SIM Hijacking and Port Out Scams Explained
With so many people nowadays carrying a mobile phone, it should come as no surprise that criminals have spotted many opportunities to take advantage of our devices. Mobile phone theft and even scams are nothing new. But one kind of scam that you may not be familiar with is that of SIM hijacking, or “port out” scams. What are they? Who’s affected? How can you protect yourself? That’s what we’re here to find out.
SIM Card Basics
Before we get into the scam itself, let’s first talk about the basic idea of a SIM card. A SIM, or subscriber identity module, is the little plastic card that fits into the back of your phone. As long as your phone is working, you probably don’t think too much about that SIM card. But it does something pretty important.
What your SIM card does is connect your phone to your mobile operator. It basically tells the operator that this phone is allowed to connect to that operator’s network. That means that you get service from, say, O2 if it’s an O2 SIM card. That little plastic chip is your ticket to mobile service.
That all seems simple enough. So how is it possible to scam a SIM card?
What is SIM Hijacking?
SIM hijacking and port out scams are more or less the same thing, though the method may vary a little depending on who’s doing the scamming. The basic principle is that somehow somebody gets control of your mobile phone number. They do this by hijacking your SIM card. There are various methods for doing this, but the end result is the same. The bad guy gets a SIM card that’s registered to your phone number.
You can probably already guess the basic consequence of this. Once a hijacker has a SIM card connected to your phone number, he can then use that phone number, therefore using a service that you’re paying for. However, there are other, more serious consequences that we’ll get to in a few minutes.
This scam hinges on one particular fact: no one phone number can have more than one SIM card attached to it. That means that as soon as the hijacker gets his hands on a new SIM registered to your phone number, your SIM stops working. But how does he get that SIM in the first place?
How Does it Work?
There are a few ways that a criminal can get his hands on a SIM card registered to your phone number:
The Port Out Version
The original version of this scam was known as the “port out” scam and it takes advantage of something that most of us think of as a convenience. If you wanted to change mobile operators, you’d probably want to take your phone number with you. Operators know this, so there is a system in place that allows you to take your number when changing contracts. You call your old operator and ask for a “Port Authority Code” or PAC. The operator gives you this code, and you give it to your new operator, which results in you keeping your old phone number with the new operator.
A wily criminal can use this to get hold of a SIM card registered to your number. All he has to do is get hold of your phone number. This generally isn’t difficult (just think about how often you’ve written your number down, used it to fill in an online form, or given it to someone you don’t know that well). Once he has your number, he’ll call your operator pretending to be you and will ask for that PAC. Then he’ll use the PAC to open a new contract with another operator using your phone number. He’ll get a new SIM card to go with that contract, and your current SIM will stop working. Bingo.
The Lost SIM
A simplified version of the port out scam is the lost SIM scam. In this version, the criminal simply calls up your operator (or hacks into your online operator account, or simply walks into a high street operator branch) claiming to be you, and saying that he’s lost his SIM card. In some cases, the operator will replace the SIM card, often for free, and again, the criminal has your phone number and your SIM stops working.
Bribery and Social Engineering
Alternatively, the criminal may simply bribe a customer service rep to hand over a new SIM. This happens, believe it or not. Or he might use social engineering, convincing a rep that he’s you by using the information he’s picked up about you online (again, easy considering how much info can be picked up from social networking sites). Or he might just luck out and get a rep that isn’t very good at his job and who doesn’t check ID properly. Any of these methods results in the bad guy getting a SIM card with your phone number attached to it.
What Are the Consequences of This?
So far you might be thinking that this sounds like a pain, but it’s not a huge deal. Okay, so someone has your phone number and is using your minutes, texts, and data. But all you have to do once you realise that your SIM isn’t working is to get a new one, right? Then the criminal’s SIM card will stop working. But… there are far more serious consequences than someone just stealing your phone plan…
All Your Information
Once a criminal has control of your SIM card and therefore your phone number, he then has control of everything that your phone receives. Calls, text messages, everything. And that can have some dire consequences:
Two-Factor Authentication
Many services nowadays require two-factor authentication. Your banking app, your email, even social network sites, may require that not only do you log in but that you then enter a code that’s sent to your mobile phone number. With someone else in control of your number, that means someone else gets that security code, and with a little work can use it to enter your banking site, or somewhere else.
Of particular concern is your email. By claiming to forget your password, the criminal can apply for a new password, use the code sent to your phone number to verify it, and then have full access to your email (locking you out in the process). Once he’s in your email, there are all kinds of things he can do. Just think about how much personal info he can find in your inbox.
Your Social Networking Sites
He can use a similar method to get control of your social networking sites, like Facebook, Twitter, and Instagram. Sure, he might play a few pranks on you, but he’ll also again have access to personal information. Even things as silly as your dog’s name, or your mother’s maiden name, are important. These things are often used as security questions, or even as passwords. If nothing else, this kind of information makes a criminal more believable if he’s pretending to be you…
Once a criminal has enough information about you, he can then build himself an identity, pretending to be you. And now there are no limits to what he can do. Maybe he’ll apply for a credit card in your name, or a loan, ruining your credit score. Maybe he’ll buy things online. Maybe he’ll steal money from your bank account or cryptocurrency account. The financial risk here is very real.
This isn’t just a matter of the inconvenience of having your phone not work for a day or so. There are some far-reaching and very serious consequences to SIM hijacking.
Who’s At Risk?
One of the scariest things about SIM hijacking is that there is no real risk group. We’re ALL at risk. Anyone who has a mobile phone, anyone who has a SIM card can be a victim. This isn’t a matter of being stupid, naïve, or foolish. It could happen to literally anyone. Criminals rarely deliberately target one person. They generally have long lists of phone numbers and try to gain control of all of them, and sometimes they get lucky. And their good luck could be your bad luck.
How Common is SIM Hijacking: Statistics and Facts
So just how common is SIM hijacking? It’s actually very difficult to get statistics on this, since many cases aren’t reported. You could be a victim without knowing what’s happening. In many cases, victims simply notice their phone isn’t working and replace the SIM card quickly, resulting in no real losses, and no official report. That means that actual numbers are likely to be higher than official numbers. However, there are some scary numbers:
- In January 2016 (the latest available data), the US Fair Trade Commission reported 2658 SIM hijacking events for that 31 day period alone.
- However, according to another US source, fewer than 1% of identity thefts are ever actually reported.
- In 2018, two American men were arrested for using SIM hijacking to attempt to steal $14 million in cryptocurrency.
- In UK cases, operator EE has been held responsible in two SIM hijacking attempts, and has announced increased security measures to try to combat the problem.
- Action Fraud UK has announced a 63% rise in SIM swapping fraud cases in 2017 versus 2016 (the latest data available).
- In 2018, an undercover investigation by Watchdog Live found that staff in mobile phone shops were NOT asking for appropriate ID when dealing with SIM swaps and replacements.
- In February 2018, US operator T-Mobile sent customers mass texts informing them about SIM swapping scams, but no UK operator has acted yet.
- Around 175,000 cases of identity theft were reported in the UK in 2017, and CIFAS (the Credit Industry Fraud Avoidance Scheme) indicates that identity theft is a rapidly growing problem.
- Financial Fraud Action UK reports that £29.6 million was lost in 2016 due to financial phone fraud, though this does include crimes other than SIM hijacking.
What are the Warning Signs of SIM Hijacking?
Fortunately, as long as you’re observant it’s easy to know if your SIM has been hijacked. If your phone suddenly stops working and will not get service, then your SIM card has stopped working (this could be due to reasons other than SIM hijacking, but the response should be the same). You may or may not get a message from your operator saying that the SIM has been blocked. You may or may not get a pop up notification on your phone saying that the SIM is not recognised. Either way, it’s time to act.
What to Do If You Suspect Your SIM Has Been Hijacked
If you suspect that your SIM has been hijacked, then there are a few simple steps that you need to take care of (in this order!):
- Call your operator and place a block on your number. At the same time, you can order a new SIM card.
- Go ahead and change all the passwords to all your accounts, including email, social media, online banking, online shopping, and everything else that you can think of.
- Check your bank accounts and credit card statements for any unauthorised charges.
- If you suspect that fraud has taken place, then report it to Action Fraud UK, the UK Police department responsible for financial fraud and cybercrimes.
- Apply for a credit report. You can get a credit report for free from any of the three UK credit reporting agencies (Equifax, TransUnion, or Experian). You should be able to see if any unauthorised loans or cards have been taken out in your name. Be aware that it may take some time for charges to appear, so re-check your credit report after a couple of months.
- Consider changing your mobile number, just to be on the safe side.
How Can I Protect Myself Against SIM Hijacking?
Protecting yourself against SIM hijacking isn’t easy, but there are a few things that you can do that will help keep you safe:
- Call your mobile operator and ask if you can put a passcode on your account (NOT on your SIM, on your actual account). This means that any time a customer service rep wants to access your account he or she will have to ask you for your passcode. Since a hacker won’t have this information, it will protect you. However, not all operators will allow you to do this.
- Don’t depend on text-message two-factor authentication alone to keep you safe. Some services, such as HSBC and Barclays, have voice authentication to access your bank account. Wherever possible, include additional security features such as passwords, security questions, and the like to try to protect your online accounts.
- Be vigilant. Keep a close eye on your bank statements, your internet history (including when things like email were last accessed) and your credit report. If you notice anything strange or unusual, then change all your passwords.
- Don’t assume that your phone not working is just a glitch. If you lose reception then get in touch with your operator’s customer service and ask what’s going on, putting a block on your SIM card if necessary.
- Consider downloading an extra security app like Authy or Google Authenticator. These add an extra step to your security and require you to enter not just a password to your protected account (such as your email), but also a code generated by the app. Since the app is tied to your actual phone, rather than to your SIM card, this should help keep you safer.
- Be careful with your phone number. Versions of this scam involve a criminal having your primary phone number. The more careful you are with your actual number, the harder it becomes to hijack your SIM. Wherever possible, don’t include your phone number in online forms or accounts, and be careful who you hand your number out to. If necessary, use a burner number app (such as Hushed or Swytch) to have a number that you can use to hand out or register that isn’t your actual phone number. Or consider using a dual SIM phone with a secondary number that's used for throwaway purposes.
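To show why a code generated by an authenticator app survives a SIM hijack while a texted code does not, here is an added example (not part of the original article) that implements the standard time-based code algorithm such apps use (RFC 6238) next to a toy model of an operator. The Operator class, SIM names, phone number and text message are constructed for illustration; the secret and time are the published RFC 6238 test values.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): depends only on the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Service side: accept the current 30 s step plus/minus `window` steps."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * 30), submitted)
        for i in range(-window, window + 1)
    )


class Operator:
    """Toy model (assumption): one number maps to exactly one active SIM."""

    def __init__(self):
        self.active_sim = {}  # phone number -> SIM id
        self.inbox = {}       # SIM id -> texts delivered to that SIM

    def issue_sim(self, number: str, sim_id: str) -> None:
        self.active_sim[number] = sim_id  # any earlier SIM stops receiving
        self.inbox.setdefault(sim_id, [])

    def send_sms(self, number: str, text: str) -> None:
        self.inbox[self.active_sim[number]].append(text)


def demo():
    operator = Operator()
    number = "+44 7700 900123"  # constructed number
    operator.issue_sim(number, "owner-sim")
    secret = b"12345678901234567890"  # RFC 6238 test secret, kept in the owner's app
    operator.issue_sim(number, "replacement-sim")  # number re-issued to a new SIM
    operator.send_sms(number, "Your login code is 493201")  # constructed text
    sms_reached_owner = bool(operator.inbox["owner-sim"])
    now = 59  # RFC 6238 test time
    app_code = totp(secret, now)  # still computable on the owner's handset
    return sms_reached_owner, app_code, verify_totp(secret, app_code, now)
```

The texted code follows the number to whichever SIM is active, while the app code needs only the secret stored on the handset. That protection holds only if the account does not also allow a code sent by text as a fallback or for password resets.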
SIM Hijacking: The Bottom Line
SIM hijacking is frightening because so much of it is outside your control. There’s actually very little you can do to completely protect yourself. And all of us are at risk. As long as you have a smartphone, you could find that you’re hijacked and that your financial business and even your identity are openly available to hackers. The best thing that you can do is be vigilant and be careful. That way, if you do happen to be hijacked, the damage will be minimized.