Defending against SIM swap attacks

24 Oct 2023 20:46 | security

Although it is unlikely to happen to most people, the thought of being
SIM-swapped is scary.

This is where an attacker convinces your mobile carrier to transfer your number
to a new SIM card that they control. When that happens your original SIM loses
service and the attacker receives everything sent to your number, including any
SMS OTP codes your accounts are configured to send to it.

Unfortunately, despite many improvements in online security, several providers
still either rely on SMS OTP or make it a mandatory fallback if your primary OTP
mechanism doesn't work. You're only as secure as the weakest link, and nothing
stops an attacker from using the fallback if they can't bypass your primary
mechanism.

As security paranoia is kind of my thing, I was musing over how best to mitigate
this, and someone I work with had a great idea: use a second SIM card for OTP
codes. Modern smartphones with dual-SIM support make this easy. Add a second
number on a pay-as-you-go (PAYG) SIM or similar and configure services to send
their OTPs to it. Keep that number as secret as possible: give it only to the
sites you really care about securing, and use your primary number for everything
else. The number's secrecy is what you are relying on. An attacker cannot ask a
carrier to port a number they don't know, but if it leaks, it is just as
swappable as your primary one, so where a provider lets you drop SMS as a
fallback entirely, do that first.

It's also a good idea to use eSIMs where possible, as these cannot be removed
from a device and placed in another phone. If you have to use a physical SIM,
set a strong SIM PIN (the PIN the SIM itself prompts for at boot, separate from
the phone's lock code). Both of these protect against someone who has physical
possession of your phone or SIM; they do nothing against the carrier-side
transfer described above, which is why keeping the second number secret matters.