Do you know that you can become a victim of identity theft and even lose your life savings within a few hours through a SIM port or SIM swap attack? SIM porting fraud is increasing by 50% every year and is a cause of worry for many Australians.
Independent cybersecurity researcher Troy Hunt said that identity theft, SIM porting and SIM swapping are happening too frequently in Australia.
Why Should You Be Worried?
Anything and everything can go wrong, and you could lose a fortune to scammers, as happened to Mr. Walkington, a telecommunication union official who lost $12,000 to SIM port fraud. The fraudsters called Telstra and had them port his number to another carrier.
He wasn’t the only one affected: the hackers used his social media accounts to scam friends and family too. Another victim, a businessman, and his wife lost $16,000 after a SIM port attack in which the attacker ported their SIM from Optus to Telstra.
What Is Fraudulent SIM Porting?
This is when a scammer calls a telco (e.g. Telstra or Optus), pretends to be you by providing personal details about you, and has your phone number transferred to another carrier.
This happened to Mr. Collins, who woke up to a text from Vodafone telling him of his successful SIM port. The problem was that he hadn’t initiated any SIM port. He later checked his bank account and found it empty.
What Is Fraudulent SIM Swapping?
SIM swapping is quite similar to SIM porting. The difference is your number is being swapped to another number on the same network provider.
When this is done fraudulently, the attacker gains access to your mobile number, which means they can hack into your online accounts or even your bank account to steal money or vital information that can be used to blackmail you.
How Does a SIM Swap Attack Work?
It usually starts with the attacker gathering information about you by stalking your social media accounts, through social engineering, and/or through phishing schemes. In some cases, a customer care representative could be bribed to give out your information, or it could be bought on the dark web.
Information such as your mobile number, date of birth, pet names, and kids’ names can all be obtained through these means. Once they have this, they call your network provider pretending to be you and ask for a SIM swap. With persistence, they can get more hints from customer care staff until they can swap your SIM. Once this is done, you’ll notice your phone will go into “SOS” mode.
Once they gain access to your phone number, they can reset the passwords to your email and any other accounts linked to that number. If you’ve used your phone number to receive 2FA codes, they can use the “forgot password” feature to reset the passwords to your accounts. Read how Michael was scammed out of $24m through a SIM swap attack.
What Is Telstra Doing About It?
Now, when you want to port or swap a SIM, you have to provide a 6-digit code sent to the number you want to port from, or walk into their store with a valid ID.
This method, although more secure than only locking your account with a PIN, can be inconvenient. Sadly, that’s all you have against these hackers for now. Telstra gives more ways you can protect yourself if you find yourself in such a situation.
What About Optus?
For Optus, you can secure your account with a PIN that will be required if you want to perform a SIM port. They have also adopted Telstra’s approach and claim they are working on better ways to keep their customers safe from such attacks.
These measures aren’t enough. To avoid being a victim, ensure you do all the things in the list below.
How Can You Protect Yourself From Fraudulent SIM Porting or SIM Swapping?
- Disable all text-message (SMS) 2FA you’ve set up and use 2FA apps like Google Authenticator and Authy instead.
- Your SIM can’t be jacked if they don’t know your mobile number, so keep it off the internet and out of the public eye as much as you can.
- Take note of any unsolicited messages, emails, and calls, and don’t give out your personal information to a stranger.
- Enable a PIN or password on your SIM cards, so that when you or a hacker wants to do a SIM swap, the PIN or password is required to proceed.
- Never use personal information such as your pet’s or kid’s name to answer your security questions. These types of answers are easy for a hacker to guess if they’ve been stalking you.
- If you notice “no service” or an attempt to withdraw money from your bank that you didn’t initiate, call your network provider or bank from another number and ask that your account or phone number be blocked immediately.
- Lock your letterbox. Identity thieves can try to get information about you by stealing your mail; locking it can prevent you from falling victim.
What to Do in Case You Suspect You Have Been Scammed
- Contact your cell phone provider immediately and notify them of the incident you suspect. This will help them block any transaction that the scammers might try to make.
- Report your incident to the Australian Competition and Consumer Commission’s Scamwatch. This website will help you recover any money that you might have lost in the hack or even help you track down the lost money or the scammer. Reporting your hacking incident here will also prevent future SIM port hacking or mobile phone SIM card hacks.
- Report the hack to your financial institution, your bank, or the police.
- Check your financial accounts for any unauthorised money transactions. If you notice any anomalies, report them to your banking institution.
- If you think your social security number may have been compromised, contact the relevant government institution or agency.
How to Know if Your Mobile SIM Card Has Been Hacked
Here are some warning signs to look out for if you suspect you have been SIM-swapped:
- Your social media page has posts that you never posted.
- You are notified by your cell phone carrier that they have activated your new SIM, although you didn’t make such a request.
- You can’t make any phone calls or send messages from your phone.
- You can’t log into your accounts.
Mobile phone SIM card hacking is really difficult to protect against since it relies on social engineering. This means that it exploits the human element, like emotions and the desire to be helpful.
Although some technical defence mechanisms, like two-factor authentication codes generated by an app, might protect against blank SIM card or SIM hacking, the user also needs to protect their personal data to avoid being hacked.