SIM swapping or SIM card cloning is a very practical system for hackers. They can access your bank account in just a couple of steps as they will have access to all of your personal information that they have access to through your phone card and you may not even be aware that they have a duplicate until it is too late.
Considering that many authentication services still send keys via SMS for two-step verification, you’ll understand why having access to your SIM is such a sweet tooth for cybercriminals.
How SIM cards are cloned
The scam is usually carried out in a short space of time, where the user or victim hardly has time to react because the phone is left without service and this can be attributed to a simple technical failure that the operator is suffering. The coverage disappears and the SIM is no longer operational. Attackers usually duplicate the SIM by phone by contacting the operator, or even going to physical stores with a false ID.
SIM Duplicate
Although our company should identify the holder in some way (personal questions, presentation of the DNI…) and ensure that the person who is processing the duplicate SIM is who they say they are, this security measure can be violated.
Once this happens, the attackers can find your bank through the mobile banking application that you have installed, or try the main banks and discard them until they find what it is. It will then call customer service saying that it has forgotten the password, it will send a new one to the phone number associated with the account and it will be able to essentially do anything that you could do, including transferring money, since the The only missing step is SMS verification and it will reach you on this new duplicate SIM.
How to avoid the duplicate scam
First of all, we would recommend following the signs that something is wrong. For example, when someone activates a duplicate of your SIM, the one you have is automatically deactivated, leaving you without coverage or, what is the same, without being able to make calls or connect to the Internet through mobile data. This would be the first symptom that should make you suspect that you may be a victim of SIM swapping.
Yesterday I suddenly lost my mobile line.
Call to @vodafone_es and they did not solve anything for me: “There is a problem in the network”, “Your line works perfectly”, I insisted on the problem and nothing.
When I left the cinema, I was still without a line. When I got home they had emptied my checking account.– Otto More 🐉 (@Otto_Mas) September 5, 2019
Also, if possible, try to avoid two-factor authentication via SMS and use options like separate authenticators instead. This would prevent them from receiving those codes by text message that validate transactions and other operations such as access to WhatsApp and all kinds of applications in which you may have saved payment methods.
If you notice that something is wrong and contact the operator, it is very important to ask to check the status of the SIM card. It is important to know the ICC of the SIM card to protect yourself from this type of attack, since in this way you will be able to verify the identity of what should be the only active SIM in your customer account.
If you discover that you have fallen victim to the SIM duplication scam, you should alert your bank and immediately change your access credentials to digital banking and other frequently used online services. You can also claim that the unauthorized charges be returned to you, by submitting the report to the police that you have previously processed. The regulations applicable in this type of situation establish that, in those cases in which an unauthorized payment operation is executed, the ordering entity is obliged to return the amount of the transaction instantly. The bank may only refuse if it can prove that it has acted fraudulently in a deliberate manner or there has been some negligence.
