Published in The Startup

How to Outwit a SIM Swap Fraudster

Locking your SIM, making your accounts accessible only on your devices, and other ways to avoid SIM swap fraud.

Photo by Paul Garaizar on Unsplash

The recent hack of Twitter CEO Jack Dorsey’s Twitter account using a SIM swap fraud has me worried. If a leader of the tech industry can be so easily hacked, how safe is an ordinary layman?

If your money is gone, it may be gone forever

What’s even more worrying is the case of a pensioner in Delhi who had ₹25 lakh or $35,000 stolen from his bank account. He was informed that he’s not entitled to any compensation. According to Indian laws, it seems banks and cellular operators are not responsible for his loss. Indian citizens have lost more than Rs 200 crores ($28 million) in cases related to SIM swap fraud.

Seems like there’s a sword of Damocles dangling over our collective heads, and we are all pretending it isn’t there.

Is there a fix for SIM swaps?

Yes, there is, but India and the US have not implemented it. All the government needs is a rule that bank transfers should not be allowed until three days after a SIM swap. This should be enough time to alert the SIM’s actual owner, as his number will stop working once a fraudulent SIM swap happens. But this can only work if a cellular operator sets up a system that lets a bank query phone records for any recent swaps on SIMs associated with a bank account. That way, banks can always check before they allow a money transfer. In fact, many countries in Africa, as well as the UK and Australia, have implemented such systems, and it has reduced SIM fraud massively.

I don’t understand why India is not doing it as we have the tech. If I sign up for a payment app like Google Pay, the app asks for my phone number. Then in a matter of seconds, the app will tell me the name of the bank that is linked to my SIM, as well my bank account number. If the banks can share that info with apps, then why can’t operators share info about SIM swaps with banks?
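Here is the bank-side check that proposal amounts to, as an added Python example (not any bank’s or operator’s real system): the operator lookup is a constructed dictionary standing in for the SIM-swap query service, the phone numbers and timestamps are made-up sample values, and the three-day window is the one from the paragraph above. It also fails closed when the operator cannot answer, which a bank deploying such a check would want.

```python
"""Bank-side cooling-off check for transfers after a SIM swap (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The three-day hold proposed in the post.
COOLING_OFF = timedelta(days=3)

# Constructed sample data standing in for the operator's SIM-swap query
# service: phone number -> time the SIM was last replaced (None = never).
OPERATOR_SWAP_RECORDS = {
    "+911234567890": None,
    "+919876543210": datetime(2019, 9, 2, 1, 15, tzinfo=timezone.utc),  # swapped at night
}


def last_sim_swap(phone: str) -> Optional[datetime]:
    """Simulated operator lookup; unknown numbers raise so callers fail closed."""
    if phone not in OPERATOR_SWAP_RECORDS:
        raise LookupError(f"operator has no record for {phone}")
    return OPERATOR_SWAP_RECORDS[phone]


@dataclass
class Decision:
    allowed: bool
    alert_customer: bool  # True when a recent swap should trigger a warning to the real owner
    reason: str


def authorize_transfer(phone: str, now: datetime) -> Decision:
    """Refuse SMS-OTP-authenticated transfers inside COOLING_OFF of a SIM swap."""
    try:
        swapped_at = last_sim_swap(phone)
    except LookupError as exc:
        # No answer from the operator: refuse rather than assume the SIM is clean.
        return Decision(False, False, f"SIM-swap status unavailable ({exc})")
    if swapped_at is None:
        return Decision(True, False, "no SIM change on record")
    age = now - swapped_at
    if age < COOLING_OFF:
        remaining = COOLING_OFF - age
        return Decision(False, True,
                        f"SIM changed {age} ago; hold transfer for {remaining} and notify the customer")
    return Decision(True, False, f"SIM change is {age} old, outside the cooling-off window")


def check_at(phone: str, iso_now: str) -> Decision:
    """Convenience wrapper taking the current time as an ISO-8601 string."""
    return authorize_transfer(phone, datetime.fromisoformat(iso_now))


if __name__ == "__main__":
    for phone in OPERATOR_SWAP_RECORDS:
        print(phone, check_at(phone, "2019-09-03T09:00:00+00:00"))
```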

Self-defense is our only defense

I was hoping that the coming of e-SIMs might help us avoid this issue. But it looks like they could be just as insecure, and they have not yet gone mainstream. It seems it’s up to us to figure out how to take additional precautions if we are forced to use our mobile phones as authentication devices.

You may say you keep very little money in your bank account. But that’s irrelevant. Why should you allow anyone to steal even a penny from you?

Now I’m a layman, and the rest of this post is all that I learned on my own, and the simple steps I have taken to avoid becoming a victim of SIM swapping. If I could do it, so can you.

How to avoid being a victim of SIM swap fraud

There are many SIM Swap victim stories on the net. I picked this one because the victim is tech-savvy (a crypto attack is similar to a bank account attack as both involve stealing money from online digital vaults). To go straight to his experience, watch from the 3.30 to the 6-minute mark.

However, the video didn’t answer my questions on how to avoid being a victim of SIM swap fraud. This post is the result of my search for those answers, and is in the form of a simple, yet comprehensive plan (with four increasing levels of difficulty) to avoid being a victim of SIM Swap fraud.

Most of India uses its phones to go online

SIM swapping is a serious issue in India as the Indian banking industry mostly uses cell phones as the secondary device for its two-factor authentication system. For instance, if you want to transfer funds from your bank account, you need an OTP (one time password) that is sent to your phone via SMS. On the surface, it seems a good idea as the OTP changes for every transaction, unlike a banking password which often remains the same for ages.

SIMs are not designed to be security devices

In reality, this system has some serious loopholes, simply because a phone SIM was never meant to be used as a security device.

Let me explain with the analogy of a household safe. The safe has only one door and one key. Unless a thief has that one key, he can’t unlock that safe.

Now imagine if that safe has infinite doors and infinite keys. That’s a SIM. If a hacker successfully does a SIM swap, he can create his own key (an OTP) and use his own door (his device) to enter the safe and steal your money.

Stay away from SIM OTP verification

As a SIM card is insecure by nature, the best way is to totally remove it from anything related to security. For instance, my Gmail used to have my phone number linked to it. This meant that if I forgot my password, Google would send an OTP to my phone, using which I could access my email account. But this also means that a SIM swapper can hack my email with those same OTPs.

So what I did was delink all of my email IDs from my phone numbers. Google no longer gives me an OTP option to access my email. I have instead asked them to rely on verification OTPs generated by my phone (the device itself, not the phone number) and my other emails. More about this later.

India is changing but it will take time

In India, the entire online financial system mostly runs on SIM OTPs, with most transfers from bank accounts having to be authenticated by OTPs.

Fortunately, things are changing. SBI, the country’s leading bank, gives an option of generating OTPs from an app, which is linked to your device and not sent via your SIM. The UPI system of money transfer also avoids SIM linked OTPs in favor of app-generated codes. But a transaction limit of Rs 10000 a month limits the utility of the system, and UPI may have its own issues.

Hopefully, other banks start following SBI’s lead, and SIM OTPs get removed from the financial transaction security loop. But till that happens, we will have to try to minimize the areas in our lives, where SIM-based OTPs work.

How is a SIM swap done?

There are many ways a SIM swap fraud can happen. The hacker usually hacks your email or social media like WhatsApp or Facebook to find basic information about a customer like his name, his address, phone number, pet’s name, where he studies, works, family details, and important dates (like birth and marriage). After that, he uses his hacking skills to get details like your ID, banking user ID and password, and so on. He uses these to create false IDs, get a duplicate SIM card issued from your cellular operator, and finally intercept your OTPs. Sometimes a SIM swap can be as easy as bribing someone at your network provider to get access to your details and apply for a new SIM. Hackers have also begun using malware on cellphones to extract user info or redirect users’ OTPs to their own phones.

Anyway, once the fraudster convinces your operator, they deactivate your existing SIM and issue a new working SIM with your number to him. The catch is that your phone will go dead for a few hours, and this is likely to alert you. To avoid tipping you off, the hacker usually does the process at night and gives you multiple missed calls in the middle of the night till you mute or switch off your phone, at which point he begins the activation.

The rest is simple. Since the fraudster has already hacked your bank account, he now logs in and initiates a funds transfer to his bank account. The bank sends an OTP to verify the transaction to your phone number. As the fraudster has hijacked your SIM, he gets the OTP, and not you, and he transfers the money out of your account. By the time you realize your phone is dead, your bank account will have been emptied.

So how do you safeguard your SIM?

Multiple locks are one way to stay safe

The obvious thing to do is to make it hard to hack my phone. To continue with the analogy of a safe, I want multiple locks on my safe. So if a hacker opens one of those locks, he will still not be able to open the safe. And that may alert me, and give me time to prevent the theft. So increasing the level of difficulty to hack my phones is essential. After digging around, I figure that there are four increasing levels of security to protect my phone.

Level 1: Locking the SIM

In India, SIM cards come unlocked by default. I don’t really know how effective SIM locking is. But following the principle of ‘Something is better than nothing,’ I decided to figure out how to do it. Here’s what I learned, and this is only for India. Other countries have similar systems and here’s a sample.

Caution: Before you try locking your SIM, please be aware that a few wrong steps can erase the data on your SIM. In India, if you decide to change your SIM pin, the networks allow you three attempts to enter the right pin. If you get it wrong, you get a further 10 attempts to enter the SIM’s PUK number (pin unblocking key). After 10 wrong entries of the PUK, your SIM will be erased. That’s right. Your SIM will stop working. You will have no option but to replace it by visiting your network provider with your ID. That’s why networks keep a SIM unlocked by default. So please don’t try this unless you have your SIM card’s PUK numbers.

SIMs in India come unlocked, but have a default PIN. You can’t lock the SIM unless you know this PIN. The default PINs are set by the network provider, and so vary from network to network. On googling it, I found that it’s usually ‘0000’ or ‘1234’ for most service providers in India.

However, I was curious about how to get the PUK in case I didn’t know the default PIN. A bit more digging around told me it would be there on the original SIM packing. But I had thrown that away. The alternative for the Jio network is to register your Jio SIM on the Jio website, give your details, and then request your PUK from Jio.

To do this dial 199 from your Jio SIM, and follow the instructions.

Or follow these steps:
  1. Dial 199 and enter 2 for English.
  2. To skip the recorded rubbish, type 6.
  3. IVR will say you have typed an invalid code.
  4. Type 1 for repeat.
  5. Then 6.
  6. Then 2 for PUK.
  7. IVR will ask for your DOB in ddmmyyyy.
  8. Next it will ask for your Jio phone number.
  9. After which, it will recite your 8-digit PUK.
  10. Type 0 to repeat, and verify you got it right.

After this, go to your phone settings and change the SIM PIN. In my iPhone 6S+ running iOS 13, I found the SIM PIN in ‘Settings’ under mobile data → SIM PIN. See below.

On my Android (Poco F1, running MIUI 10, an Android Pie fork), I had to go to settings → additional settings → privacy → sim lock. It will be something similar in most Android forks. Or you could just ‘search’ for sim lock in settings. See below.

So I started the process on both my phones, and entered ‘0000’ for my Jio SIM. The phone rejected it and said I had two more attempts. I put in ‘1234’ and it worked. There was an option to change the default pin. As the pin can be longer than 4 numbers, I changed my SIM pin to a longer one. The longer it is, the harder to hack.

After changing the pin on both phones, I was a bit puzzled. Nothing seemed to have changed on either phone. Had I gone on a wild goose chase?

I tried restarting my phone, and there it was. A new SIM lock screen pops up after the regular lock screen on my iPhone (it also appears before the regular lock screen on my Android, but I couldn’t get a screenshot as nothing works on an Android until I unlock the SIM). But you can see the iPhone version below. The Android version looks similar except it’s a black screen on my phone. Notice how the ‘Locked SIM’ icon on the top left changes to the network’s name once I unlock the SIM.

Is an extra lock screen worth it?

I know it’s an extra effort to memorize one more passcode. Since my Android has dual SIMs, I have to enter both SIM lock pins and the lock screen code before I can use my phone. But since I had already mentally prepared myself for multiple locks, I was fine with this. In any case, I have to do this process only when I restart my phone, which happens rarely. But then again, I like to imagine the look on a hacker’s face after he’s gone to a lot of trouble to steal my SIM, only to realize my SIM is locked with a password that’s locked inside my head. Just the thought makes it worth it.

Does the SIM lock have a loophole?

Sadly, the answer is yes. SIM locking provides an extra level of security for your phone data in case a thief steals your phone, as he will need to crack the SIM lock in addition to your phone lock. But it will not work against a hacking attempt by a SIM swapper.

I wasn’t aware of this till a reader, Abhay Bhatt pointed out that SIM locking is tied to the SIM card, and not the mobile number. This means if a hacker manages to get a duplicate SIM issued, it will come unlocked.

I can think of three other ways to get around SIM locking. A hacker could simply bribe an employee of the operator to give him the PUKs (Pin Unblocking Keys) to my SIM, which would enable him to bypass my SIM PIN (this may have been the case in the video I linked above).

A second way is if my phone is stolen, the hacker can remove the SIM, and use the 19 digit ICCID number engraved on the SIM to get the PUK and unlock the PIN. I don’t know how it works, but people keep telling me it can be done. As I said, a SIM was never meant to be a security device.

A third way is if the hacker has already hacked my Jio.com online account and my email. All he has to do is make a request to Jio from within the Jio.com account. Jio will then send my SIM’s PUK numbers to the email registered with them. Using this, the hacker can successfully do a SIM swap.

Looks like SIM locking by itself may not be enough to put off our hacker. I need to double down on securing my email, which is the weak link.

Level 2: Double locking my accounts

The technical jargon for this is 2FA or two-factor authentication.

This is when your account, say email, can only be unlocked if you have two codes. The catch is you know only one of these codes. The second will be sent to you on request. The first is your password. The second is an OTP that is sent to one of your registered devices, whenever you try to access your account. This means a hacker can’t access your account with just a password. He needs the OTP too. Two factors.

Google has been pushing me all these years to go in for 2FA. I’ve ignored them as it seemed a bit of a hassle to set up and to use. But seeing how my locked SIM can be unlocked by accessing my email, I finally decided it was time to upgrade my primary email’s security to 2FA.

I’m doing the process on my phone. It’s not too complicated but here are the steps anyway. If you are on iOS, you will need to download the Gmail app.

Caution: Once you set up 2FA, accessing that account can sometimes be a pain. For instance, last night the Apple Mail app on my iPad was unable to access my freshly 2FA-ed Gmail account. It asked me to go into settings and re-enter my password. I did so and was sent an OTP on my phone. For some reason, the OTP didn’t come through for 10 minutes. It’s not really a big deal as I could access my email on the Gmail app on my iPad as well as on my phone. But all the same, it was a hassle till the OTP arrived and things fell into place. My only consolation was that if it had been a hacker, he would probably have gone nuts.

Anyway, first, I sign in to my Google account on my phone’s browser (I’m using Chrome here). Then I tap on my profile pic in the right top corner, choose the email account I want to protect, and tap on ‘Manage your Google Account.’ In the next screen, I swipe to the ‘Security’ tab, and then scroll down to where 2-Step Verification shows as ‘off’ and tap on it to toggle it on, and finally tap the ‘Get Started’ button.

After I verified my email by entering my password, Google next offered to let me use my phone (the number linked with my Gmail account) as the second sign-in step. To verify that it was I who was doing all this, Google then sends a ‘Google prompt’ to all the devices on which I am currently signed in on that Google account (in iOS devices, the prompt only comes within the Gmail app, probably because Apple will not allow such prompts at an iOS system level). After I confirm by tapping on the ‘Yes’ button, Google asks me for a second phone number as a ‘backup option’ in case I lose my phone.

At this point, I noticed that Google was also offering an alternative backup option. So I click on it. This option turns out to be a series of ten 8-digit backup codes, each of which I can use once. I preferred the backup phone option (for now) as I was quite likely to misplace those codes. So I entered my second phone number, and clicked on ‘send.’ Google sends me an OTP to check if the backup number is working. Once I confirm this, Google informs me I will stay signed on in the three devices where I’m currently signed in. To sign in on any other device, I will need to do a two-factor authentication.

To confirm, I try signing in to my email from my old Mac laptop and am asked to check my Android device where a prompt has been sent.

I go to my Android and I find a ‘Google prompt’ similar to the one I got in the previous step of setting up the 2FA. I tap ‘yes’ on that prompt, confirming it’s me who signed in on a Mac in ‘XYZ’ place at ‘XYZ’ time. Only after I do this am I allowed access to my email on my old laptop.

My email is now double-locked, firstly, with a password I know, and secondly, with an OTP or Google prompt that is sent to one of my devices.

Feels good, but…

Does 2FA have a loophole?

Ok, I’m now getting into a paranoid level. But I have always lived on the principle that ‘If you are going to do something, then do it well.’

My first issue is unrelated to hacking. What if I have access to WiFi but there’s no cellular network for some reason? Will I be locked out of my email? It’s not that remote a possibility. I experienced just this recently while traveling in Ladakh in the Himalayan mountains, where the cellular network is poor. Or what if I lose my phone? Will I be stuck till I get a new SIM?

However, the weak link is still the SIM OTP, which can be used to break the 2FA if the hacker already has the password to my email.

There are possibilities, and though they are remote, they are known to happen. What if the hacker hacks my cellular network provider’s database, and gets the PUKs for a whole bunch of phones, including mine? He can crack my SIM pin in no time. Or what if someone uses his birthday as his SIM pin? People do it all the time, and hackers know that.

Let’s assume the hacker has somehow hacked my SIM. Is there a way I can still stop him?

Can I add another level of difficulty? I believe I can.

Level 3: Restricting my accounts to my devices

Going back to that analogy of a phone SIM being like a safe with infinite keys (OTPs) and infinite doors (devices), the idea here is to restrict entry to one or two doors (devices).

Authentication Apps

This category of apps works by checking if the device being used to access my account is one that I have approved. If it’s not, access to my account is denied. In short, the app locks my account to my device and not my SIM. This means that even if the hacker has hacked my SIM, and has my OTP (the keys to my safe), he can’t get into my safe as it can be accessed only on the device approved by me. In this case, it’s my phone (one door).

If I do this, the only way a hacker can steal my money is if he can:
- hack my bank account user name and password
- take over my SIM
- hack my SIM lock pin
- crack my phone’s lock screen pin
- and finally, steal my phone

The odds are now definitely more in my favor. The question is, can this be done? The answer is no and yes.

No, because most Indian banks still work with OTPs.

Yes, because SBI, India’s largest bank has an authentication app that links OTPs to my phone, rather than my SIM.

SBI Secure OTP app

SBI is India’s largest bank and used to have a reputation for being inefficient, but they are making efforts to change. In theory, the idea behind its app, of delinking OTPs from SIMs, is conceptually sound.

But in reality, the SBI app is often glitchy, gives error messages, and asks you to try later. My guess is SBI, being a public sector bank, prefers to err when in doubt, rather than let a fraudulent transaction happen. That may make SBI safer, but it means you can’t always rely on the app to work (see the app’s reviews on iOS or Google Play Store). However, I like the concept so I use the SBI app. But I also have a second bank account with a private sector bank as a backup, as they tend to be more reliable.

Anyway, what this app does is remove the SIM from the equation. I first need to download and register this app, which strangely enough is done by OTP via SMS. After this is done, whenever I do a transaction in my account and it asks for an OTP, I know it won’t be coming by SMS. So I log in to this app on my phone and tap on the ‘Get Online OTP’ option. It generates an OTP, which I then use to complete the transaction. I’m using the ‘Online OTP’ option, where your phone has to be online. SBI also has an offline OTP option, where you are given an 8-digit number when you attempt to do an online transaction. You enter that number in the app, and it generates the OTP, without the need for your phone to be online.

As OTPs are not being sent via SMS, a SIM swap is now useless for a hacker. Even if he has accessed my bank account, he can’t transact or steal my money despite having hijacked my SIM.

I must add that I’m not sure that this app is foolproof. As you can see in the last screen, I can change my phone by clicking on settings, deregistering my existing phone, and registering a new one. So if this is possible, maybe a hacker who has access to my bank account could delink my phone and register his phone to run that SBI Secure app, and get the required OTP. Or for that matter, he could just switch back to the OTP by SMS mode.

But I haven’t heard of anything like that happening, so maybe SBI has figured out how to prevent that.

Oddly enough, SBI itself provides a way to bypass the SBI Secure app. You just have to download SBI’s YONO app and link it with your phone. You can then transfer funds with an SMS OTP. This happens even after you have clearly indicated in your online SBI account that you want to disable OTPs and stick to the SBI Secure app OTP. This loophole does not exist on the SBI YONO Lite app, so the solution would be to discontinue the YONO app. But who’s going to bell the cat?

Authy

Though I haven’t been able to figure out how to use authentication apps with banks other than SBI, I have found that you can use authentication apps to lock down your other accounts like Google, Amazon, and Dropbox. So why not? The more locks, the better.

Normally, I would have gone with the Google authenticator app. But it seems the app doesn’t provide a backup option. This means if the device you install the app on crashes or is lost, you will be locked out of those accounts you protected and will have to manually and laboriously unlock each of those accounts. I don’t really understand how it works, but what I understood was enough for me to avoid the Google authenticator app.

So I tried the Authy app, which allows an online backup option. Setting up your phone as an approved secure device isn’t too complicated. You download the app and open it. Setup automatically starts. You enter your phone number, receive an SMS OTP, and that’s it. Here’s how I did it on my Android.

Adding devices

After setup, the app asks to install an account to be protected. But I quit the app as I wanted to first add my iPhone and my iPad to the list of approved devices. Again, the process was simple as shown below for my iPad. Download app, install, choose the option to verify… and the device is added.

Adding accounts

Next I decided to try to add a Google account to Authy on my Android. The ‘add account’ function is buried in the three dots on the top right of the app (screenshots are disabled on this page). The steps were simple. The app asks you to scan the QR code from the Google site and allow Authy to use your camera to do this. Once the QR code is scanned, the account is added to your protected accounts.

However, there were a few hiccups along the way as that QR code wasn’t easy to locate. I had to dig deep into Google before I found it. Here’s what you need to do. First, sign in to your Google account, and go through the process to turn on 2-step verification (see the previous section). After you tap on the ‘turn on’ button, 2FA will be turned on, and the next page will display a ‘turn off’ button. The authenticator app option is hidden on this page; scroll down and you will see it.

Tap on ‘set up’ in the authenticator app section. You will be asked what kind of phone you want to install the app on. I was doing it on the Android, so that’s what I tap on. And finally, we get to see the elusive QR code.

But there’s still an issue. If I was setting up Authy on another device, then I can just scan the QR code from my Android’s screen. But in this case, I’m setting up Authy on my Android itself, so it’s obviously impossible to use my Android’s camera to scan the QR code. What I have to do is tap on ‘Can’t scan it’ below the QR code. That takes me to a new page where I’m shown a key. I copy it, go back to the Authy app, tap on the three dots, and then choose ‘Add account.’ On the next page, instead of scan QR code, I tap on ‘enter code manually.’
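The two device-bound mechanisms this level relies on, SBI’s offline challenge code described earlier and the authenticator key behind Google’s QR code, both rest on the same HMAC-based one-time-password construction. Here it is as an added Python example that is not SBI’s, Authy’s or Google’s code: the challenge/response flow is an illustrative scheme, not SBI’s published algorithm, and the device secret and challenge are constructed values; the TOTP part uses the RFC 6238 test key and accepts the key in the spaced form Google shows when you tap ‘Can’t scan it.’

```python
"""Device-bound one-time passwords (added example, not SBI's, Authy's or Google's code).

Both flows use the HOTP construction from RFC 4226: HMAC-SHA1 over a
message, dynamically truncated to a short decimal code. What changes is
the message and where the secret lives; in neither case is the SIM involved.
"""
import base64
import hashlib
import hmac
import struct

DIGITS = 6


def hotp_truncate(key: bytes, message: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 section 5.3: HMAC-SHA1, then dynamic truncation to `digits` digits."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int) -> str:
    """Counter-based OTP: the message is the 8-byte big-endian counter."""
    return hotp_truncate(key, struct.pack(">Q", counter))


# --- Flow 1: challenge/response, like the "offline OTP" described above -----
# At registration the app and the bank share a per-device secret. A SIM swap
# moves the phone number to the attacker, but not this secret. Illustrative
# scheme only; constructed sample values, not SBI's published algorithm.
DEVICE_SECRET = b"constructed-device-secret-from-registration"  # random in practice
SAMPLE_CHALLENGE = "48213907"  # the 8-digit number the bank shows on screen


def device_response(device_secret: bytes, challenge: str) -> str:
    """App side: turn the challenge typed into the app into the OTP."""
    return hotp_truncate(device_secret, challenge.encode("ascii"))


def bank_verify(registered_secret: bytes, challenge: str, otp: str) -> bool:
    """Bank side: recompute with the registered device secret and compare safely."""
    expected = hotp_truncate(registered_secret, challenge.encode("ascii"))
    return hmac.compare_digest(expected, otp)


# --- Flow 2: TOTP (RFC 6238), what Authy computes from the key behind the QR code
RFC6238_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"


def totp(base32_key: str, unix_time: int, step: int = 30) -> str:
    """Time-based OTP; accepts the key as shown by Google (spaces, any case)."""
    key = base64.b32decode(base32_key.replace(" ", "").upper())
    return hotp(key, unix_time // step)


def totp_verify(base32_key: str, otp: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and `skew` neighbours on each side for clock drift."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(base32_key, unix_time + delta * step, step), otp):
            return True
    return False


if __name__ == "__main__":
    otp = device_response(DEVICE_SECRET, SAMPLE_CHALLENGE)
    print("challenge", SAMPLE_CHALLENGE, "->", otp,
          "verified:", bank_verify(DEVICE_SECRET, SAMPLE_CHALLENGE, otp))
    print("TOTP at t=59 with RFC test key:", totp(RFC6238_TEST_KEY, 59))  # 287082
```

The values `755224` and `287082` for counters 0 and 1 are the published RFC 4226 test vectors, so you can check the truncation against a real authenticator app by entering the test key.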

One last precaution. There is a possibility that someone can hack the Authy account, and add his device and thus get access to my accounts. To prevent this, I go to my Authy app, find my way to its settings, tap on the ‘devices’ tab, and then turn off the option to ‘allow multi-device.’ Now even if a hacker accesses my Authy account, he will not be able to add his device.

One last step. I need to delink and remove my SIM number from my email accounts, as I had relinked my SIMs to my email while writing this post.

We are finally done. My account is now secured and can only be opened on my devices.

Level 4: Restricting access to a physical key

This is the final level that I could find. It’s basically two-factor authentication, except that the second factor is an actual physical device, without which you will not be able to access your accounts. It’s sometimes given by a service provider, like say a bank. There are two ways in which it works.

The first is a key that you plug into your device, without which you will not be able to access your accounts on that device. It usually plugs into the USB port. So we are talking of laptops and desktops mainly, though some mobile devices do allow USB access.

The second is a tiny code generator that gives you a code which you need to enter along with your password. I have used this thingy when I had an account with HSBC. Though it’s secure, I was always worried I would lose it.

A few more tips to stay safe

  1. If your phone’s network is out of coverage for an extended period of time, check with your service provider. If they say your SIM is active and being used, a hacker could have done a SIM swap on you.
  2. Make sure your SMS notifications don’t show on your lock screen. If a thief steals your phone, then he can get your OTPs even without unlocking your phone.
  3. Don’t use your phone number on social media if possible. I have an old number on my Facebook, and I refused to update it on the site despite repeated nags to do so. Facebook actually knows my current number as it’s linked to my WhatsApp, which Facebook owns. But they can’t just go and update it in my account, can they? (I still need to remove that number just to avoid my FB account being taken over)
  4. Check your bank account statement regularly, and make sure you are registered for email alerts in addition to your SMS alerts. This has to be your primary email account so you don’t miss the alerts.
  5. If you have elderly family members with bank accounts who do not keep an eye on them, use your email on their accounts. This can be an issue if you both have accounts with the same bank. That’s because your email can only be linked to one account in that particular bank. One workaround is to use an alias. So if your email is johndoe@gmail.com then you can use johndoe@googlemail.com for the second account. The bank will see it as different emails and accept it, but the alerts will both come to the same email.
  6. Avoid keeping your IDs and important documents in your email or cloud accounts. This includes that 19-digit SIM number on the back of your SIM card. If you absolutely need to store documents online, then make sure these accounts are securely locked to your device.
  7. Use a password manager app like Lastpass to store all your passwords, and manually access it. Obviously, the master password to your password app should not be one you have used anywhere else. I know Apple already stores passwords in a similar service built into their devices, which is supposed to be encrypted and all. Google also does the same. But the thing is your system also has access to these services across many apps. So I have the same ‘too many doors to my safe’ worry. Or maybe I’m just being a paranoid android.

Related posts:

I have written a couple of companion articles to this post. The one below is for those who are worried about handing over all their passwords to a digital password manager. It illustrates how I manually created a password that’s easy to recall but at the same time is very strong.

The second one is about a couple of close shaves that I had with phishers.
