Technological progress has provided global access to products and services, unlike any other tool in human history. All tools, however simple or complex, can potentially be used for nefarious purposes. While technology is undoubtedly a beautiful thing, it connects humans in ways that didn’t exist 20 or more years ago; our various interconnected devices are also potential channels for hackers.
The IoT devices we use daily are convenient for us, and that convenience can also be a pathway for those looking to benefit from stealing our personal and business information. Indeed, according to a Clark School study at the University of Maryland, the approximate rate of cyberattacks is, one cyber attack occurs every 39 seconds.
Indeed, precautions can be taken, and having a secure password and firewall can help; however, just like our security software, hackers evolve. One of the growing threats to cybersecurity in IoT is sim-jacking or sim-swapping.
SIM-Jacking
What is a SIM card?
SIM stands for subscriber identity module, and it’s a small chip most commonly used in phones and many other connected devices. It’s integral to most modern phones, as it allows us to make calls and stream data on the go. SIMs can also be found within most computers, internet-connected routers, smartwatches, as well as cameras and telematics devices.
The SIM chip is used to authenticate subscribers of specific cellular service providers and store-specific contact information. Each SIM has a unique serial number, the subscriber’s identity number, security authentication information, as well as temporary local network information. It contains a list of services the subscriber can access.
Unfortunately, SIM cards contain personal information that’s undeniably dangerous to lose. However, SIM cards seem pretty secure; after all, they have two passwords. So why should you be worried about your SIM card?
What is SIM-Jacking?
In layman’s terms, SIM-jacking is essentially taking control of someone’s phone number, and tricking a carrier into transferring it to a new phone. Thieves usually manage to gain control of your number by fooling or bribing someone who works for the carrier or contacting the carrier and stating the subscriber’s personal information, which thieves can come by in multiple ways.
In fact, in 2017, hackers managed to find a bug revealing confidential information on just about any T-Mobile customer. Another quite recent example of this tactic was showcased when a group of hackers managed to SIM swap the CEO of Twitter’s personal account. They used their access to send out tweets on his page and promote their discord server.
In this specific incident, the hacker group took advantage of a flaw within Twitter’s text-to-tweet service, whereby a user can post a tweet by texting a message to a shortcode number. While this makes it convenient to post to your account, it’s also quite insecure, as all you need to gain access to the account is control of the user’s phone number.
How common is SIM-Jacking
While the twitter incident was mostly a prank, SIM Jacking/Swapping is common. In fact, in 2017, hackers made a tutorial on how to exploit T-Mobile’s information disclosure function. An individual could gain a customer’s email address, billing account numbers, and the phone IMSI (international mobile subscriber identity) number. Having the phone’s IMSI number and some personal information helps the hacker convince your carrier that they are you. After that, your number is changed to one the hacker controls and it’s off to the races.
Sim-jacking is usually used to steal cryptocurrency, or gain access to high-value accounts to send malware to followers. But it can also be used to steal your identity, and, in some examples, to steal money from your bank account.
Ellis Pinsky of New York was accused of using SIM swaps to steal approximately 71.4 million dollars in cryptocurrency. On May 13, 2019, AT&T contractors and a Verizon employee were charged with being involved in assisting with SIM swapping by giving hackers their customers’ personal information for money.
SIM-jacking is popular because this method can be used to bypass traditional two-factor authentication. Once they control the number of records, a request for SIM-jacking is also popular due to the technique being less complicated compared to other methods of cybercrime – it can be done without any hacking at all, just convincing someone to change a phone number. Because carrier employees have to perform SIM swaps as part of their jobs, it’s straightforward to bribe or trick an employee into transferring the number.
What’s at risk from SIM-Jacking
Because this method involves taking control of your mobile number and is used to bypass two-factor authentication, any account connected to your phone number is at risk. Commonly, once your number has been SIM swapped, the hacker may attempt to use it to change the passwords of your accounts, and gain access to anything from your email, to your bank account, and cryptocurrency trading apps.
So, SIM-jacking is a dangerously uncomplicated method, in which a hacker can gain control of all of your accounts within minutes. It’s pretty scary, so what precautions can we take to protect ourselves?
How to Avoid SIM-Jacking
Realistically, there’s isn’t much you can do to stop SIM-jacking if you’re dealing with a seasoned SIM swapper, other than maybe notice the switch as it’s happening. Many of the reasons SIM-jacking works are out of your control. Your carrier has your personal information, and the service carriers have to perform SIM swaps as part of their job.
It’s just too easy to impersonate, and in some cases, hackers have even recruited people to provide them with SIM swaps. But you are not helpless to the follow-on effects. There are a few steps you can take to make it difficult for someone to steal your identity without you noticing. These steps can decrease the results to a minor annoyance.
PIN
Every major US cell phone service carrier offers the option of a passcode on an account. It’s highly recommended you use it. While it may still be possible to obtain the PIN from the inside, the more steps you make the attacker take, the more likely they are to move on. Ask your carrier how to set a pin, or look up the instructions online.
Two-Factor Authentication
Most two-factor authentication codes work via text message. While this is certainly convenient, it’s not very safe. It’s recommended that you use better two-factor authentication software such as an Authenticator (Google, Microsoft, etc.), email, or DuoMobile. Instead of tying your personal information to a number, the software associates your information for a specific device. In other words, your physical phone, and only your phone can access your personal information.
Awareness
Using your phone as a second factor in two-factor authentication (say for websites) does put you at higher risk for hacker infiltration. So, that’s a hazard to consider when you’re setting up your authentication protocols.
Possibly the best way to prevent yourself from being SIM Jacked is being aware of what is connected to your number. It can be quite a time consuming to go through all your accounts, as some apps require your phone number; however, being conscious about what’s connected to your accounts and being mindful of what you connect to your phone can make a big difference.
SIM Jacking and the IoT
Although the above advice works well for individual devices like cellphones, IoT solutions with multiple cellularly-connected edge devices might want to add an extra layer of security, and even more so in sensitive use cases. An IoT management platform like Sentinel adds extra security into the mix, adding a next-gen firewall (NGFW) between your devices and the public internet. And should one of your devices somehow fall victim to SIM jacking, you'll see that right away in Sentinel -- allowing you to take appropriate action. Want to learn more about Sentinel and its security features? Check this out: