Skip to content

SIM Swap: The Gateway Hack

Telesign Team September 17, 2019
SIM Swap is a gateway hack

Telesign to offer SIM Swap protection in US, Canada, UK, Nigeria, South Africa, France and Australia

You’ve probably heard of the term ‘Ô’gateway drug.’ It’s a piece of escalation theory that states that someone who tries alcohol, tobacco or some other minor drug will sooner or later be addicted to crack. It’s generally used as a scare tactic. Plenty of people drink socially and never progress their hedonistic ways beyond that. Similarly, in criminal justice there are certain advocates for harsh penalties for something small like shoplifting, because shoplifting will invariably lead to homicide if it is not corrected right away. There are fallacies in each of these arguments. But when we discuss cybersecurity one thing is certain, a SIM Swap is the beginning of a chain that causes absolute carnage for a bevy of stakeholders. Let’s examine.

What is SIM Swap?

We’ve been banging the drum for SIM Swap for a long time over here at Telesign but let’s do the quick CliffsNotes version one more time.

A SIM Swap is an unauthorized number porting. More often than not a SIM Swap attack occurs with some social engineering that exploits a hole in security and either an overeager customer service worker or a mole within a telco.

An example:

A fraudster will call your cell phone provider pretending to be you. They will have some sort of sob story about how they need to port their number over to a new device and forgot all of their passwords. But ‘Hey, here is my birthdate!’ (They could have stolen a piece of mail or checked out your social media pages.) After the fraudster rattles off enough true facts the customer service rep infers that they are indeed you and dutifully ports over the number.

That’s it. That is the end of the attack. But unless the fraudster is your ex-girlfriend trying to spy on your incoming texts, the situation is going to get much, much worse.

See now that the fraudster has access to your phone and all incoming messages they can go through all of your accounts and set off account recovery sequences. Many of these sequences involve a password reset that operates through multi-factor authentication one time passcodes, in a mere matter of minutes they have unlocked all of your accounts and are now free to unload their reign of terror.

So, what happens next?

I told you that SIM Swap was a gateway hack, well in this metaphor the crack is account take over. What does this fraudster do when they have access to all of your accounts? Whatever the F*@# they want! Drain your crypto? Check. Bank Accounts? Gone. Delete your social media and e-mail accounts just to mess with you? Sure, why not. And if this all happened in the middle of the day you might notice some strange things. Your phone may inform you that your SIM card is missing, you may get some push notifications that your e-mail password is incorrect, but the fraudster knows all of this so he does it while you are asleep.

Nothing like waking up in the morning just to find out you’ve been defrauded out of six figures! This is just an account takeover scenario though. They have your phone number, they could attempt phishing schemes, reaching out to your loved ones. They could go through your personal information looking for any information to blackmail you with. Hope you’ve been living clean!

However, account takeover is the most likely outcome. This creates a tremendous amount of problems for banks, merchants and of course, users. While users’ personal liability has ranged around $2 billion dollars annually, banks and merchants are also on the hook for failing to protect their customers. It’s a giant mess for everyone involved. Fortunately there are remedies.

How can it be stopped?

Like any health professional (I consider myself a professional in cyber health) I recommend preventative medicine. Telesign offers preventative SIM Swap solutions that keep your users safe by informing a platform the last time a number was ported. For example, if you knew that a number was ported in the minutes leading up to a user attempting to empty their bank account, you might find that suspicious, yes? I would hope so, that or your business needs some serious fraud training. Additionally, our engineers and product team are diligently working on expanding our current service area. By the end of 2019 Telesign will be able to protect against SIM Swap in the US, Canada, UK, Nigeria, South Africa, France and Australia. Hooray innovation!

This is just one strategy to protect against SIM Swap attacks. There are other ways, better personal security hygiene, more judicious customer service representatives. But your business can only manage what you control. By protecting your user, you can avoid liability and rest easy knowing you are taking steps to make your platform a more secure environment. You can know that you are not directly contributing to the drug…er, hacking problem in America.

This site is registered on as a development site.