Your mobile phone number is the key to so much of your life. It’s not just how people contact you; it’s how banks, social networks and any number of organisations you interact with actually verify you are who you say you are. So protecting your phone number and your SIM card is critical.

Reports published today on the ABC describe an Aussie who sadly fell victim to a SIM swapping scam, losing his Optus phone number and, as a result, thousands of dollars.

The problem is – if someone else has your physical phone, or, even worse – takes control of your phone number for them to use themselves, they can get those verification text messages and potentially do things like transfer money from your bank accounts, or log into websites or services that use an SMS message as a method of verification.

In the case of the poor fella reported on by the ABC, Townsville business owner Andrew Ryder, he was the victim of a “SIM SWAP”.

What is a SIM SWAP?

If you drop your phone off a bridge and can’t recover it – you need to go to your telco and get a new SIM card, and have your existing number put onto that SIM. There might be many other reasons why you choose to do a SIM SWAP, perhaps you’re keen to get an eSIM instead of a Physical SIM, or even the opposite.

Whatever the case, it’s perfectly acceptable for you to get a new SIM for your existing number.

In many cases this can be done online: log into your account and request that a new SIM card be sent out, or even get an eSIM in an instant via email.

How can Scammers use a SIM SWAP?

The problem starts when a scammer or hacker is already far deeper into your life than you realise. EFTM suspects this is exactly what happened to Andrew Ryder, though we can’t confirm it.

Let’s say a Scammer cracks into your email. They got your email and a random set of passwords you’ve used on different websites by accessing the millions and millions of records of personal data out there on the Dark Web.

By using that same password (yep, we know you are likely to be sharing that password across sites), they might get in with ease, or use patterns in your password to simply guess your new password.

Once in your email, they can essentially control anything. Like, for example, your Optus account? Attempt to log in with that password, no luck? Fine, we’ll use the Forgotten Password link. Yep, that gets sent to your email address, which the scammer has access to, and they can then reset your password.

When they are in your telco account, they can request that new SIM card. They can even update your address details. Most likely they’ll choose an eSIM, so there is no physical delivery that could reveal the hacker’s location.

Now that they have your NEW SIM card, they can log into other services, like – your bank.

How do banks protect you from new transfers of $10,000? They send an SMS verification code. And you know who’s getting that – yep, the scammer.

You got a text message on your phone during this process, but that was just a notification that the old SIM was being deactivated. There’s no way to add an authentication step here, because requiring a code from that old SIM card is pretty hard when it’s at the bottom of the harbour.

From here, the scam escalates, big time. Because now they’ll take your phone number to another telco, and regaining control of it is very, very difficult. This is a SIM PORTING scam, and it’s a real problem if it happens.

What is a SIM PORTING SCAM?

Essentially, the scammer takes your phone number, transfers it to another telco, completely out of your control and of course allowing them to reset any number of services and make a real financial impact on you.

How can I protect myself?

SIM porting is well regulated, and requires verification from the existing “owner” of the number – but when that number is already in the hands of a scammer, the verification is never seen by the original owner.

SIM swapping is not in and of itself a scam; it’s extremely unlikely to happen without some greater hack or fraud being committed first.

Most likely it is the result of someone stealing your identity and hacking your accounts.

Key recommendations I would make are:

  • Ensure you have two factor authentication (2FA) enabled on all your accounts: email, bank, social media.
  • Use different, strong and unique passwords for your bank, email and social media accounts.
  • Change your banking and email passwords regularly.
  • Do not ignore SMS or other communications from your banks or telcos – but interact with those companies via their own formal channels. Do not click links in SMS messages or emails.

What is the best Two Factor Authentication?

Honestly, SMS verification is too risky, and it has this SIM porting scam hanging over it as a permanent risk.

I recommend Authy – an app you can use to enable secure authentication for many things like email, banking and social media accounts. This app creates a new six-digit code every 30 seconds, and is a strong, secure way to protect your accounts.

Can’t the Telcos stop this?

The Telcos are doing everything they can to stop this, but in the end, this case wasn’t a telco issue – it was a user security issue.

For their part, an Optus spokesperson told EFTM: “There are protections to prevent unauthorised SIM-swaps and mobile phone porting, but SIM-swap and porting fraud can occur when criminals have stolen personal information, including passwords, and can use this to impersonate a customer to request a new SIM or initiate a port.”

In the specific case referenced here, Optus says: “Our customer care experts acted quickly when made aware of this issue and the customer has now regained control of their mobile number.”

The spokesperson went on to say: “Optus, along with the wider telco industry, continues to enhance existing protocols and controls to prevent unauthorised access to customers’ accounts and services.

We encourage customers to be vigilant about the security of their personal information, regularly change their passwords, not re-use passwords between multiple accounts, and be wary of sharing their personal details and identity documents.”

Stay safe folks, keep an eye on your SMS messages!