SIM hijacking, or ‘SIM-jacking’, is a dangerous new way that fraudsters can steal from people by secretly taking control of their phone numbers, according to an article published on inews.co.uk.
In a growing trend, thieves are exploiting the ability of mobile service providers to ‘port’ a phone number between different SIM cards.
Normally this is a useful function. If a customer loses or breaks their phone, they can buy a replacement, and ask their mobile service provider to port their original phone number to the new phone. The provider will ask for some security information to make sure the caller is genuine, before seamlessly sending the phone number to the new SIM card.
But a series of high-profile SIM-jacking cases – including that of Jack Dorsey, CEO of Twitter – has uncovered how fraudsters can use phone number porting to gain access to people’s personal information and steal thousands of pounds.
How does SIM-jacking work?
First, the fraudsters have to gather the security information needed to port their victim’s phone number. They can do this by:
- Sending phishing scam emails
- Bribing employees at the victim’s mobile service provider
- Convincing you to give it to them directly by gaining your trust
Once they have the security information or passwords they need, fraudsters will phone the victim’s mobile service provider, impersonate the victim, and convince the provider to “port” the victim’s phone number to a new SIM card.
The victim’s phone will then lose its network connection, and any texts and calls intended for the victim will be received by the fraudster’s phone instead.
The Top Three Simjacker Exploits
More than 1 billion mobile subscribers worldwide are potentially exposed to Simjacker attacks, and the results could be devastating. Simjacker can be used for:
- Location tracking. A hacker can use Simjacker to trace a victim’s location and movements without the victim’s knowledge. The hacker sends an SMS message that instructs the SIM card to request the location. The hacker’s phone then receives a code showing the local cell ID of the victim’s phone, enabling the hacker to determine precisely where the cell ID is currently located. The victim’s phone shows no indication that it is being hacked.
- Call fraud. Simjacker can also be used along with fraudulent practices to steal money and valuable data from the victim. In this exploit, the hacker’s SMS code instructs the victim’s phone to place a call. The victim’s phone displays a notification text, asking the user to perform an innocuous action, such as tapping OK to continue. When the victim taps OK, the victim’s phone calls the hacker’s phone. In this way, the victim can be tricked into calling an expensive fee-based number.
- Browser exploit. In potentially the most damaging exploit, a hacker’s SMS message can instruct the victim’s phone to open a website that contains malware. The hacker can then use social engineering to trick the victim into downloading the malware, or the malware could download automatically.
Why do fraudsters do it?
Hijacking a SIM card is the first step that fraudsters need in order to get access to their victim’s money and personal information.
If you forget a password for your email or bank account, those companies will often text you a security code as part of a verification process to reset the password.
But once scammers have hijacked a SIM card, they can have those security codes sent directly to them – allowing them to reset their victim’s passwords, and access their social media, bank, and email accounts.
They can then begin withdrawing money and stealing private information from their victim.
How do I prevent it from happening?
If you are concerned about SIM-jacking, you can call your mobile service provider and ask them to add extra security to your account – like requiring a PIN code to make changes to your details.
People should make sure that every account they have – email, bank, social media, online shopping – has a strong and unique password. This will make it harder for fraudsters to access all your accounts, even if they manage to hack into one.
You should avoid sharing too many personal details on social media. Determined fraudsters can often find many of the security details, like dates of birth and addresses, by looking through a victim’s social media.