SIM swapping attacks

A SIM swap attack is when your phone number is transferred to someone else's SIM card without your knowledge, giving them access to your personal information.

What it is

SIM swapping, also known as SIM porting or SIM hijacking, is where an attacker tricks your mobile phone provider into transferring your phone number to their SIM card without your knowledge.

How it works

First, an attacker will try to get hold of private information that they can use to impersonate you, like your date of birth and address. For example, they could find details about you from:

  • your social media accounts
  • private information that's been leaked
  • information that's publicly available online.

The attacker will then contact your mobile phone company pretending to be you, and if they've found out the right type of information, they'll use it to answer any security questions the provider asks. Then they'll ask to have your mobile phone number transferred to their SIM card. Once they've done that, they can access your text messages and voicemail, all without you knowing.

This kind of attack brings a lot of risk with it.

If an attacker gets access to your text messages and voicemail, it would give them access to a lot of personal information they could use to perform sensitive tasks. For example, if they can find out or guess the password for any of your other accounts, like your email or bank account, they could:

  • change your passwords, denying you access to your accounts
  • authorise financial transactions from your bank accounts.

And, if you're using text-based two-factor authentication (2FA) as an extra layer of protection on any other accounts, they'll be able to see the access codes and use them to get into those accounts.

Steps to SIM swapping

SIM swapping attacks diagram

  1. Attacker calls the target's mobile provider and requests that the target's mobile number is transferred.
  2. Number is transferred to a different SIM, with the target unaware.
  3. Attacker tries to access the target's account, either using stolen credentials or requesting a password reset.
  4. The 2FA code is sent via SMS to the attacker, and they can access the account.
  5. Target only becomes aware when their phone is disconnected or they're locked out of an account.
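The five steps above form a timeline a service can check for on its own side: an SMS code requested shortly after the same number moved to a new SIM is the pattern in steps 2 to 4. The following is an added example, not code from the original page; it assumes constructed event records (a number-transfer notice, a password reset and an SMS code) and a hypothetical 72-hour risk window, and flags SMS codes that fall inside that window so the service can step up to a non-SMS second factor instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str      # "sim_transfer", "password_reset" or "sms_code"
    number: str    # phone number the event concerns


# Constructed sample events modelled on the five steps (not real data):
# number 1 is transferred, then a reset and an SMS code follow minutes later;
# number 2 had a transfer eleven days before its SMS code (normal SIM replacement).
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 9, 0), "sim_transfer", "+64210000001"),
    Event(datetime(2024, 5, 1, 9, 12), "password_reset", "+64210000001"),
    Event(datetime(2024, 5, 1, 9, 13), "sms_code", "+64210000001"),
    Event(datetime(2024, 4, 20, 9, 0), "sim_transfer", "+64210000002"),
    Event(datetime(2024, 5, 1, 10, 0), "sms_code", "+64210000002"),
]

# Hypothetical window: codes sent this soon after a transfer are treated as risky.
RISK_WINDOW = timedelta(hours=72)


def find_risky_codes(events, window=RISK_WINDOW):
    """Return (number, timestamp) for every SMS code that was sent within
    `window` after that same number was transferred to a new SIM."""
    transfers = [e for e in events if e.kind == "sim_transfer"]
    risky = []
    for code in events:
        if code.kind != "sms_code":
            continue
        for t in transfers:
            # Only transfers that happened before the code, and recently, count.
            if t.number == code.number and timedelta(0) <= code.ts - t.ts <= window:
                risky.append((code.number, code.ts))
                break
    return risky


def delivery_channel(number, events, window=RISK_WINDOW):
    """Pick how to deliver a 2FA code right now: avoid SMS for a number that
    was recently transferred, so a hijacked number cannot receive the code."""
    for e in events:
        if e.kind == "sim_transfer" and e.number == number:
            if timedelta(0) <= datetime(2024, 5, 1, 12, 0) - e.ts <= window:
                return "authenticator_app"   # step-up: do not use SMS
    return "sms"


if __name__ == "__main__":
    for number, ts in find_risky_codes(SAMPLE_EVENTS):
        print(f"SMS code to {number} at {ts} followed a recent SIM transfer")
```

In `delivery_channel` the "now" is fixed to a constructed timestamp so the example runs offline; a real service would use the current time.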