My SIM card was hacked

Since practically everyone now has a cell phone or smartphone and always carries it, mobile devices are increasingly used to verify personal identity, especially for online services. To do this, a one-time passcode is sent to the user's cell phone by SMS or voice call. The user then enters the code on a website or in an app to authenticate, either as one factor of multi-factor authentication (MFA) or to recover an account.

This is user-friendly and supposedly secure. But the fact that most users have their cell phone number linked to bank, email and social media accounts also attracts attackers. Anyone who takes over someone else's cell phone number by SIM swapping can use it for a range of criminal purposes: the attacker receives all SMS messages and calls intended for the victim, can send text messages in the victim's name, and can make calls at the victim's expense, for example to pay for services abroad.

He is also able to take over (almost) the victim's entire online presence by hijacking accounts that allow authentication via the phone number (e.g. Twitter) or password recovery via SMS, including, for example, Gmail, Facebook or Instagram. Prominent victims include Twitter co-founder and CEO Jack Dorsey and actress Jessica Alba: their Twitter accounts were hijacked via SIM swapping and then used to post offensive messages on the platform.

It becomes expensive if the victim uses the mTAN or smsTAN procedure to approve online transfers, i.e. the bank sends the transaction number (TAN) to the customer by SMS. If the attacker also has the victim's online banking credentials, he can empty the account from the comfort of his own home. A report from the Central Office Cybercrime Bavaria (Zentralstelle Cybercrime Bayern) documents that this method is used not only across the pond but also in this country: in mid-2019 they arrested a trio of criminals who had obtained access to at least 27 third-party bank accounts by SIM swapping and made transfers from them.

How SIM swapping works

The preferred method for hijacking a cell phone number is known as SIM swapping, SIM swap or SIM hijacking. It is usually carried out via the customer portal or the customer hotline of the mobile phone provider. There the attacker pretends to be the victim and requests a new SIM card, for example because the phone and SIM card have supposedly been lost or because the card format no longer fits a new smartphone. Alternatively, he cancels the contract and requests that the number be ported to a new provider.

In both cases it is of course not enough to state the mobile phone number alone; the attacker has to provide additional personal information about the victim, such as date of birth, address or customer password, data that he has gathered from social networks (social engineering), obtained via phishing emails or bought on the darknet. When calling the provider's service center, a little persuasion combined with more easily obtainable data can be enough for the employee to carry out the change request even though the caller has not been properly identified.

With conventional SIM cards the attacker then still has to get hold of the physical card, for example by intercepting the letter from the provider or by giving a different delivery address. This is easier with an eSIM, which the last two generations of Apple and Google smartphones support: here the built-in chip is simply provisioned electronically with the eSIM profile.

Has your cell phone number been stolen?

If you suddenly can no longer send SMS, make calls or use mobile data, this can be a sign that your phone number has changed hands. It is more likely, however, that you are simply in a dead zone or that the cellular network has a technical fault. If in doubt, contact your provider through another channel (the customer portal or a landline) and ask whether a SIM replacement or number porting has been requested for your number.

It is clearer if you suddenly can no longer log in to various services or notice unusual activity on your accounts. Since many attacks are carried out at night, the problems are often only noticed the next morning, by which time it is usually too late.

How to protect yourself from SIM swapping

When it comes to protecting against SIM swapping, many of the tips that also help against other scams on the Internet apply:

  • Use an up-to-date operating system with the latest security updates and, where it makes sense, antivirus software.

  • Do not use the same password for different online services; use an individual one for each that is sufficiently long and complex.

  • Enable two-factor authentication in addition to a secure password. Where a service offers it, prefer an authenticator app or a hardware token over SMS codes, since SMS codes are exactly what a SIM swap intercepts.

  • Check occasionally whether any of the services you use has suffered a data breach and your data has fallen into the wrong hands. The Identity Leak Checker from the Hasso Plattner Institute and haveibeenpwned.com provide this information.

  • Beware of phishing emails: reputable companies, especially banks, never ask their customers to reveal personal data via a link in an email.

The mobile network operators have also taken precautions after the first SIM swapping cases in Germany. Telekom, for example, has offered voice identification (voice ID) since summer 2018, and Telekom, Vodafone and o2 require a special customer password on the customer hotline. Take advantage of these options.
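The SMS passcode flow described at the start of the article, with the hardening that the relying party (the bank or online service that sends the codes) can add on its own side, as an added example that is not part of the original article: the code is stored only as a salted HMAC, expires, is single-use, stops after a handful of wrong guesses, and is not sent at all while the SIM behind the number has recently been replaced or ported, the situation a SIM swapper creates. The `last_sim_change` lookup is an assumption standing in for a carrier-provided SIM-change check, `send_sms` stands in for the SMS gateway, and the phone numbers, clock and timestamps in `demo()` are constructed.

```python
# Added example, not code from the original article. The SIM-change lookup and
# the SMS gateway are injected stand-ins (assumptions), so it runs offline.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300                 # a code is valid for five minutes
MAX_ATTEMPTS = 5                      # then the code is discarded
SIM_CHANGE_HOLD_SECONDS = 72 * 3600   # no SMS codes within 72 h of a SIM change or port


@dataclass
class PendingCode:
    digest: bytes       # salted HMAC of the code; the code itself is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    def __init__(self, last_sim_change: Callable[[str], Optional[float]],
                 send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._last_sim_change = last_sim_change  # phone -> epoch of last SIM change, or None
        self._send_sms = send_sms
        self._now = now
        self._pending: Dict[str, PendingCode] = {}

    def request_code(self, phone: str) -> str:
        """Send a fresh code, or return 'held' if the SIM behind the number just changed."""
        changed = self._last_sim_change(phone)
        if changed is not None and self._now() - changed < SIM_CHANGE_HOLD_SECONDS:
            # An SMS would now reach whoever holds the new SIM, which is exactly what
            # a SIM swapper is after. Hold the channel and fall back to a non-SMS route.
            return "held"
        code = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[phone] = PendingCode(
            digest=hmac.new(salt, code.encode(), hashlib.sha256).digest(),
            salt=salt, expires_at=self._now() + OTP_TTL_SECONDS)
        self._send_sms(phone, f"Your code is {code}. Never share it, not even with us.")
        return "sent"

    def verify(self, phone: str, code: str) -> str:
        """Return 'ok', 'expired', 'locked' or 'wrong'."""
        pending = self._pending.get(phone)
        if pending is None:
            return "wrong"
        if self._now() > pending.expires_at:
            del self._pending[phone]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[phone]           # stop online guessing of a six-digit code
            return "locked"
        candidate = hmac.new(pending.salt, code.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(candidate, pending.digest):   # constant-time comparison
            del self._pending[phone]           # single use
            return "ok"
        return "wrong"


def demo() -> Dict[str, object]:
    """Run the article's scenarios against constructed numbers, clock and SMS sink."""
    clock = [1_700_000_000.0]
    outbox = []
    stable, swapped = "+491700000001", "+491700000002"
    sim_changes = {stable: clock[0] - 400 * 24 * 3600,   # SIM untouched for over a year
                   swapped: clock[0] - 2 * 3600}         # SIM replaced two hours ago
    svc = SmsOtpService(sim_changes.get, lambda to, text: outbox.append((to, text)),
                        now=lambda: clock[0])
    results: Dict[str, object] = {}
    # A user on a long-stable number gets a code and can redeem it exactly once.
    results["stable_request"] = svc.request_code(stable)
    sent_code = outbox[-1][1].split()[3].rstrip(".")
    results["stable_verify"] = svc.verify(stable, sent_code)
    results["replay"] = svc.verify(stable, sent_code)
    # The freshly swapped number gets no SMS, so the attacker has nothing to intercept.
    results["swapped_request"] = svc.request_code(swapped)
    results["sms_sent"] = len(outbox)
    # A code older than its lifetime is rejected.
    svc.request_code(stable)
    clock[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify(stable, "0")
    # Online guessing is cut off after MAX_ATTEMPTS wrong codes.
    svc.request_code(stable)
    results["guessing"] = [svc.verify(stable, "0") for _ in range(MAX_ATTEMPTS + 1)][-1]
    return results


if __name__ == "__main__":
    print(demo())
```

The hold period is the design decision that matters here: a service that keeps sending codes to a number whose SIM was replaced an hour ago hands the attacker exactly the factor the article describes, whereas holding SMS for a few days and routing the user to a verified email address or an authenticator app costs a legitimate customer who really did replace a lost SIM only a short delay. The digit count, lifetime and attempt limit are conventional values, not taken from the article.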

  1. Admin rights
    No assignment of administrator rights to employees
  2. Documentation
    Complete and regular documentation of the IT

IT security begins with sensitization and training of employees as well as clear communication of the internal rules of conduct for information security:

  3. Secure passwords
    Complex passwords made up of upper and lower case letters, numbers and special characters, at least eight characters.
  4. Password theft
    Never pass on or write down confidential data.
  5. Email security
    Sign emails, encrypt sensitive data, be careful when opening email attachments and links.
  6. Social manipulation
    Handle confidential information consciously and pass it on only to authorized persons; do not let yourself be manipulated or eavesdropped on.
  7. Be careful when surfing the internet
    Not every link leads to the desired result.
  8. Use only the latest software
    Software that is not updated leaves more security holes open.
  9. Use of your own software
    Follow company guidelines and never install software of questionable origin.
  10. Company guidelines
    Use only permitted data, software (apps) and applications.
  11. Backups
    Regularly save operational data on a network drive and back up data on external data carriers.
  12. Theft protection
    Protect mobile devices and data carriers from loss.
  13. Device access
    Do not pass devices on to third parties, do not leave mobile devices unattended and lock workstation PCs when leaving.

The organizational structures in the background form the necessary framework for IT security. Here it is important to formulate clear rules and to adhere to them:

  14. Security guidelines
    Definition and communication of security guidelines
  15. Access rights
    Regulation of access rights to sensitive data
  16. Software updates
    Automatic and regular distribution of software updates
  17. Log files
    Review of the log files
  18. Data backup
    Outsourcing of data backup
  19. Security analysis
    Regular review of the security measures through internal and external security analyses
  20. Contingency plan
    Creation of a contingency plan for responding to system failures and attacks

A minimum standard must be guaranteed at the technical level. For the most part, this can be implemented without great expense:

  21. WLAN usage
    Documentation of WLAN use, also by guests
  22. Firewalls
    Protection of the internet connection through firewalls
  23. Biometric factors
    Use of access protection / passwords / biometrics
  24. Access control
    Physical security / access control and documentation
  25. Protection against malware
    Protection against malware both on the end device and on the Internet gateway, ideally through two different anti-virus programs
  26. Web access
    Definition of a structured regulation of web access
  27. Encryption
    Encryption to protect files and messages with sensitive content
  28. Secure deletion
    Secure deletion of data when decommissioning
  29. Update of the security systems
    Ensuring regular updates of the security systems
  30. Monitoring
    Permanent monitoring of the network traffic for abnormalities