1. Home
  2. Techniques
  3. Mobile
  4. SIM Card Swap

SIM Card Swap

An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.[1][2] The adversary could then obtain SMS messages or hijack phone calls intended for someone else.[3]

One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.[4][5][6][7]

ID: T1451
Sub-techniques:  No sub-techniques
Tactic Type: Without Adversary Device Access
Tactic: Network Effects
Platforms: Android, iOS
MTC ID: STA-22
Contributors: Karim Hasanen, @_karimhasanen
Version: 1.2
Created: 25 October 2017
Last Modified: 30 September 2021

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be instructed to use forms of multifactor authentication not subject to being intercepted by a SIM card swap, where possible. More secure methods include application-based one-time passcodes (such as Google Authenticator), hardware tokens, and biometrics.

References

  1. New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016.
  2. Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018.
  3. Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016.
  4. Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.
  1. Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018.
  2. Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018.
  3. John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018.