SIM Swaps 101


What is it, What to know, How do you protect yourself, and more!
- by 3NUM & Webacy

What is a SIM Swap attack?

A SIM Swap is a serious form of mobile fraud where a hacker tricks or coerces a mobile carrier employee into transferring a victim’s phone number to a SIM card controlled by the hacker. Once this happens, all incoming phone calls and SMS messages are routed to the hacker's phone, including 2FA codes, which they can use to access sensitive online apps including email, social media, and, more damagingly, crypto and banking accounts.

What Do I Need To Know About SIM Swaps?

At the most basic level, this attack is possible because phone numbers are ultimately controlled by a telco provider, and updating or reassigning a phone number from one user to another is trivial. Given this reality, users should never assume their phone number is “safe”, and should therefore refrain from using it with 2FA applications.

Other important considerations:

1. eSIMs

There is a general misunderstanding that eSIMs protect users from being SIM Swapped. This is not true. Assigning a phone number from one SIM to another happens regardless of whether or not a user has a physical or embedded SIM. Most phones sold these days use an eSIM, and the problem of SIM Swaps only seems to be growing.

2. SIM PINs

In the case where a hacker colludes with a telco employee, a SIM PIN will not protect you. Having a SIM PIN can protect you in the case where a hacker tries impersonating you with a telco. However, it is never a guarantee of protection, and should be treated as such.

3. VoIP Services

VoIP services like Google Voice do not rely on SIM cards. However, they are not immune from this problem. Google Voice and services like it allow users to port their number, which is effectively the same thing as being SIM Swapped. In fact, in the case where your number is ported from a solution like Google Voice, your only recourse is tracking down a customer service rep in time. Depending on your situation, that might be more difficult than tracking down an employee at your local telco store.

4. Device agnostic

The type of phone you are using is irrelevant to a SIM Swap. The attack is just as possible on an iPhone as on an Android, because the root of the problem is that telcos are able to reassign a user's phone number.

How Can I Protect Myself from SIM Swaps?

1. Stop using traditional phone numbers with services for 2FA

Traditional SMS-based 2FA is not secure. The most effective way to ensure you are protected is to remove your phone number as a backup from websites altogether.

2. Use more secure 2FA alternatives when possible.

Alternatives like Duo Security are far more secure than SMS 2FA. While they may be more cumbersome, you should always look to use a more secure option when possible.

3. Operate knowing that your phone number is vulnerable

At the end of the day, despite best practices, you should operate knowing that your phone number is vulnerable and should treat it as such.

4. Despite their limited value, enable as many “telco-provided safeguards” as possible

As we stated above, users should operate assuming telco safeguards like SIM PINs do not protect them from being SIM Swapped. That said, you are better off having them, knowing the protection is limited, than not having them at all.

5. Get a 3NUM Shield Web3 Mobile Number!

3NUM Shield Web3 Mobile Numbers are +1 mobile numbers that are transitioned into on-chain identifiers - and are fully controlled by a user's wallet. 3NUM Shields are Web3 native, anonymous and cryptographically secure. Once a mobile number has transformed into being Web3 native, the underlying number is incapable of returning to being a traditional phone number, which means it will forever be controlled by a user's wallet. 3NUM Shields can be used within the 3NUM App, which prioritizes end-to-end encryption and supports the existing telephony network, meaning you can securely use 3NUM for end-to-end encrypted Web3 messaging, text 5.5 billion mobile users, and receive wallet-secure 2FA codes that bypass SMS altogether and go into secure auth when possible.

Grab yours now for just .015 ETH per year: https://app.3num.co/mint

If a SIM Swap Has Compromised Your MetaMask and Other Wallets:

How do I know if my wallets are compromised before it’s too late?

The chance of getting hit with a SIM Swap is non-zero, and the time it takes to realize it can be the difference between a small compromise and a big one. With Webacy’s Wallet Watch, you’re notified of any and all interactions with your web3 wallet instantly. Wallet Watch is web3’s fastest notification system for all inbound/outbound transactions on your self-custodied wallets. If you receive notification of a transaction not authorized by you, use the Panic Button within Webacy to eject your assets to a safe designated backup wallet.

My device is compromised, there is a very high chance the attacker has access to my MetaMask or similar wallet.

With Webacy’s Backup Wallet and Panic Button features, you can eject all pre-approved assets to a secure wallet (if you still have access to your original wallet), or recover assets from your backup (if you lost access to your original wallet).

Is My Web3 Wallet Secure?

It’s important to stay up-to-date on your wallets' overall risk of being hacked. Whether you’re a patterned jpeg purchaser or a regular DeFi trader, you should conduct regular health and risk check-ins on your wallets.

Webacy also offers a Risk Score feature. The Risk Score takes into account numerous data entries, including open approvals, interacted dapps, interacted wallet(s), and more. Webacy’s Risk Score is also integrated into the entire dashboard, and adds intelligence to Webacy’s other services.

If you want to learn more about Webacy or 3NUM, visit their websites at:

Webacy: https://www.webacy.com/

3NUM: https://www.3num.co/

Follow on Twitter:

3NUM: https://twitter.com/3numdao

Webacy: https://twitter.com/mywebacy