You’ve done the usual things to protect your sensitive accounts. You use a unique password. You have alerts sent to your phone. But a thief could still bypass all that with a simple “hack”—stealing your phone number from right under your nose. And now there’s a new variant of it in the wild.
What’s SIM jacking?
This attack is called SIM jacking, where someone transfers your phone number to a SIM card in their possession. Afterward, they break into your bank account (and any others that rely on phone calls or SMS for verification). They don’t need your password, either. It can be trivial to complete a password reset with access to those codes.
In this fresh spinoff on SIM swapping, attackers skip social engineering and head straight for your mobile account, as reported by Bleeping Computer. If they’re able to successfully plug in a leaked, stolen, or even guessed password, they can use a feature meant for easy phone switches—scanning a QR code—to transfer your number to their phone’s eSIM. Embedded SIMs can be found on many modern phones and are compatible with all major carriers, making such thievery less complex overall.
Previously, a successful SIM swap had to be performed by walking into a store or calling customer service, and then convincing an employee to make the switch. Alternatively, someone on the inside helped with the fraud.
You’ll know quickly if you’re the victim of SIM jacking: your phone will lose service, because your number is no longer associated with the SIM in your device.
How do I protect myself from SIM jacking?
To protect yourself from this new kind of SIM jacking, use a unique, random, and strong password for your mobile account. If available, also enable two-factor authentication (2FA) and/or set a PIN that is required for account changes. (Note: A PIN that blocks your number from being ported to a different carrier also helps your overall security, but it doesn’t protect against SIM swaps within your current carrier.)
Unfortunately, not all cell phone providers protect online accounts with 2FA, and these steps won’t thwart SIM jacking done through social engineering. So you’ll want to strengthen the security of your most important accounts, too. Use extremely complex (and long) passwords, enable software or hardware-key 2FA where available, and make sure the email account they’re tied to is also well secured.
Extra steps you can take include using a second phone number for SMS-based 2FA when it just can’t be avoided, or switching banks (and other services) to providers that do offer modern, proper 2FA. If you decide to get a second cell line, you can put an old phone on a cheap cell phone plan or use a Google Voice number. (However, Google Voice numbers aren’t supported by all services for SMS 2FA: because Google Voice is a VoIP service, some institutions ban its use to thwart potential fraud.)
But if you first shore up your password game and use stronger forms of 2FA, you’ll already be much better off. You can check out our suggestions for good password managers if you don’t already use one—and if you need a run-down on 2FA options, we’ve got a guide on that as well.