Your smartphone is the new target for fraudsters
How to protect yourself (and your accounts) from a “SIM swap.”
February 28, 2019 7 min read
Protecting your various accounts from fraudsters and hackers is a necessity in an increasingly digital world. Complex passwords and password managers can help, but fraudsters are constantly developing new ways to steal your personal information. And one of the newest ways involves your smartphone’s SIM card.
What is a SIM card?
Your SIM card is a small chip inside your phone that identifies you as the phone’s owner. It contains unique information that allows the device to communicate with the mobile network, and it tells your carrier that the phone belongs to you.
Essentially, the SIM card is what makes your phone a phone, and not just a glorified media device. Without the SIM card, the device would still work, but you wouldn’t be able to make phone calls, send or receive text messages, or connect to your carrier’s data network.
Why your SIM card puts you at risk
Recently, a security control called two-factor authentication (sometimes shortened to 2FA) became the standard for safeguarding personal data. It typically works like this:
- You sign in to an account with your username and password.
- A text message with a one-time passcode is sent to your cellphone.
- You enter that code into your account to complete sign-in.
Your SIM card is what allows two-factor authentication to work with your cellphone, because it ties you to your device. This process verifies that your login attempt is authentic by adding a second security check—connected to the device in your pocket.
This was once considered the safest method of fraud protection. And it’s often safer than email verification because, in reality, a large percentage of people still use the same passwords across multiple accounts.
The problem? Now that two-factor authentication commonly relies on cellphones, your phone number is a prime target for fraudsters.
How fraudsters steal your phone number: The “SIM swap”
Fraudsters attempting a SIM swap call your phone carrier, pretending to be you. They tell customer service that their phone was lost or damaged, and that they need the number associated with your SIM card transferred to a different SIM card—one in their possession.
Wondering how a fraudster convinces someone they’re you? Ask yourself this: How hard is it to find your birthday on the internet right now? Or your phone number? Or even your home address? And how much information are you voluntarily sharing on social media?
If they’re able to convince customer service they’re you, your number is transferred. It’s now linked to their device, not yours. You’ll stop receiving calls and texts, but other elements of your phone will still work. If you’re on Wi-Fi, you can still browse the internet—which might increase the time it takes to notice your phone is no longer connected to the mobile network.
And how they access your online accounts
Once the fraudster has access to your phone number, they can target your bank, credit card or any other account that may send a security code by text message during two-factor authentication. When they try to sign in to your account, the code is sent as a text to their device, not yours.
Once the fraudster passes two-factor authentication and signs in, they have full access to your account—meaning they can transfer a balance or order a new credit card.
While your credit card company or bank may take care of the fraudulent charges, you’ll still need to deal with the hassles and anxiety of reporting the fraud, getting new cards, and wondering whether other accounts are compromised.
4 steps to protect yourself from a SIM swap
SIM swapping is a serious concern, so taking the time to add extra security to your accounts is important. You can protect yourself with these simple steps:
- Set a passcode with your carrier. Fraudsters can’t use your (potentially compromised) personal information to verify your identity if they also need a passcode. Doing this is usually free and a no-brainer.
- Use other two-factor authentication options tied to your device. Not all two-factor authentication options rely on your phone number. For example, downloading the Capital One® Mobile app gives you the option to pass two-factor authentication simply by logging in.
- Contact your carrier if your phone stops receiving calls. This could be a sign of a SIM swap, so call your carrier as soon as possible. Also, check your financial accounts to make sure nothing has been compromised.
- Learn about unauthorized charge coverage provided by your financial institutions. Many of them will work with you to resolve your claims or offer some sort of fraud liability guarantee. For example, Capital One offers $0 liability for unauthorized charges—so if your credit card or credit card number is lost or stolen, you won’t be on the hook for fraudulent charges.*
A SIM swap is a real threat to your financial life, but you can help protect yourself if you follow the steps outlined above. By taking a few simple measures, you can do your part to stop fraudsters in their tracks.