Redazione RHC : 19 July 2025 09:43
These days, smartphones are in practically everyone’s pockets.
We use them for entertainment, sending messages, storing notes, taking photos, transferring money, and even “making phone calls,” which is what they were originally designed for.
Our phones have become an essential addition to our lives.
If you’ve ever physically lost your phone, you know that desperate feeling of checking all your pockets and bags and fearing…“Will someone be able to see my things?”
But a phone can be stolen, besides “physically,” in another way, through the phenomenon of SIM Swap.
SIM swapping, also called SIM jacking or SIM hijacking, is a form of identity theft in which a criminal steals your mobile number and assigns it to a new SIM card. It is then possible to insert the new SIM (effectively with your identity associated with your mobile apps) into a different phone to access accounts and impersonate the scammed person.
A SIM, for those who don’t know, is a subscriber identity module and is the small card with a removable chip used in a mobile phone. Each SIM card is unique and associated with a mobile account. You can remove it from your phone and insert it into another, and your phone number and account information will travel with it.
A SIM swap attack begins when someone impersonating you contacts your mobile operator, claiming to have a broken SIM.
In reality, this can actually happen when your SIM card is lost, broken, or you accidentally sold it along with your smartphone.
Most likely, your mobile operator will require some identity verification, such as your account PIN or security questions that You have set the last four digits of your Social Security number.
Once the criminal has convinced the mobile carrier’s customer service representative that you are the legitimate customer, they are able to reassign your phone number to their new SIM.
At this point, the criminal has essentially disconnected your phone number from the network and assigned it to their SIM card, which they then inserted into their device.
By “overriding” your SIM, the criminal can reset account passwords and take control of any two-factor authentication that goes on your phone via text message. (see WhatsApp, Telegram, etc.) and therefore it’s possible to access a multitude of accounts, emails, digital payment systems, social media, purchases, and so on.
Let’s get back to the details about your account PIN and the last four digits of your Social Security number.
How would someone know this information?
This is where things get interesting and illustrate the direction modern cybercriminals are taking with data breaches and leaks (which we’ll discuss next week in another article on RHC).
Over the years, thousands of data breaches have occurred, resulting in billions of records being stolen, including the Facebook data breach in April 2021 that impacted 533 million accounts. But you change your passwords constantly, so you’ll change yours in this case too. That makes you feel safe, right?
Not exactly.
While people are seriously concerned about their bank account and Social Security information being exposed in a data breach, they’re less concerned about their name, email address, or date of birth.
Yet, when put together, this is exactly the kind of information that poses a security risk to your bank, your medical records, your mobile carrier, and any online account. Here’s why.
As the amount of breached data grows, cybercriminals have become organized, linking the various data dumps together to create more complete pictures of each individual for later use. Consider the following scenario:
Here’s a simple table view of what they collected:
Cybercriminals can now link these records via your email address, which was common to all three, giving them a more complete picture of your information.
Let’s talk about your mobile account PIN. Do you remember it?
According to security researchers, there’s a high probability that your PIN is something easy to remember, such as your birthday, birth year, address, or zip code.
Looking at the table above, the cybercriminal now has that data, and it’s associated with your phone number. They can make some educated guesses about your PIN to gain access to your account.
If that doesn’t work, they might simply tell the mobile customer service representative, “Wow, I set up that PIN a long time ago and I have no idea what it is.” Very believable!
No problem, says the customer service representative, just tell me the last four digits of your Social Security number.
BINGO, the criminal has this data handy. SIM transfer takes a few minutes. Once this is done, you will be kicked out of your phone account.
You should be afraid of data scrapes just like data breaches.
This correlated information creates a very precise fingerprint of a person, using data that generally doesn’t change.
So every time someone says (yes, but the data is from 2 years ago), Tell him he’s talking nonsense, because this is very “fresh” data, and a lot of information can be correlated to recreate a very precise identity and hack a potential target.
Redazione