THERE are some details you just cannot share on social media – or you could be putting yourself at risk of a devastating “SIM swap” attack, experts have warned.
In the wake of the M&S cyberattack in April, where SIM swapping is believed to have played a role, consumers have been warned that this breed of attack could also wreak havoc on their own personal lives.
SIM swapping is a form of fraud that is swiftly on the rise, according to a report published in The Conversation last month, co-authored by computer science professor Alan Woodward and secure systems lecturer Daniel Gardham, both of the University of Surrey.
Attacks rose by a whopping 1,055 per cent in 2024, according to the National Fraud Database.
SIM swapping was also allegedly used in the hacking of former Twitter CEO Jack Dorsey in 2019.
“Our mobile phone numbers have become a de facto form of identification, but they can be hijacked for nefarious purposes,” the pair wrote.
People typically have the same phone number for years – even after changing phones, losing their device, or having it stolen.
“When a user buys a new phone, or just a new sim card for a spare device they might have, they might call their service provider to transfer their longstanding mobile number to the new sim card,” experts explained.
“The problem is that the service provider doesn’t know if it is really them calling to transfer the number.
“Hence, they launch into a series of questions to make sure they are who they say they are.”
These security questions are used for all kinds of accounts, and often ask for the same information.
For example, “what is your mother’s maiden name?”, or “…the name of your first pet?”
But if someone else can work out the answers to those questions by stalking your social media, you are left at risk not only of SIM swap fraud but of other forms of hacking.
“The rise of social media has made it easier than ever for scammers to piece together what was once considered private information,” experts wrote.
“Suddenly, someone else can make and receive calls and SMS messages using your number.”
That means hackers can make calls at your expense. But it’s not just your phone number that can be stolen.
SIM swapping can be used to breach all your other accounts through the theft of two-factor authentication (2FA) codes.
Security experts recommend all consumers switch on 2FA for all their accounts.

Instead of just relying on a password, 2FA adds a second factor – like a code from your phone or biometric data like your fingerprint or face ID.
Woodward and Gardham added: “Remember when you created your email, bank account or even online grocery shopping account and you were encouraged to set up two-factor authentication (2FA)?
“You listened, but the system set your ‘second factor’ as your mobile phone number.
“You input your username and password, and it asks for a time-limited code that it sends to you as an SMS message.”
Now, if you have been a victim of SIM swapping, the hackers will receive your security codes instead of you.
This could potentially grant them access to all sorts of accounts, from your social media to your banking app.
It’s important to note that even with the risks of SIM swapping, 2FA should still be enabled on all your accounts.
In addition, however, experts are encouraging the use of passkeys – a passwordless login method that is supposed to be more secure.
Facebook just recently adopted passkeys as a safer alternative to passwords, but companies like Google and Apple have had them for a while.
“Efforts to improve login security have led to the rise of what are known as passkeys,” Woodward and Gardham explained. “Which are long sequences of random digits called cryptographic keys that are stored on your device, such as a smartphone or computer.”
Passkeys are used to log into your online account only when you unlock your phone through your PIN code, fingerprint or face ID.
WHAT ARE PASSKEYS?
Passkeys are the newer, safer passwords, according to tech companies and security experts.
They allow you to log into your accounts using biometrics like your fingerprint or face scan.
You can even use your phone’s passcode.
To sign into a website or app on your phone, all you need to do is unlock your phone.
This also works for websites on PCs and laptops.
If you’re trying to sign into a website on your computer, you just need your phone nearby.
You will be prompted to unlock your phone when trying to log into an account on your computer, which will then grant you access on the PC.
By using unique credentials tied to your phone or other devices, you make your accounts more resistant to phishing and other password-based attacks.
