Protection against SIM swap scam

The SIM swap scam is when an attacker contacts your mobile carrier and gets your phone number ported to their SIM card. Then all your SMS and phone calls will arrive at their phone. This can be done by social engineering (calling the carrier and pretending to be you and that you lost your phone) or simply by offering an employee money to help with the scam and swap the SIM. For that reason, 2-factor authentication using SMS is not as secure as other 2FA methods such as TOTP or hardware keys. Nevertheless, it is sometimes the only option offered.

So I’m wondering what’s the best way to prevent it?

Maybe having a second phone number that you use for important accounts but you don’t use elsewhere, so that an attacker will only know your normal number and therefore attempt to swap the wrong number?

Use VoIP and have a SIM only for data if you even need cellular data in the first place.

The best ways, I don’t know, but what I’ve heard are:

  1. Use a different one for your important accounts (recovery & 2FA); don’t use it for anything else.
  2. Have better authentication with your carrier; some carriers can challenge you with a PIN when you talk to them.
  3. eSIM, to prevent the SIM info from being copied when servicing the phone.
  4. SIM lock PIN, to make it harder in certain situations (without 3).
  5. Prepare to be able to recover your number quickly.

SIM swap scams are a real threat, and relying on SMS for 2FA is just asking for trouble. It’s one of the weakest forms of two-factor authentication out there, but hey, some services are still stuck in the stone age, offering it as the only option.

Your idea of using a second phone number isn’t bad, but attackers can still find ways to get that number if they’re determined enough; therefore the real solution is to ditch SMS 2FA entirely whenever possible.

You should use authenticator apps and hardware keys. Also, some carriers offer additional PIN protection for your SIM card; set that up to make it harder for attackers to port your number, and store/create recovery codes for your accounts.

How does that work? For example, it won’t work with Deutsche Telekom, because you can have only one active SIM. If you receive a replacement SIM, the previous one will be deactivated automatically. If you want to use multiple SIM cards at the same time, then you need to buy the MultiSIM option, which is not free.

Also, unless you are using some cheap provider or prepaid options, your SIM will be an eSIM. The activation code is only accessible from your account portal or via post.

SIM swapping is virtually non-existent in Europe (at least Northern EU) because we receive a new SIM card by mail when we change operator, even if we keep the same phone number.

Now of course someone could intercept your mail, but this isn’t trivial.


I guess you mean one active SIM (subscription) per person (identity). If someone uses multiple identities, which scammers might do, it is possible to get hold of multiple subscriptions/cards.

I’ll describe one method of what I imagine to be a viable SIM swapping attack, based on one experience of doing the same thing once not as an attack but as a legitimate customer.

An attacker could impersonate the victim’s subscription in order to gain control of the subscription. The attacker contacts operator B and claims ownership over the victim’s subscription at operator A: “I’m a customer of operator A with phone number xxx-xxxx-xxxx. I wish to leave operator A and join you. Can you please port my phone number to your company?” As long as the identity claimed by the attacker (either their own or the victim’s) doesn’t already have a subscription with operator B, this attack might work depending on how strictly the operators perform identity checks.

Whichever identity is used, the attacker receives a new SIM card and the victim’s SIM card will no longer work. If the attacker uses their own identity (unlikely I imagine), the victim can get a new subscription but may not be able to recover their original phone number. If the attacker uses the victim’s identity, the victim also has an identity fraud problem.

I guess this might mitigate SIM swapping attacks in which the attacker claims the victim’s identity, as long as the attacker cannot change the postal address the new SIM card will be mailed to. Does Deutsche Telekom do this?

Considering this risk, and assuming SMS-based 2FA is unavoidable, the following measures might be available. (Some of these were suggested by @Polymer7229)

  • Keep your phone number as secret as possible. (Not very practical if you have only one subscription, but if you can’t get another subscription then do this.)
  • Use an alternative phone number exclusively for 2FA and other important purposes, and keep it secret. (Subscribe with another operator if need be.)
  • Tell your operator(s) to lock your subscription(s).
  • Establish some kind of authenticated communication method with your operator(s), for example a PIN.

Deutsche Telekom and other operators use either a video call or identity verification apps. The apps require your physical ID card plus a video selfie. If you want to do manual identity verification, as when you first create your account, you need to prove your address first. To do that you need to give them your address registration document, signed by your regional administration office, and it must not be older than three months.

Another point: if you have a running contract, you can’t immediately move your number to another provider. You can make the request, but the move will happen after your contract ends, and you will get lots of emails, SMSes and legal documents by post in the meantime.

I recently started a port of my number from Public Mobile (a reseller of Telus in Canada) to a VoIP provider.

PM doesn’t have physical stores anyone can visit or a way to phone support; it’s all in their community and live chat. Just to log in and chat with support, a criminal needs my phone/SIM to respond to the SMS 2FA challenge.

Perhaps find out what steps your carrier requires for you to port your number.

Buy a hardware security key for services without TOTP. (Though slightly expensive, FIDO authentication is also less prone to phishing than TOTP.)

Then you can use it for e.g. Apple ID or Google Advanced Protection, which don’t support TOTP but only hardware keys.