The Ontario Provincial Police say that incidents are being reported.  “Fraudsters may empty your bank accounts, apply for credit in your good name, or impersonate you.  In the meantime, you lose access to your mobile service, are typically locked ou of your accounts, and are left scrambling.”

 

What is SIM Swapping?

SIM swapping is an attack in which your phone number is essentially stolen and attached to a different phone.  The attacker will impersonate you and call your mobile service provider to report a lost or stolen phone, then link your phone number to a new SIM card and device that they control.

Once the attacker has your information attached to their device, they can start gaining access to your other internet accounts.  They do this by “recovering” access to accounts (e.g. Google) by having password resets to the device.

How do you know if you’ve been SIM-swapped?

  • You will suddenly and unexpectedly have NO cell reception.  
  • If you are connected to Wi-Fi, you may receive emails from your phone carrier or password reset emails from various services.
  • On an Android phone, you may have “this account was added to a new device” notification.
  • On iOS or your Mac computer, you may have a “are you attempting to log in from X?” Where X is a geographic location such as Vancouver, BC.

What happens once they have your SIM?

The attacker starts “recovering” access to your accounts one-by-one, gathering data, personal information, passwords, and a list of products or services that you use.   I work with a number of companies and startups that use Google G Suite as their core suite of applications and cloud storage.  Here’s a short list of what an attacker could do:

  1. An attacker successfully gets your phone number on their device, allowing them to receive all of your incoming text messages and phone calls.
  2. The attacker attempts to log in to your primary Google account and clicks “Forget password?”
  3. The attacker can then click “try another way” and get a verification code sent to your phone number (which is now on their device).
  4. The attacker receives the message and resets your password and gains access to the Google account.

Now that the attacker has full control of your Google account, they can start resetting the passwords for your other business apps and accounts by having the new passwords sent to your email which they now control.  Take a minute and think about everything that is linked to your email.  

As a small business owner or startup, your email may not be your highest value asset.  If you use Google Chrome as your browser of choice, there is a great deal of information that can be harvested if you save information:

  • They can see all of your saved passwords by typing chrome://settings/passwords in the browser
  • They can see all of your bookmarks (which could give away all of the sites/apps that you use frequently) 
  • They can see your methods of payment: chrome://settings/payments

With G Suite as your primary solution, the attacker can access critical information throughout the apps.

Just think what you have stored in your Google Drive.  Do you have any scanned documents stored there such as your articles of incorporation?  Your banking information?  Your passport?  

What information do you keep in your Google Calendar?  Upcoming flights?

They can access all of your Hangouts messages.  

They’ll also be able to see all of your notes in Google Keep.  Do you store passwords there?

They’ll be able to log in and sync their Chrome browser to your Google account, giving them access to all Chrome extensions you have installed.

If you are using Google sites, they have access and the ability to edit, or redirect your domains.  They could also edit your websites.

And finally they will be able to access any sites that you use the “Log in with Google” button to log in to.

As a startup or business owner that uses G Suite as your core application suite, you can see how critical it is to secure your Google accounts and how everything is so interconnected and how your mobile device is the key to it all.  In future posts, I will outline what to do fall victim to SIM-swapping.