If you think your smartphone is safe from SIM swapping attacks because it has no SIM card, think again. This can get a little hairy so I’ll start with the basics of SIM cards, explain how they’ve been exploited, how eSIM replaced SIM and finally how eSIM can be exploited. If you don’t want the history lesson, you can just skip to “What you can do” below.
What is a SIM card?
Until recently and going back to the earliest cellular technologies, mobile phones have contained a small card containing a computer chip known as a Subscriber Identity Module or SIM card. This card stores contacts, text messages and information about your account. Most importantly it contains a code that identifies your phone to the carrier. By storing this important information on a removable card, upgrading your phone is as simple as pulling this card from the old phone and inserting it into the new phone. There’s a little more to it than that, but simply transferring this card gives the new phone the ability to make and receive phone calls and text messages through the same account as the original phone.
How this affects you
Convenience comes with risk. If someone were to steal your SIM card they would be able to receive and make phone calls, and also receive and send text messages using your account and phone number. Armed with that and your contact list, you could imagine the havoc someone could wreak. What you might not consider, however, is all the important websites that you’ve set up with multifactor authentication (MFA). If you’ve set them up to text you a code when logging in, someone who steals your SIM can receive those codes and get into your accounts.
To deter SIM swapping, and eliminate some other limitations, Embedded SIM or eSIM was created. Most newer phones use eSIM. Rather than storing this sensitive information on a removable card, it is securely stored internally. The process of transferring the information to a new phone is done electronically using secure mechanisms. Well, like anything that’s secure, vulnerabilities can be found and exploited, and information can be stolen. And since no physical card transfer needs to be made, it can be done completely remotely, even while your phone is in your pocket.
Some attacks are performed by getting into the phone owner’s online account. Some carriers make it easy for you to transfer your account to a new phone online. But surprisingly, many of these thefts are carried out through the carriers’ own representatives, who are taken in by social engineering scams. A smooth-talking con artist impersonating you convinces the representative to transfer the SIM to their phone. There are also recent cases of phone store representatives doing SIM swapping maliciously for money.
What you can do
For starters, you’ll want to maintain tight control of your wireless online account. As with everything else, a strong, unique password is a good idea. If your carrier provides multifactor authentication for accessing that site, you’ll definitely want to make use of that as well. As for carrier representatives being conned or compromised, there’s nothing you can do about that. But you can protect your MFA for other sites you access.
If you’re using your phone as MFA for other sites, those sites may give you a choice between SMS (text messaging) or use of an Authenticator app. If given the choice, always select the latter. If you use an authenticator you won’t have to worry about a SIM-stealer getting your code in a text. An authenticator app does not use SMS so it’s not vulnerable to these attacks. There are several free authenticators from Microsoft, Google, and others. Any one of them from a reputable company is better than using SMS. MFA in any form is by no means 100% safe or unhackable, but if you follow this recommendation you’re still better off than having no MFA at all.