Critical Path Security guidelines for defending against the increasingly common SIM swap attack.

So what is a SIM swap attack? A SIM swap attack is when a criminal tricks a customer service representative at a cellular service provider into reassigning the victim's phone number to a phone that the criminal controls. Once the number has been moved to their phone, they receive the text messages that many online services and apps use as a second form of verification when resetting passwords. Then they can log in to your bank accounts, email and social media.

Who should be concerned? Everyone. Recently, Jack Dorsey, the CEO of Twitter, was a victim, so it can happen to anyone!

What can I do to protect myself? The first thing you should do is contact your service provider and add a PIN to your account. This prevents a criminal from masquerading as you and changing devices, or even changing who can access your account. Second, you should review your online services and apps containing sensitive information to see if they have multi-factor authentication (MFA) options that are more secure than SMS text messages. Critical Path Security recommends using MFA solutions such as Google Authenticator, Duo and others that do not rely solely on your phone number.

Multi-Factor Authentication Utility Comparison

Limit the amount of personal information you share online. Criminals will research you to find personal details, such as important dates and names, that they can use to build trust with the customer service rep who ultimately holds the keys to your SIM. So avoid using those special dates as PINs!

If you're a victim of a SIM swapping attack, you should contact your cell phone service provider to take back control of your phone. After that, you must change every password that you have. Check with your bank and credit card providers for fraudulent charges, and file a report with your local police department. We are always happy to answer questions, so if you have any, send us an email.
