What do Twitter CEO Jack Dorsey and pop star Selena Gomez have in common? Aside from being household names, both celebrities are victims of SIM swapping, a nefarious type of cell phone fraud that’s on the rise.
A SIM card is that little rectangular chip, or integrated circuit, inside your phone which stores your phone number and other details identifying and verifying the mobile device as yours. While “SIM swapping” and “SIM jacking” sound like crimes in which someone removes your SIM card and replaces it with their own, that’s not what this type of attack involves.
“SIM swapping is the name for the crime where someone convinces your phone carrier to transfer your SIM to a phone controlled by the criminal,” explains Steven Weisman, law professor at Bentley University and author of the book Identity Theft Alert. “Through SIM swaps, criminals can then reset passwords of online accounts and request authentication codes be sent to their phones, which will render many extra security measures useless.”
In other words, in a SIM swap attack, a scammer remotely hijacks your phone number and sets it up on another device to steal your mobile identity. The ramifications of this can go far beyond simply putting your phone out of commission. In the worst-case scenario, controlling your SIM card gives the thief access to all of your personal accounts.
How is this possible? By now, you may have become accustomed to using two-factor authentication to log in to sensitive web services like financial and health care accounts. When you reset a password or log in from a new device, you often get a text message providing a PIN that’s needed to complete your request. Imagine all of those text messages going to a thief instead of you. With your SIM, the attacker would be able to access every account that’s tied to your phone number.
SIM swapping is becoming a big deal: Annual complaints and total losses nationwide have been steadily increasing over the past five years. The FBI’s Internet Crime Complaint Center uncovered a group of cyber scammers who single-handedly targeted hundreds of victims and made off with $40 million in stolen funds through such attacks.