Identity theft and identity fraud are on the rise and oftentimes fraudsters will override your privacy rights by gaining control of your cell phone and stealing the valuable information in it. The fraudsters can gain access to your emails, text messages, contacts’ information and payment apps just by knowing your phone number and the use of social engineering. Social engineering is used to obtain your passwords, which apps you're using for banking, and intimate knowledge of your life to answer the security questions posed by a lot of these sites/apps. In 2019, there were 19 reports to the Edmonton Police Service of Phone Number Ported/SIM Card Scam with an overall loss of $85,058.94.
The SIM card contains a variety of information designed to allow the device to securely and reliably connect with networks and your contacts, but also has ways that make you vulnerable. Your cellular carrier does maintain records of your information and activities, which - in theory - can be hacked and your information stolen.
A SIM Card does not contain:
- Highly personal and sensitive information like pictures and videos.
- Your home address, your bank account number, your doctor's name, or other details unless you specifically write those details in a text (SMS) message or specify those details in your contact lists.
A SIM Card does contain:
- Your text messages. Each cellular carrier has different retention periods and they are moving away from saving text (SMS) messages on SIM cards.
- Your phone contacts with the related information like names and numbers, and history of calls, including dates and times.
- Certain cellar carriers state that application transfer over.
- The last location of the phone, which is often useful in locating missing people.
Your cellular carrier has the ability to remotely transfer the information on your SIM card to another SIM card this is not a default option. In order to make it happen your cellular carrier needs the following:
- Your phone number;
- Phone information;
- Cellular carrier account information;
- The password for your account.
This information can be attained by a fraudster by:
- Sending a fraudulent text pretending to be your cellular carrier then asking you to confirm your account information by entering it into a hyperlinked text field. They can also request account numbers, verifying details, passwords, or PIN's to be replied by text.
- Sending a fraudulent email pretending to be your cellular carrier then asking you to confirm your account information by entering it into an attached document or a hyperlinked document in the email.
- Installing malware or a key logger on your phone that is hidden in an attachment or a hyperlink sent to you in a text or email. However a keylogger is very difficult to install on any modern phone and would usually require physical access to the phone at some point
- Phoning you and pretending to be a customer service representative from your cellular carrier and asking you to confirm your account information over the phone.
- Looking through the internet and your social media accounts to find your address, birth date and other personal information.
How do they conduct a SIM swap?
Once the fraudster has your phone number and some personal information, they contact your cellular carrier and request a transfer of service from an old phone to a new one. The fraudster then makes up a convincing story about losing or damaging a phone, and then they make it seem plausible by providing the personal information they were able to obtain. When convinced, the cellular carrier may move the phone number to a new device that the fraudster now has can access the phone number only for a very short amount of time. Once the person phones their provider and asks why they don't have service, the switch will be picked up and dealt with by the carriers.
With the victims phone number now on the fraudsters phone, the fraudster can now reset the passwords on every account that uses the phone number for auto recovery, but only if they have your username, account number or client number. When financial institutions see a red flag in spending habits they may call the customer’s phone number or send a text message. However, the call and/or text may go to the fraudster because they have taken over the victim’s phone number.
Signs of a swap
- If your phone receives “no signal” or says, “Emergency calls only,” even after restarting the phone, then use another phone to call your provider and have them check the status immediately
- You will still be able to use your apps as they work off Wi-Fi, so try logging into them to ensure they haven’t been hacked into.
- Contact your financial institutions right away to alert them of suspicious activity and tell them that your cell phone number has been compromised. Financial institutions are aware of the increase in identity fraud and the evolving methods used by fraudsters to steal your money. They make it a practice to monitor clients’ accounts for suspicious activity and will lock down or freeze the clients’ accounts until they attend a local branch and speak to a customer representative.
Tips on how to help prevent phone takeovers
- Mobile phone carriers are aware of this crime and are taking steps to ensure that their customers are taken care of. Most mobile phone carriers now request customers to create a PIN. Whenever a customer contacts the service provider, the PIN is requested. If you think you do not have a PIN, call your cell phone provider and make sure you didn’t opt to disable it when you signed up.
- Do not publish your phone number on your public profile on social media
- Review your credit card bills, bank statements and phone bills. If something doesn’t add up, report it immediately.
- Do not use the same usernames and passwords across several websites. Make your passwords long, complicated, and difficult to guess.
General tips to keep your device safe:
- Password-protect your device. All devices can be locked with a password or even your thumbprint. It's an easy setting that can protect all of your information if your device is lost or stolen. Be sure to enable your password auto-lock setting so it locks after a short period of inactivity.
- Use unique passwords. Avoid repeating the same password or using a similar pattern on different passwords. If the fraudster knows one of your passwords then they will figure out the rest.
- Use 2-Factor Authentication App. An app like Google Authenticator is tied to a specific device rather than a phone number which can be transferred. This is a rolling password to go along with one that you know creating a more secure logon.
- Free apps can access your contacts and other areas of your device. Some apps request access to your different areas of your phone. Read the warnings or use apps by reputable well known developers.
- Avoid connecting to unknown or non-password protected Wi-Fi networks. Free Wi-Fi is great, but unsecured wireless networks can compromise your information!
- Don't store EVERYTHING on your device. Remove items that are not crucial so if it's lost or stolen, that information doesn't end up in the wrong hands. For example, don't keep your banking information, passwords, etc. on your phone.
- Read before you install. Understand what information an app could access and share from your device, before you download.
- Disable the geo-tagging setting on your device (Location Setting). Smartphones and tablets can automatically attach the exact location you updated your social media profiles, and can see where you took a photo. This setting can provide your location to anyone who has access to your profiles.
- Update your software when it becomes available. Downloading the latest mobile security software and operating system can protect you against viruses, malware and other technology threats.