- 25 Jul 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
An Overview of SIM Hijacking
- Updated on 25 Jul 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
SIM hijacking is a cyberattack that can cause victims a lot of headaches. It became notable enough for law enforcement agencies, such as the FBI, to issue warnings about SIM hijacking.
This client guide will explain what SIM hijacking is, and how you can protect yourself from this cyber attack.
What is SIM Hijacking?
SIM hijacking occurs when cybercriminals take control of the SIM card controlling a victim’s phone number. Cybercriminals have two primary methods to perform such an attack. First, they can social engineer a mobile provider support representative and request the targeted phone number be transferred to a SIM card under their control.
Another common attack method is to hack into a victim’s mobile carrier account and do a phone number “port.” This moves the phone number from the victim’s account to the attacker’s mobile account of their choosing.
Once the mobile phone number is in an adversary’s possession, cybercriminals can route calls and texts to devices that they control. This can give them access to email accounts, bank accounts, and cryptocurrency accounts to reset passwords and reroute two-factor authentication codes.
How Can I Protect Myself?
- Use a SIM PIN – A SIM PIN is one of the most effective ways to protect your SIM card if cybercriminals have physical access to your lost or stolen phone. A SIM PIN prompt appears anytime the phone is restarted or whenever the SIM card is inserted into a new phone.
- Use an Authenticator App – Apps such as Authy, Google Authenticator, 1Password and others use a six-digit code from the authenticator app, eliminating the need to text codes. Use the authenticator app for all providers that allow them. Many financial institutions do not allow the use of authenticator apps, in which case email authentication is the best choice. (To learn how to set up Google Authenticator and Authy, please watch this on-demand webinar.)
- Use a PIN for Your Mobile Provider Account – Mobile providers typically allow you to create a PIN for use when you want to access your account. If a SIM scammer does not know your mobile provider account PIN, the provider should not provide the scammer with any account information.
To learn how to perform these tasks, please consult our Wireless Carrier Security client guide.