  • Questions & Answers About SIM Crimes

    What is a SIM?

    A SIM is the tiny, removable chip in a mobile phone that allows it to connect to the provider’s network. SIM is an acronym for “subscriber identity module” and is needed for your phone to make mobile phone calls, receive and send text messages, and use any service from your phone that connects to your mobile network, including apps that use the Internet. A SIM is an identity credential, a little like the passport you show to security before boarding an international flight. The real-world passport identifies and authenticates you to the security official. The difference with a SIM is that it is a “digital passport” that identifies and authenticates a phone to a mobile carrier’s network. To be clear, the SIM is not actually identifying and authenticating you, but rather it is identifying and authenticating a phone to a mobile network.

    A SIM is made up of a physical chip card, called a “SIM card”, that is inserted into your mobile phone, and a serial number that is unique to each SIM card. The official name for this serial number is “integrated circuit card identifier” (ICCID), but most people just call it the “SIM card number” or “SIM number”. Often terms like “SIM”, “SIM card” and “SIM card number” are used interchangeably.

    Your SIM card must be properly inserted into your phone and activated to your phone number by your mobile carrier in order to identify and authenticate your phone to their network.

    The SIM is either installed by your carrier (for example, if you buy your phone directly from AT&T or Verizon) or by a reseller (for example, if you buy your phone from Apple or BestBuy). Regardless of where you buy your phone, your mobile carrier (e.g. AT&T, Verizon, Vodafone, etc.) must “activate” your SIM card number to work specifically and exclusively with your mobile phone number. The mobile carriers store your SIM card number in your account in their database. Anyone with access to your mobile carrier’s account database can change the SIM number in your account.

    Find your SIM number

    For both iOS and Android, the entry titled ICCID is your SIM number.

    iOS go to: Settings > General > About
    Android go to: Settings > About > Status (or Phone Identity) > IMEI

    You can also usually find the SIM number printed directly on the SIM card, which generally requires taking the SIM card out of your phone to see it.


    SIM Swap
    Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size. There are different sizes of SIM cards.

    How many SIMs are there?
    Now in 2019, SIM cards are ubiquitous, allowing over 7 billion devices to connect to mobile networks around the world. According to the International Card Manufacturers Association (ICMA), there were 5.5 billion SIM cards manufactured globally in 2018 and the market for SIM cards is $5.43B. The rise of IoT and 5G networks is predicted to drive the growth of the SIM card market to over 20 billion cellular devices by 2020.

    Where can I learn more?
    See SIM Cards on Wikipedia to learn more about the history, use and variety of SIM cards or here for a blog post by Aeris on The History of the SIM Card: Where It’s Going and Where It’s Been.

    What is a SIM crime?
    A SIM crime is a type of identity theft that can have devastating consequences, even wiping out people’s life savings in minutes. It is an attack that generally involves one or more cybercriminals in cooperation with a mobile carrier. In a typical attack, a customer service rep at the mobile carrier changes the SIM number in the victim’s account to the SIM number of the physical SIM card in the criminal’s phone. Why would the mobile customer service rep give control of your service to a criminal?

    It’s generally one of a few reasons:

    1. Often the criminal bribes the rep directly and the rep accepts the bribe. The going rate could be from $100 to $1000 or more. Some criminals have paid $10,000 or more to get the actual user id and password of a store manager, enabling the criminal to simply log into the database themselves.

    2. Sometimes the criminals use “social engineering”, in which the criminal convinces the rep to do the SIM swap by stating personal info the criminal has gathered about the victim.

    3. Another way is that the rep may simply be lax in asking for identification.

    The criminals generally don’t try “only once on an occasional target”. Generally, the criminals are organized and methodical with target hit lists of customers they want to go after. Because of the very lax technical and administrative policies – and policy enforcement – by the carriers, SIM criminals can essentially SIM swap almost any mobile number they want. The customer service reps have the keys to our digital lives, much like a bank teller for your bank. Banks are bonded with insurance to protect a bank against criminal acts carried out by employees. Some states require blanket bond coverage as a condition of operating a bank. Similarly, StopSIMCrime believes that mobile carriers should also be required by law to protect consumers and businesses against SIM crimes.

    Once your carrier has given control of your mobile number to the criminal, they have complete control of your mobile service. So the hacker – and not you – will receive all calls and text messages to your phone number.

    Verification Codes and Two Factor Identification

    Many services such as banks, brokerages and social media services use text messaging to send you a verification code to confirm transactions like opening an account, withdrawing money or changing passwords. Your mobile phone is being used to authenticate the action. Sometimes you have already logged in to an account, but to make sure it’s really you, the bank or other service wants to authenticate you a second way, through a verification code to your phone number. This is called “Two Factor Identification”, also known as “2FA”.

    In a typical SIM swap, the hacker convinces a customer service or store representative with access to your mobile phone account to activate the hacker’s SIM to your phone number. At each of the major mobile phone companies — such as AT&T and T-Mobile in the US, or Vodafone and O2 in Europe — there are tens of thousands of customer support and store representatives with access to your phone account. Many of these representatives are honest and follow the rules. Many, however, are susceptible to bribery or trickery by hackers, or simply do not adhere to their company’s internal rules. In a SIM crime, also known as a “fraudulent SIM swap”, the representative activates the hacker’s SIM to your phone number, giving the hacker control of your digital life.

    Once the hacker controls your phone number, they can easily impersonate you with other service providers, such as with Gmail or other email providers, by using your phone number to change your password and then also taking control of your email. For example, they can go to gmail.com, type in your email and then click on “Forgot Password”. Then Google would send a text message verification code to your phone number – which the hacker receives instead of you. The hacker types the verification code into the Gmail password reset page, and voila, they are now in your email and will likely change your email password, locking you out.

    Once the hacker has control of your phone (for text verifications) and your email (for email verifications), the hacker can quickly and easily go to your other accounts, change passwords, and take control of the accounts at your banks, brokerages and cryptocurrency exchanges. They can also take over your Facebook, Twitter and Instagram accounts. Most services today use text or email to change a password, so once the hacker controls your phone, they can take control of your email and these other accounts.
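
    A service that sends verification codes by text can limit this chain by not trusting SMS for sensitive actions shortly after the number's SIM has changed. The sketch below is an added example, not code from StopSIMCrime.org or any carrier; the carrier SIM-change lookup, the 72-hour window, the action names and the sample data are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy value, not from the page: how long after a SIM change
# SMS codes are not trusted for sensitive actions.
COOLING_OFF = timedelta(hours=72)
SENSITIVE = {"password_reset", "withdrawal", "change_phone"}

def sms_code_decision(action, now, sim_changed_at, lookup_ok=True):
    """Return (decision, reason) for sending an SMS code for `action`.
    sim_changed_at: time the carrier last activated a new SIM (ICCID) for
    the number, or None if no change is on record. lookup_ok=False means
    the (hypothetical) carrier lookup failed, which is treated as risky.
    """
    if action not in SENSITIVE:
        return "allow_sms", "low-risk action"
    if not lookup_ok:
        return "step_up", "SIM-change status unknown"
    if sim_changed_at is None:
        return "allow_sms", "no SIM change on record"
    age = now - sim_changed_at
    if age < timedelta(0):
        return "step_up", "SIM-change time is in the future"
    if age < COOLING_OFF:
        return "step_up", f"SIM changed {int(age.total_seconds() // 3600)}h ago"
    return "allow_sms", "SIM change older than cooling-off window"

def review_requests(requests):
    """Apply the policy to a list of request dicts; return held requests."""
    held = []
    for r in requests:
        decision, reason = sms_code_decision(
            r["action"], r["time"], r.get("sim_changed_at"), r.get("lookup_ok", True))
        if decision != "allow_sms":
            held.append((r["user"], r["action"], reason))
    return held

# Constructed sample data (not real accounts or events).
T0 = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"user": "alice", "action": "password_reset", "time": T0,
     "sim_changed_at": T0 - timedelta(minutes=20)},
    {"user": "bob", "action": "password_reset", "time": T0,
     "sim_changed_at": T0 - timedelta(days=400)},
    {"user": "carol", "action": "withdrawal", "time": T0, "lookup_ok": False},
    {"user": "dave", "action": "login_notice", "time": T0,
     "sim_changed_at": T0 - timedelta(minutes=5)},
]
if __name__ == "__main__":
    print(review_requests(SAMPLE))
```

    A "step_up" result means the request is routed to a second check that does not depend on the phone number instead of receiving a text code.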

    Hackers prepare for their attack before calling the mobile carrier by collecting as much information about the victim as possible. Almost everyone’s basic information is readily available to the hackers – including your full name, telephone, address, social security number and more. This is because of the many and major data breaches over the last few years at companies like Yahoo, Equifax and Marriott, in which hundreds of millions of accounts were breached.

    The hackers basically have their own database of all of our information.

    SIM swap hackers target individuals who they want to attack, and they call up the mobile carrier. The mobile carriers all know about SIM swapping.

    Once SIM criminals have gathered enough information on a target, they create a false identity. First, they call the victim’s cellphone provider and claim that his or her SIM card has been lost or damaged. Then, they ask the customer service representative to activate a SIM card or number in their possession.

    Mobile service providers are not supposed to acquiesce to those requests unless callers answer security questions, but SIM fraudsters come prepared, using the personal data they’ve collected from across the web to defeat the carrier’s security checks without raising any alarms.

    Once they’ve gained unfettered access to a victim’s phone number, criminals target bank accounts.

    The hacker can read your text messages and see who you are chatting with and what about. Many banks will send you a code to log into an account or reset a password to a mobile phone via SMS, which means an attacker committing SIM fraud can request and receive the code and access your bank.

    Sometimes, SIM fraudsters mask money withdrawals using a parallel system. They create a second bank account under the victim’s name (banks where the victim is already a customer have fewer security checks). When the criminals execute a transfer between the two accounts, it appears to the bank’s computer system as though the victim is transferring funds between two parallel accounts.

    Other times, the SIM criminals target a customer’s cryptocurrency exchange account. Those accounts can be even easier for the criminal because funds in those accounts are held either in cryptocurrency like Bitcoin and Ethereum – or in US dollars (in the US) or Euros (in Europe) or other local currency. If the hacker gets into your cryptocurrency account because of a fraudulent SIM swap, then they will literally just withdraw the maximum they can and send it to their own crypto accounts.

    Why are SIM crimes a threat to you?
    Because everyone has a phone and everyone is at risk.
    What can you do to be safe?
    Google Voice or other “virtual private number”
    What are the questions to ask?
    How likely am I to be a target?

    Let’s make them stop!

    Email us at hello@stopsimcrime.org


    © 2018 StopSimCrime.org. All rights reserved
