It is no secret to anyone that our phones have become an extension of who we are, they have turned us into cyborgs and are used to validate whether we are the ones who are entering a service or making a specific transaction through Verification of 2 Steps : those text messages with the transaction codes that many services still send to their users’ phones to validate their identity.
That is why SIM Swapping or SIM Card Cloning (although the name is wrong because nothing is cloned) continues to grow and is consolidated as one of the main computer crimes.
What is SIM Swapping and how Does it Work?
SIM Swapping is nothing more than a fraudulent act by means of which a criminal changes the SIM associated with a telephone number without its owner being aware of it. Thus, the calls and messages that arrive at said number are no longer received by the owner of the line but by the criminal.
And although the name in Spanish would seem to indicate that there was a technical cloning process, SIM card manufacturers like Gemalto have had protection mechanisms for years that largely prevent such a process. Today, the process is one of change (not cloning and therefore “swapping”), it is simpler and requires only a little research and a couple of calls.
Let’s Talk about The Social Engineering Component:
The first thing the offender needs is information from the victim. Information that you collect from Google, Facebook, Twitter, TikTok, Tinder, how much survey you give up you answer by telling the school you graduated from, the name of your dog, etc., etc., or that can be secretly collected for some malicious code that he installed on his devices derived from a file he received via email, a download from a web page or via WhatsApp.
With this information, criminals communicate with your mobile operator, impersonate you, and get them to reissue a SIM associated with your number.
And now, with control over the phone line and your information, criminals can impersonate you to request password changes for emails or accounts, make transfers, or even contact family and friends and trick them by asking for money. emergency for some fictitious situation that they invent (as happened to the mother of my friend Mauricio, who influenced me to write this article).
How do We Protect Ourselves?
There are 7 basic steps you must follow to protect yourself (although nothing will be 100% foolproof):
- Stop using insecure or leaked keys in some massive data leak. And stop reusing them as a service and application you have / use. It is time to use a password manager , like iCloud KeyChain (if you are an Apple user), 1Password or LastPass.
- Don’t share so much information (online, over the phone, etc., etc.). Or better yet, validate who you are sharing your information with before doing so.
- Be careful with what you download to your devices.
That ppt with the most beautiful landscapes in the world, that pdf file that DIAN sent him because he has not paid his taxes or the Ministry of Traffic because he committed an infraction, that link to the game that is worth money but is free from it, the audio of the Pope with the blessing of the sacred robe may actually be a file with malware that can steal your information.
- Opt for secure 2-Factor Authentication mechanisms .
Apple, GMail, Facebook, Instagram, even banks such as Bancolombia have already migrated from verification via SMS to Verification models of 2 secure factors , based on an application that must be previously registered and that is associated with a specific device (and not with the phone line of the same).
- Activate notifications of access from new devices to your accounts. Most email and social media providers already offer it.
- Validate, before accepting a new contact in your social networks, if you already have it as a contact and if it really corresponds to the person it claims to be. A newly opened profile, without photos or information or duplicate is, generally, a fraudulent profile used to obtain information from contacts.
- Remember to validate if the person you are talking to (or chatting with) is actually that person. Is it the bank official? Is it your friend or cousin that you haven’t seen in years?
Remember that your information is the most precious asset you have today and that criminals are after it because with it they can do wonders.