SIM SWAP – SECURITY TIPS

The Impact of the Scam

The victims of a “SIM swap” scam lose access to social network accounts, where scammers can publish false investment opportunities; requests for an urgent money transfer, or any type of “bait” to lead people to transfer them money through, generally, through Pix. On top of that, people lose access to their personal accounts and cell phone number. It is even possible to invade bank accounts and other financial applications.

For the entire attack to take place, the criminal has no need to have direct contact with their victims. Thus, it is quite a stealthy method.

Stealing the Phone Number

The SIM Swap scam, in short, can be understood as cloning a phone number by transferring it to a new SIM card. Cloning a chip number is a legitimate process, which mobile operators can do. Bandits, however, when have access to a user’s personal data, take advantage of the situation. To complete the SIM swap, a scammer:

• A blank chip must be obtained
• Using data from the potential victim, criminals call the operator and pass themselves as off their victims to request the activation of the new chip. They usually claim that the previous chip was lost or stolen
• Without imagining that it is a scam since the necessary data has been confirmed, the operator activates the cell phone number on the new SIM card
• Then, the attacker proceeds to access to the victim’s calls, SMS messages and saved passwords

Invading Accounts

To configure the victim’s social networks on his phone, the criminal uses the “reset password” option. If the victim has configured the layer of security called “two-factor/two-step authentication”, a verification code will be sent to the registered phone number. It is at this time that the bandit manages to “clone” the social network accounts.

Obtaining Personal Data

SIM Swap happens, in general, when the criminal is directly or indirectly infiltrated in the mobile operator or through social engineering.

In the first case, he can co-opt internal employees to provide user data or the scammer himself working at the operator.

In the case of social engineering, the criminal contacts people by posing as an official company or organization. Under a series of pretexts, he asks the user to provide some confidential data and, if he does so, the SIM Swap scam will be carried out successfully.

Another possibility is when users have leaked data on the network. Criminals often access the deep web so that people can illicitly provide a large database, giving the scammer the condition to apply chip cloning. The second indication is when all existing applications on the cell phone are suddenly disabled.

Protection

Protection begins by being careful with personal data, such as ID and CPF numbers, full name, date of birth, address, parents names etc. Having strong passwords (long, with UPPER and lower case letters, symbols and numbers) will make it harder for the criminal’s to penetrate the victim’s device. Furthermore, adding several layers of protection is also good: password, two steps identification procedures, use of biometric data to confirm fundamental changes etc.

Avoiding phishing attacks is also important. This is a method that uses messages, normally e-mails, to hack people and businesses and steal data. People must pay attention to the sender’s e-mail address, as it is possible to find some suspicious elements that characterize phishing. Use tools on computers and mobile devices, such as antivirus and firewalls. Finally, never click on links of dubious origin.

Discover If Your Phone Number is Being Used

To fight other types of scams, mobile operators have developed a web page that allows people to discover if their personal data was used by other individuals to register a new pre-paid phone line. Normally, criminals use the victim’s CPF number to do that. To discover, the CPF’s holder must access the Cadastropre page.

Source: Clear Sale; UOL; Folha de SP [1], [2].