came from it in the name of cyber-awareness and helping protect people from future attacks. He was happy to oblige and even thought it would be fun to be part of an experiment.
How SIM swapping works
All I needed to conduct the test was Paul’s real name and phone number. Paul owns a real estate agency that sells luxury properties in one of the most expensive locations in the UK. Much like for many other people, his contact details could be found on his website, plus with some good old-fashioned internet research (or open-source intelligence, aka OSINT) I was able to find a whole lot more.
Acting like a true threat actor, I recorded any information about him that I could find online, as a third party would, without submitting any friend requests or follows on his social media. Although some bad actors could, in fact, request a connection with their targets, I thought this experiment would be best if I kept my distance, as I do in fact know a lot about him.
It didn’t take long to find out a tremendous amount of information about him, especially through his public Instagram feed and wide-open Facebook posts. I was keen to locate dates and numbers that meant something to him, so I dug around for birthdays and anything else that looked of chronological interest. I soon found the birth dates both for Paul and his son – I only needed to look at several public posts he made across his social networks before, during and after their birthdays. It didn’t take a genius to work out the exact days on which they each were born, so I noted these dates of interest and moved on to the next part of the experiment.
Most people in the UK use one of a small number of telecommunication companies, so I decided to start with one. Bingo. I got lucky with the first company, as it was the one he was with. After going through the system and getting hold of the very helpful agent, I said I was Paul and gave his corresponding phone number to which I then had to pass security. The security for most of these telecommunication companies is to prove who you are by giving two digits from a previously agreed PIN code. There will be lots of people who memorize their credit card PIN numbers or the code to unlock their phone, but this is largely due to muscle memory and the need to actively use these codes.
However, I would doubt many people log into their phone provider’s account often enough to have memorized this code. Therefore, people fall into trap 1: using a PIN that is relevant and easily memorable to themselves, such as a birth date.
Which is exactly what came in handy for my experiment. I don’t know how many cracks at the right digits you get, but it is certainly more than one. Suffice to say, then, that as part of the verification process I first submitted ‘1’ and ‘1’ (Paul’s son was born in 2011). It was wrong, but the helpful agent gave me another go. This time I went for ‘8’ and ‘2’ (Paul was born in 1982), to which her reply was that I passed security and was asked to describe my problem in greater detail.
I gave a distressed detailed account of how my phone had been stolen, that it was vital that the SIM card was stopped and that I had purchased a new SIM card and therefore needed it ported across. I had a new SIM card in my hand ready to place into a spare phone. I gave the agent the new SIM number and she said that my number would be ported within a few hours.
At this stage, all Paul would have noticed is that his network signal would have dropped out and no text messages would have landed on his phone. He would still have been able to access the internet should he have been on Wi-Fi, which he actually was, as he was in the office when I called his mobile provider.
Within two hours after turning my spare phone on and off multiple times, I was granted full access to Paul’s number. I tested it by ringing my phone from my spare phone and true to the word of the agent, this new SIM in my spare phone was now acting as Paul, as his name appeared on my phone when it rang. This is where the danger really can start.
The consequences of the attack
I knew it was only a matter of time before Paul would figure something was up, so I went to his website and noted the host, which was a popular website builder. I was able to use his email address against the “forgotten password” link (a hacker’s favorite button) to submit my request and see what would happen.
As he is moderately aware of cyberattacks, he had two-factor authentication (2FA) set up but to my joy, only via SMS – trap 2. I clicked through the appropriate pages and within seconds I had a code sent via SMS to my spare phone. I entered this back on the website and hey presto, I was given the opportunity to change his password.
I could have potentially continued completing similar actions on his social media and web-based email too, but I thought I had made my point and decided to retract. While I was there though, I did think it would be fun to place a huge smiling mugshot of myself on his front page which made for an interesting chat when I rang him on his landline to tell him his updated website was looking great currently. Needless to say, he was gobsmacked with what he saw, but was more impressed at how quickly I had taken control of his most valuable asset.
How to protect yourself from SIM swap fraud
Anyone reading this will now hopefully be wondering how they can protect their accounts. There are two main ways to thwart SIM swap attacks:
- Never use anything linked to you in your PIN codes or passwords.
- Where possible, replace SMS-based 2FA with an authenticator app or physical security key.
This would have stopped me from gaining access to Paul’s mobile phone account, but more importantly, it would have stopped me from changing his passwords. Once these are stolen, criminal hackers can easily block the genuine account holders out of their accounts and it can be extremely difficult or even impossible to regain control over them. The consequences can be particularly dire for your bank, email and social media accounts.
As for Paul, I gave him access back to his SIM and website, helped him set up an authenticator app and he changed his mobile phone provider’s PIN code. I also helped him remember this code by way of teaching him the ways of a password manager. Just as importantly, I advised him to stop sharing sensitive personal information on social media and to limit the number of people who can see his posts or other material there.