Home of internet privacy

What is SIM swapping, and how to avoid it

More and more services use your phone number to identify you, sometimes in addition to an email address, other times instead of one.

There are various reasons companies want to use your phone number for identification. It might help them prevent the creation of fake accounts, meanwhile allowing them to more easily target you with ads. But it can also put you in severe danger of SIM-swapping attacks.

[Want more security tips? Sign up for the ExpressVPN newsletter.]

In a SIM-swapping attack, a hacker uses social engineering techniques to persuade your mobile-phone company to issue a new SIM card and to reroute all calls and text messages to this new card.

Your phone will lose its signal, and you will not receive, for example, any fraud alert messages from your bank.

In another type of attack, a hacker fraudulently obtains access to a global system used for routing calls and messages, called SS7, to intercept and divert login codes. In this attack, you might not notice that you are a victim, as your phone will continue operating as usual.

Here are five steps to protect you from falling victim to this threat:

1. Don’t give online services your phone number

Online services shouldn’t need your phone number. They shouldn’t ask for any information they don’t need, and they shouldn’t put you at risk by keeping this information on file. In many cases you can opt out of submitting your phone number or skip this particular step. You can also choose another service or inquire why your phone number is necessary.

2. Use other forms of two-factor authentication

Don’t use your phone number for two-factor authentication (2FA). Instead, use authenticator apps or, even better, hardware security like the FIDO U2F standard.

These options will ensure that your access to your accounts is not dependent on your SIM card or phone. When your phone number is the sole method of identification (such as for your Whatsapp or Telegram account), don’t forget to set a secondary password to keep people out!

3. Use a prepaid SIM card

As long as your prepaid SIM card is not tied to a name or another form of identification (including credit card or ID number), it is close to impossible to be “swapped.”

Some services will only allow you to replace the SIM if you have the case the card came in, so be sure to keep it secure!

This will not, however, protect you from hackers diverting your SMS in another way.

4. Test your most vulnerable accounts

There may be some accounts that you aren’t able to unlink from your phone number, be it for legal or practical reasons.

To learn how you can protect yourself from SIM swapping, why not test how easy it is to take over your email, chat, or bank account with just your SIM card and some publicly available information, like your date of birth or full name.

Such a test will help you assess whether there are additional steps you can take to protect these accounts, like 2FA, or switching providers, for instance.

5. Put a lock on your phone account

Contact your phone company to find out what mechanisms are available to protect yourself from a SIM-swapping attack. Some providers will let you set a password for customer service, while others will require you to show up in-person to a store and identify yourself with your government ID.

Hopefully, in the near future, unsecured phone lines and unencrypted SMS will be a thing of the past, but for now they are difficult to escape.

Hackers will attempt to get hold of your bank account and social media accounts by diverting SMS and phone calls to their accounts. Protect yourself and lock down your accounts today!

Read more: Countries with SIM-card registration laws