Defending against sim swap attacks

24 Oct 2023 20:46 | security

Although for most people it’s pretty unlikely, the thought of getting SIM-swapped is pretty scary.

This is where an attacker manages to convince your mobile carrier to transfer your number to a new SIM card that they control. When this happens, your original SIM card loses service and they obtain your number, along with any SMS OTP codes it’s configured to receive.

Unfortunately, despite many improvements in online security, there are still several providers who either rely on SMS OTP or make it a mandatory fallback option if your primary OTP mechanism doesn’t work. You’re only as secure as the weakest link, and nothing will stop an attacker from using the fallback mechanism if they can’t bypass your primary one.

As security paranoia is kind of my thing, I was musing over how best to mitigate this, and someone I work with had a great idea: use a second SIM card for OTP codes. Modern smartphones with dual-SIM support make this really easy. Simply add your second number with a PAYG SIM or similar and configure services to use it. It’s advisable to keep the number as secret as possible: only give it to websites that you really care about being secure, and use your primary number for everything else.

It’s also a good idea to use eSIMs if possible, as these cannot be removed from a device and placed in another phone. If you have to use physical SIMs, make sure you set a strong PIN code. Note that these two measures protect against someone physically taking your SIM; they don’t stop a carrier-side swap, which is why keeping the OTP number secret matters.