Stolen mobile phone number How to defend yourself from criminals

A new type of fraud based on stealing mobile phone numbers through SIM swapping is gaining momentum, called “SIM swapping.” Beware of those who use SMS as a second means of verifying access to online accounts. Are there alternative solutions? What are the signs that your cell phone number has been stolen? Let's try to answer these and other questions.

The smartphone has become a very powerful medium not only from a hardware point of view but also in terms of attractiveness in the eyes of criminals because it contains a lot of information and personal data. However, if they cannot make people victims simply by stealing their smartphones thanks to increasingly advanced unlocking systems, such as those based on biometric recognition, then we should worry about… New SIM swap scamsfrom English”SIM swap“s”SIM swap'. It occurs when an attacker steals another person's phone number without their knowledge with the goal of using it to try to access emails, bank accounts, social profiles, and other online accounts.

Because a stolen mobile phone number can pose a risk to online accounts

An attacker can Go by trial and error Because even by stealing a phone number, there is no guarantee that he will then be able to access his victim's online accounts. This depends on the type of protection you have enabled in the online accounts you are registered with. Perhaps the most important account is the email account. It is likely, in fact, that the attacker would only need to be able to access his victim's emails so that he could then access all online accounts registered with that email. like?
Simply by ordering Change the password for the accounts you wish to access using the password recovery tool provided by all websites that offer user account management. It then depends on the security level that the individual website has activated to allow the password to be changed. However, most sites send an email to the registered address with a link to create a new address without taking additional security measures.

This is where it comes in Two-factor authentication. Suppose an attacker manages to obtain the username and password combination of his victim's email account. If the owner does not set up a second verification method, the attacker will have free access to their emails. However, if the email service allows double-check authentication and the user enables it, the attacker still cannot access emails. However, if a user sets up a code sent via SMS to their phone number as a second method of verification, SIM swap fraud could allow an attacker to access emails.

Two-factor authentication is important for online security but it is best not to use the “SMS” option.

We have already talked on more than one occasion about how two-factor authentication works. In short, remember that it blocks access to the account it is set to once you enter the username and password. Beside that Second verification required, which depends on the option chosen by the user at the time of configuration. The second most common verification step involves Send a unique code to the user's phone number.
The code is sent after passing the first verification method (combination of username and password). If you do not enter this code, you will not be granted access to your account. However, if the attacker manages to steal his victim's phone number, he receives an SMS containing the code and can thus access the account freely. And so on for all accounts that have SMS set as the second verification method. For example, many bank accounts use SMS as a means of verification: an attacker can thus gain access to the victim's bank account.

But would it be easy to steal a phone number?

The data that an operator must request from a person requesting a new SIM card while retaining the phone number of a stolen or lost SIM card may vary by country. In Italy, to restore the same number on a new SIM card, you can go to your operator's store with the applicant's identity document, the tax code of the owner (or of the legal person holding the contract) and a copy of the declaration issued by the competent authority in case of theft or loss. Vodafone also clarifies that a SIM replacement cannot be requested through authorization.
All of this means that if a store employee does their job right, they won't be able to help an attacker steal their victim's phone number by pretending to be the owner of the number. Even if it is just a request to transfer the number from SIM and eSIM, for example, the store owner should always ask for an identity document and not rely solely on written or verbally provided data.

Tips on how to prevent your phone number from being stolen

It is recommended to avoid becoming a victim of SIM swap Avoid entering your phone number online if it is not needed. When you create an account, even on a trusted website, the advice is not to enter the phone number if it is not mandatory, and only enter the data strictly necessary to complete the registration. This way, if hackers breach a website, they can at most access the name, surname and email address, not even the mobile phone number.
Then pay attention to Phishing: Don't trust suspicious emails asking you to “click here” to update your account or email details. You may end up on a site that invites you to leave your data and it will then be stolen. A typical example of phishing is emails informing you that a fake package is in stock with an invitation to leave your personal data for delivery. If you're waiting for a package for an online purchase, it's best to rely exclusively on the tracking code provided by the e-commerce site after shipping.

Another useful tip is Avoid setting sending a code via SMS as a second method for two-step authentication, if it was possible. More and more websites that allow you to set up two-factor authentication allow you to set it up as a second verification method Authentication application (Come Google Authenticator s Microsoft Authenticator) by sending a verification code to the application configured on your smartphone or other device. Rarely, some websites allow you to set a file physical security symbol, With a verification code that can be accessed from a device owned by the user (there are different types). By configuring one of these two methods, the attacker cannot access the account even if he steals his victim's mobile phone number.

To summarize: advice in a nutshell

In short, holders of online accounts that allow two-factor authentication are advised to enable this powerful security tool. However, those who already have online accounts with this two-step verification method enabled are advised to check the combination of the second authentication method and, if it involves sending a code via SMS, it is better to change it with another code from among those available (preferably Authentication application s Security code).

It is no coincidence that in 2023, Twitter announced its decision to disable the method based on sending a temporary code via SMS for two-step authentication to ensure greater account protection. In 2016, Google added a notification-based verification method that it can send to other devices linked to the same account. In 2017, Facebook introduced support for security keys as a second method of verification. However, here we explain how to enable double verification authentication on Instagram. Amazon has been offering two-factor authentication since 2015.

For more information about the SIM swap attack and more tips on how to prevent unpleasant consequences when your mobile phone number is stolen, we invite you to read the in-depth analysis dedicated by Kaspersky Security: www.kaspersky.it/resource-center/threats/sim-swapping