The IoT devices we use daily offer us convenience and efficiency, but they can also be access points for those looking to benefit from stealing our personal and business information. Indeed, according to a Clark School study at the University of Maryland, one cyber attack occurs every 39 seconds.
Despite the precautions we can take, such as having a secure password, firewall, and security system, hackers evolve. One of the growing threats to cybersecurity in IoT is SIM-jacking or SIM-swapping.
What is a SIM card?
A SIM (subscriber identity module) card is a small chip most commonly used in phones and many other connected devices. SIMs are integral to most modern phones, as they allow us to make calls and stream data on the go, and can also be found within most computers, Internet-connected routers, smartwatches, cameras, and telematics devices.
The SIM chip is used to authenticate subscribers of specific cellular service providers and store specific contact information. Each SIM has a unique serial number, the subscriber’s identity number, security authentication information, as well as temporary local network information. It contains a list of services the subscriber can access.
This personal information stored on your SIM card is undeniably dangerous to lose. It is vital to understand the security issues that may infiltrate your SIM card – and to know how to prevent them.
What is SIM-Jacking?
In layman’s terms, SIM-jacking happens when a nefarious actor gains control of someone’s phone number and tricks a carrier into transferring it to a new phone. Thieves usually manage to seize control of your number by fooling or bribing someone who works for the carrier, or by contacting the carrier and giving them a subscriber’s personal information they have been able to obtain.
As an example of these attacks, in 2017, hackers managed to find a bug revealing confidential information on just about any T-Mobile customer. Another recent example of this tactic was showcased when a group of hackers managed to SIM swap the CEO of Twitter’s personal account. They used their access to send out offensive tweets on his page and promote their Discord server.
In this specific incident, the hacker group took advantage of a flaw within Twitter’s text-to-tweet service whereby a user can post a tweet by texting a message to a shortcode number. While this makes it convenient to post to your account, it is also quite an insecure system, as all one needs in order to gain access to an account is control of the user’s phone number.
How Common is SIM-Jacking?
While the Twitter incident was mostly a prank, SIM-jacking/swapping is common and can be harmful. SIM-jacking is usually used to steal cryptocurrency or gain access to high-value accounts to send malware to followers. It can also be used to steal your identity and, in some cases, to steal money from your bank account.
SIM-jacking is also popular due to the technique being less complicated compared to other methods of cybercrime – it can be done without any hacking at all, simply using social engineering attacks to convince someone to change a phone number. Because carrier employees have to perform SIM swaps as part of their jobs, it can be straightforward to bribe or trick an employee into transferring the number.
What is at Risk from SIM-Jacking?
Because this method involves taking control of your mobile number and is used to bypass two-factor authentication, any account connected to your phone number is at risk. Commonly, once your number has been SIM swapped, the hacker may attempt to use it to change the passwords of your accounts. This access gives them any personal information you store on those accounts, from your email to your bank account and cryptocurrency trading apps.
So, SIM-jacking is a dangerously uncomplicated method allowing a hacker to gain control of all of your accounts within minutes.
Now that we’ve talked about the threat, what precautions can we take to protect ourselves from SIM-jacking?
How to Avoid SIM-Jacking
Realistically, there isn’t much you can do to stop SIM-jacking if you’re dealing with a seasoned SIM swapper, other than maybe notice the switch as it’s happening. Many of the reasons SIM-jacking works are out of your control. Your carrier has your personal information, and the service carriers have to perform SIM swaps as part of their job. It’s just too easy to impersonate, and in some cases, hackers have even recruited people to provide them with SIM swaps.
Still, you are not completely subject to hackers’ whims. There are a few steps, which we discuss below, that you can take to make it difficult for someone to steal your identity without your notice. These steps can deescalate a SIM-jacking attempt from a devastating blow to a minor annoyance.
Every major US cell phone service carrier offers the option of a passcode on an account. It’s highly recommended you use it. While it may still be possible to obtain the PIN from inside, the more steps you force the attacker to take to gain entry into your account, the more likely they are to move on. Ask your carrier how to set a PIN, or look up the instructions online.
Most two-factor authentication codes work via text message. While this is certainly convenient, it is not very secure. It’s recommended that you use stronger two-factor authentication software, such as an Authenticator (Google, Microsoft, etc.), email, or Duo Mobile. Instead of tying your personal information to a number, the software associates your information with a specific device. In other words, only your physical phone may be used to access your personal information.
Using your phone as a second factor in two-factor authentication (say for websites) does put you at higher risk for hacker infiltration. This is a hazard to consider when you’re setting up your authentication protocols.
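To show why authenticator codes stay with the device rather than the phone number, here is an added example (not part of the original article): a minimal RFC 6238 TOTP generator and server-side check. The secret is the RFC's published test value and the function names are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (the common default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the window containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check; accepts +/- drift windows of clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP), submitted)
        for d in range(-drift, drift + 1)
    )

# Constructed sample: the RFC 6238 test secret, standing in for the value
# written to the phone's authenticator app at enrollment.
DEVICE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = 59
    code = totp(DEVICE_SECRET, now)
    print("code shown on the enrolled phone:", code)
    print("accepted now:", verify(DEVICE_SECRET, code, now))
    print("accepted two minutes later:", verify(DEVICE_SECRET, code, now + 120))
```

Nothing in `verify` takes a phone number as input, which is why moving the number to another SIM does not move the codes.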
Possibly the best way to prevent yourself from being SIM-jacked is being aware of what is connected to your number. It can be time-consuming to go through all your accounts, as some apps require your phone number; however, being conscious about what’s connected to your accounts and being mindful of what you connect to your phone can make a big difference.
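One way to carry out that inventory, as an added example rather than anything from the original article: list each account's second factor and reset channels, then compute which accounts depend on the phone number alone, including indirectly through a mailbox. The account names, field names and the rule that a non-SMS second factor still protects a reset are assumptions of this sketch.

```python
from dataclasses import dataclass, field

WEAK_FACTORS = {"sms", "none"}  # factors that follow the phone number, or are absent

@dataclass
class Account:
    name: str
    second_factor: str                           # "sms", "totp", "hardware_key" or "none"
    reset_via: set = field(default_factory=set)  # "sms" and/or names of mailbox accounts
    acts_on_texts: bool = False                  # e.g. a post-by-text feature

def _reason(acct, exposed):
    if acct.acts_on_texts:
        return "acts on texts sent from the number"
    if acct.second_factor not in WEAK_FACTORS:
        return None                              # assumed: reset still needs the device factor
    if "sms" in acct.reset_via:
        return "password reset by SMS"
    for channel in sorted(acct.reset_via):
        if channel in exposed:
            return f"password reset through exposed mailbox '{channel}'"
    return None

def exposed_to_number_takeover(accounts):
    """Map account name -> reason, for accounts that depend on the number alone."""
    exposed = {}
    changed = True
    while changed:                               # repeat until no new account is added
        changed = False
        for acct in accounts:
            if acct.name not in exposed:
                reason = _reason(acct, exposed)
                if reason:
                    exposed[acct.name] = reason
                    changed = True
    return exposed

# Constructed inventory for illustration only.
INVENTORY = [
    Account("bank", "sms", {"personal-mail"}),
    Account("personal-mail", "sms", {"sms"}),
    Account("crypto-exchange", "totp", {"personal-mail"}),
    Account("social", "totp", {"personal-mail"}, acts_on_texts=True),
    Account("work-mail", "hardware_key", {"sms"}),
]

if __name__ == "__main__":
    for name, why in exposed_to_number_takeover(INVENTORY).items():
        print(f"{name}: {why}")
```

In the sample, the bank never uses SMS for resets yet is still flagged, because its reset mailbox is itself recoverable by text message.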
Work with a Trusted Partner
We get it – securing your devices and SIM cards can seem daunting. When you work with an IoT managed services provider like Kajeet, you can rest assured that you are protected from potential security threats. All SIM cards within Kajeet solutions are paired with a carrier-specific APN, making it virtually impossible for hackers to infiltrate (and rendering students’ attempts to transplant SIM cards from Kajeet education solutions into other devices useless).
If you are interested in partnering with Kajeet to create secure, reliable connectivity solutions, contact us and one of our experienced Solutions Engineers will reach out to you.