You\u2019re sitting at your desk, and you decide to make a phone call. You\u2019re choosing what to eat for lunch. You pick up your phone and decide you\u2019re going to text a coworker to see where to go. Unfortunately, you don\u2019t have a signal on your phone. You notice your phone displays an error stating there\u2019s no SIM card.<\/p>\n
This could be a minor error with your phone\u2019s software\u2014or it could be the beginning of an\u00a0extremely<\/i>\u00a0damaging cyberattack known as SIM swapping. At this point, a cybercriminal could be breaking into your bank account, email account, or online storage. And if you have access to critical systems for your business, such as a corporate bank account or access to the corporate social media accounts, the cybercriminal could easily start to ruin your business.<\/p>\n
Managed services providers (MSPs) and managed security services providers (MSSPs) in charge of their customers\u2019 security need to know how to deal with these attacks. While you can\u2019t completely eliminate the threat, there are steps you can (and should) take to stay safe. But first, it helps to understand how these attacks occur.<\/p>\n
SIM cards store basic information about the subscriber, such as their phone number, carrier information, billing information, and in some cases, address books and contacts (note that this isn\u2019t the case with some phones). Phone providers offer the ability to swap SIM cards for convenience\u2014if a customer loses their phone or if their phone was stolen, this allows the original owner of the phone to recover their phone number and transfer the service to a new device. However, cybercriminals can attempt to impersonate a phone owner, transfer their number to a new SIM card, then use this to break into personal accounts like banking or social media.<\/p>\n
SIM swapping often starts with the cybercriminal doing some reconnaissance to discover personal information they can use in the attack. A lot of the information they\u2019ll need is publicly available, like the victim\u2019s name, home address, and phone number. They can often get social security numbers or account user names by gaining information from previous mass data breaches. However, they may also try email and text phishing scams to get even more info.<\/p>\n
Once they have enough personal information, they call the cell phone service provider, claim to be you, and ask them to transfer your phone number to a new SIM card. Since the criminals have already done some upfront recon work, they can answer security questions well enough to successfully fool the support line for your phone provider. Not all SIM swap attacks involve impersonation, though\u2014sometimes an employee for the phone provider will\u00a0initiate the swap<\/a>.<\/p>\n At this point, they\u2019ll receive all phone calls and text messages to the phone using the transferred SIM card. This is where the bad stuff starts happening. If they have your credentials and need 2FA to get into an account, they\u2019ll receive the text messages and get in immediately (and don\u2019t forget\u2014with people often reusing passwords and credentials across accounts, getting someone\u2019s password can be way too easy). They can also use password resets on accounts and receive temporary codes via SMS to change your accounts.<\/p>\n After that, it depends on their goal. Some SIM swappers have stolen social media accounts, especially\u00a0Instagram accounts<\/a>, changed the personal info on the account to make it almost impossible for the original owner to recover, and sold the usernames to third parties. Some have broken into Instagram accounts of celebrities to leak personal photos. They could change your email account\u2019s password, then start compromising other linked accounts such as bank accounts or online shopping accounts. They could do all of this and start\u00a0extorting you for money<\/a>. One SIM swapper successfully stole over\u00a0$1 million USD in cryptocurrencies<\/a>.<\/p>\n These attacks are notoriously difficult to deal with. The weak link here is the phone provider, as they\u2019re the ones allowing the SIM swap to occur. However, there are still precautions you can take.<\/p>\n First, for any mobile device you\u2019re in charge of managing, meet with the mobile service provider and have them require a designated person to physically enter the store with proper identification before making a SIM swap. You should do this on your personal devices, too.<\/p>\n Second, remember that SIM swapping often kicks off another type of attack. Once someone has a customer\u2019s mobile device, they will use that to break into other accounts. Wherever possible, consider using an authenticator app like Google Authenticator or Authy instead of SMS-based 2FA. Some services offer these options while others don\u2019t. Additionally, you could consider using physical hardware tools for authentication, such as YubiKeys or other USB-based tools, which requires users to physically possess a separate authentication device to get into an account.<\/p>\n Third, keep your own security house in order. Request that any employees for your MSP or MSSP follow these guidelines on personal devices. Imagine what could happen if a tech on your team fell victim and the attacker ended up with access to your email or RMM system. That could spell bad news for your customers as well (and your business as a whole).<\/p>\n Finally, user-awareness training can add an additional layer of security. Teach employees to be on guard against email or text-based phishing attempts or any unrequested 2FA messages they receive. This could be the start of the recon phase, where the criminal attempts to gain enough information to kick off a successful attack. Additionally, train employees to recognize the signs of a potential attack, such as an inability to send or receive calls or text messages or a message that their SIM card is missing. It\u2019s worthwhile teaching them about authenticator apps like Google Authenticator so they\u2019re aware of the flaws of current authentication schemes and know to protect accounts where stronger 2FA options are available.<\/p>\n SIM swapping has become increasingly common over the past few years. This attack doesn\u2019t require sophisticated scripting\u2014it often requires just a little bit of background information on the victim to launch a devastating attack. However, with some upfront preparation, you can hopefully prevent the attack\u2014or at least minimize the damage.<\/p>\n Additional reading<\/strong><\/p>\n by Marco Muto, director, Business Development at SolarWinds<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" SIM swapping has become an increasingly common attack vector over the past few years. Marco Muto looks at what MSPs and MSSPs need to know to protect their customers.<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5541","post","type-post","status-publish","format-standard","hentry","topic-security"],"acf":[],"yoast_head":"\nProtecting your clients<\/h2>\n
Keeping your accounts safe<\/h2>\n
\n