You get a ping on your phone, which is for an SMS that has the one-time password (OTP) to verify an online payment. Till now, experts have claimed that SMSes are hack-proof because they’re not on the internet.
However, it seems hackers have a found a way around it as well, and it’s called SIM-jacking. It’s similar to how hijacking works, except in this case, a person loses control of his/her phone.
The trouble is, they don’t even realise when this happens.
Read below to know everything about SIM-jacking – the latest form of digital attack – and what you can do to safeguard yourself from it.
What is SIM-Jacking?
To make you understand the attack in a simplified manner, folks at Adaptive Mobile Security have done their best with this report, highlighting all concerns and ill-effects.
According to them, the SIM-jacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the UICC (which is the SIM card) within the phone to "take over" the mobile phone, in order to retrieve and perform sensitive commands.
For this, the attacker, via the SMS (as seen above), gets access to the device location, and importantly the Cell-ID as well. With this, your device has been officially jacked by the attacker. The trouble is, you wouldn’t even know about all this, and won’t get any alerts of a possible mishap either.
During the attack, the user is completely unaware that they have received the SMS with the SIM-jacker attack message, that information was retrieved, and that it was sent outwards in a data message SMS - there is no indication in any SMS inbox or outbox.Adaptive Mobile Security post
AdaptiveMobile Security experts believe this vulnerability has been exploited for at least the last two years by a highly sophisticated group of attackers in multiple countries, primarily for the purpose of surveillance and they are now using it for stealing online accounts of an individual.
After this, the attackers now have access to your phone number, and the first thing they target is the mailing account, which is usually via Google in most cases. They try to login and if they are not able decipher the password, they resort to using the ‘recover password’ option via OTP received on your number, to get access to all your mails.
Attackers Know Everything About You
The most high-profile SIM-Jacking attack to occur recently, is of Twitter founder Jack Dorsey, whose account was hacked by a group called ‘Chuckling Squad’ a few weeks back. Responding to the misadventure, this is what Twitter highlighted as the issue:
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorised person to compose and send tweets via text messages from the phone number.Twitter statement on hacking of Jack Dorsey account
This ‘security oversight’ was nothing but a SIM-Jacking (also known as a SIM Swap) attack on Dorsey.
It’s worth noting these attacks primarily happen because most of the information on almost every person on the internet is easily available to anybody who’s looking for it. And these attackers make sure they have all the information they need of their intended target.
They send phishing mails which look legitimate, asking people to share confidential details that usually no company executive is supposed to ask.
With all this data, they call up the customer support for the mobile provider, impersonating the original owner, and coaxing the mobile provider to issue a SIM on the pretext of losing/damaging it.
By answering the security questions, they manage to get the new SIM and its number activated. This ensures, the original owner of the phone number loses access to his/her connection.
How Can You Avoid Getting SIM-Jacked?
What can you do to prevent this kind of attack on your phone?
Well, according to most experts out there, this attack is hard to track for now, which means, every user needs to be extra careful of using their mobile number, how to interact via SMS and how they keep all digital accounts secure.
Also, it’s worth pointing out that users should ideally fool-proof their security measures with telecom s as well. Which ensures, that no matter how much information the attacker has one you, it won’t be enough to get a new SIM issued on your number.
Some Security Measures
- Call your telecom provider and check if they offer an extra password lock option to keep you alerted of such mishaps
- Keep a regular check on mails for any ‘device/account access’ message, which wasn’t operated by you.
- Do not save confidential passwords, PIN numbers on mail
- Do not click on URL, website links that look suspicious (for this, make use of spam/phishing warning available on Gmail)
- Set passwords that are not 1234, or your date of birth to avoid easy intrusion of digital accounts.
But here’s some good news, the GSM Association (GSMA), which represents global telecom operators, has been informed about this attack.
Telcos and back-end technology providers for them have been asked to tweak their security parameters to prevent SIM-Jacking from becoming a bigger menace than what it is over the past couple of years.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)