What is SIM swapping and how to defend yourself

SIM swapping or swap is an attack technique that allows cybercriminals to steal a user's phone number and access certain online services that use the phone number as an authentication system.
This is how to defend yourself.

A SIM card (Subscriber Identity Module) is a plastic card with an integrated chip that securely stores certain data from your mobile phone, such as your phone number, address book, settings, and text messages.

When you purchase service with a mobile phone provider, you receive a SIM card to be installed on your smartphone. Once installed and activated, the smartphone is ready to receive calls, data, and SMS messages.

Ogni SIM card ha la sua data di scadenza, e in genere la validità è di 12 mesi dal giorno dell’attivazione o dall’ultima operazione di ricarica. Let's see in which cases you may need a duplicate of your SIM card:

• When the SIM card deteriorates and stops working.
• When you lose your cell phone or it is stolen, and you buy another one.

• When you change your smartphone and the new one requires a different SIM card format.

Quando il tuo operatore emette un duplicato, di solito annulla la SIM card vecchia, anche se in alcuni casi le mantiene entrambe attive, come ad esempio quando vuoi usare lo stesso numero di telefono in un altro dispositivo (un altro smartphone, un tablet, un computer portatile, la tua auto, ecc.).

This procedure depends on each mobile phone provider and, generally, you will be asked to identify yourself to verify that you are actually the customer with whom that phone number is associated before the new SIM card is issued.

 

A SIM swapping attack is a type of fraud that affects mobile phone operators. 

Through deception, cybercriminals impersonate the legitimate customer and obtain an unauthorized duplicate of his or her SIM card.

The term "swapping" is used as a reference to the exchange of cards: cybercriminals manage to "swap" the SIM card by deactivating the original SIM in the customer's possession and replacing it with the one delivered by the operator. 

Once in possession of the duplicate SIM, cybercriminals take control of your phone number and carry out fraudulent transactions with companies, banks, and organizations where the smartphone serves as a means of notification or confirmation for transactions, such as receiving passwords via SMS messages. 

They can also manipulate our social channels and other applications (e-mail, etc.), for which the username or mechanism for recovering forgotten passwords is linked to our mobile phone number. They can also access messages, steal accounts, and change passwords to prevent you from regaining control of them.

 

SIM swapping fraud does not affect all mobile operators equally, since it depends on the security of customer identification processes when requesting a duplicate SIM card and the dexterity of criminals in falsifying identity documents and deceiving customer service operators.

In some cases, the personal data required by the operator to issue the duplicate is obtained even earlier, directly from the legitimate user, through the phishing technique.

Once the SIM card of your smartphone has been duplicated, they will be able to receive your SMS (including those sent by your bank to verify a transaction) and intervene in the two-step authentication process. In doing so, they can change your passwords and make transactions using your bank accounts, such as requesting a loan or ordering wire transfers from your account to others under their control.

 

The most immediate and serious consequence of a SIM swapping attack is the deactivation of the legitimate user's phone line. You will no longer be able to make or receive phone calls with your mobile phone, you will have no mobile data, and you will not receive SMS messages. The line has been transferred to the new SIM in the possession of the cybercriminal.

Sometimes, it can take hours before you realize what has happened, since we access Internet data via a Wi-Fi connection, make phone calls via social media applications, are traveling in another country or in areas where there is no signal, or we simply have the smartphone in silent mode to not receive calls.

Therefore, it is very important to be attentive, in order to quickly identify the following signs:

• The line is interrupted: when you try to make a phone call from places with good coverage, you cannot get on the line, while other people with you can.
• Basic information is not displayed on the screen: the name of the operator, the signal-level indicator, and the type of network you have access to (5G, 4G, 3G...) disappear from the phone screen. 
• You get dropped calls and, when you try to call again, you realize you cannot.
• You have no data on your mobile phone when you are not connected to a Wi-Fi network.

In some cases, if your carrier offers this service, cybercriminals can also request a second SIM card for the same number, without deactivating the original one. That way, they can activate a second telephone in parallel with the same line.

In this case, even if you can make calls and have data, you will notice another type of strange behavior:

• SMS messages containing passwords: you receive an SMS with the passwords of your bank and you are not carrying out any operations;
• calls from strangers: you receive calls or have missed calls from people you do not know or from companies you have no dealings with;
• unusual billing: your carrier charges you for an additional SIM card on your monthly bill, or there is a major increase in the monthly amount, international calls, etc.
• new SMS notifications: you receive advertisements and notifications from companies you have no dealings with.

If one of the situations described above occurs, you are right to suspect that you are a victim of SIM swapping.

 

 If you have experienced a SIM swapping attack, it is important to act quickly to prevent cybercriminals from continuing to use your mobile phone line to commit fraud:

• Block the new SIM card: contact your telephone operator and ask for confirmation of the actual issue of a duplicate; in this case, immediately request the blocking of the fraudulent SIM and the issuance of a new one to recover your phone line as soon as possible: you will need it to verify your bank accounts, social channels, etc.
• File a complaint: if you realize that you have suffered an economic loss, consider the possibility of reporting it in person to the nearest police station, which can be consulted in the List of Points of Interest by the Police Offices (Police Headquarters and Commissariats). I criminali informatici potrebbero aver realizzato altre azioni (come il sequestro degli account sui canali social, la stipula fraudolenta di servizi, ecc.) e le aziende potrebbero richiederti una copia della denuncia per poter agire.
• Report the problem to your bank. Through the channels enabled to report these cases, ask your bank to check recent activity on your accounts and to block your cards.
• Check your most common accounts: verify that you still have access to your accounts, especially those for which you use your phone number as an identifier or as a channel to recover forgotten passwords. If you have lost access, re-create your passwords and contact the companies, so they can tell you how to proceed.

 

In most cases, a person is aware that they have experienced a SIM swap only when their mobile phone is already inoperative.

However, there are some actions you can take to avoid being a victim of SIM swapping:

• Contact your carrier to find out their procedure for requesting a duplicate of your SIM card and what data you need to provide. This will help you know what information a cybercriminal might need to get a duplicate.
• Learn to identify yourself and protect yourself from the techniques cybercriminals often use to obtain your personal data: phishing, vishing, smishing, pharming, ecc.
• Where possible, configure your social media and forum accounts so that your mobile number and other additional personal information are not publicly visible.
• Pay attention to paper documents, such as receipts, invoices, proofs of purchase, etc. Destroy them before throwing them away, especially if they contain personal data.