- Home
- Techniques
- Mobile
- SIM Card Swap
SIM Card Swap
An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account [1] [2]. The adversary could then obtain SMS messages or hijack phone calls intended for someone else [3].
One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account [4] [5][6][7].
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
References
- New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016.
- Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018.
- Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016.
- Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.