Manfred Bremmer deals with (almost) everything that falls into the areas of mobile computing and communications. He prefers to take a close look at mobile solutions, operating systems, apps and end devices and check them for their business suitability. Bremmer is interested in gadgets of all kinds and also tests them.
Since practically everyone now owns a cell phone or smartphone and carries it with them at all times, mobile devices are increasingly being used to verify personal identity, especially for online services. To do this, a one-time passcode is sent to the user’s cell phone via SMS or voice call. The user must then enter the code for authentication on a website or in an app, possibly as part of a multi-factor authentication (MFA) or to recover an account.
Cell phone users beware: Criminals take advantage of the trick with the replacement SIM card to access personal services such as online banking.
Photo: Prostock-studio – shutterstock.com
This is a user-friendly and supposedly secure method. But the fact that most users have their mobile numbers linked to bank, email and social media accounts also attracts attackers. If they gain control of someone else’s cell phone number via SIM swapping, they can use it for a variety of criminal purposes: the attacker receives all SMS messages and calls intended for the victim, and can also send texts or make calls himself, for example to chargeable premium services abroad.
He is also able to take over (almost) the victim’s entire online presence by hijacking accounts that require cellular-based authentication (e.g. Twitter) or that allow the password to be reset via the phone number, which includes Gmail, Facebook and Instagram, for example. Prominent victims include Twitter co-founder and CEO Jack Dorsey and actress Jessica Alba: their Twitter accounts were hacked via SIM swapping and then used to post offensive messages on the platform.
It becomes more expensive if the victim uses the mTAN or smsTAN procedure to authorize online transfers, i.e. the bank sends the transaction number to the customer by text message. If the hacker also has the login credentials for online banking, he can empty the victim’s account from the comfort of his own home. That this method is used not only across the pond but also in this country is documented by a report from the Bavarian Cybercrime Center (Zentralstelle Cybercrime Bayern), which in mid-2019 arrested a trio of criminals who had used SIM swapping to gain access to at least 27 other people’s bank accounts and make wire transfers.
How SIM swapping works
The preferred method for hijacking a mobile phone number is SIM swapping, also known as a SIM swap or SIM hijacking. SIM swapping is usually done through the customer portal or the customer hotline of the mobile provider. The hacker pretends to be the victim and requests a new SIM, claiming for example that the cell phone and SIM card have been lost or that the SIM card’s form factor no longer fits the new smartphone. Alternatively, he cancels the contract and applies to port the phone number to a new provider.
In both cases, of course, it is not enough just to provide the mobile phone number; the hacker must supply additional personal information about the victim, such as date of birth, address or customer password, data that he has gathered from social networks, obtained via phishing emails or bought on the darknet, for example. When calling the service center of the mobile phone provider, a little persuasion combined with more easily obtainable data can be enough for the employee to comply with the change request despite the lack of proper proof of identity.
In the case of conventional SIM cards, the attacker must then obtain the physical SIM, for example by intercepting the letter from the mobile network provider or by giving a different delivery address. This is easier with an eSIM, which is supported by the last two smartphone generations from Apple and Google: here, the eSIM profile is written electronically to the built-in chip.
Has your mobile phone number been stolen?
If text messaging, cell phone calls and mobile data connections suddenly stop working, this can be an indication that the phone number has changed hands. However, it is more likely that you are simply in a dead zone or that the mobile network is experiencing a technical malfunction.
It is more obvious when you suddenly cannot access various services or notice unusual transactions on your account. Since many attackers operate at night, victims often don’t notice the problem until the next morning, by which time it is usually too late.
How to protect yourself from SIM swapping
When protecting against SIM swapping, many tips apply that also help with other scams on the Internet:
Use an up-to-date operating system with the latest security updates and, where it makes sense, antivirus software.
Do not use a single password for different online services, but use an individual code for each, which is also sufficiently long and complex.
Enable two-factor authentication in addition to using secure passwords.
Check occasionally whether there has been a data leak at one of the services you use and your data has got into the wrong hands. The Identity Leak Checker from the Hasso-Plattner-Institute and haveibeenpwned.com can help with this.
Beware of phishing emails: reputable companies, especially banks, never ask their customers to disclose personal data via a link in an email.
Mobile operators have also taken precautions after the first cases of SIM swapping emerged in Germany. Telekom, for example, has been offering identification by voice (voice ID) since the summer of 2018; at Telekom, Vodafone and o2, a special customer password is mandatory when calling the customer hotline. Use these options.
Where possible, it is also recommended to choose another method for two-factor authentication, such as FaceID or a YubiKey, instead of SMS or a phone call.