Beware of SIM-Jacking: Losing Access to Your Phone is an SMS Away


Your phone pings with an SMS carrying the one-time password (OTP) to verify an online payment. Until now, experts have claimed that SMSes are hack-proof because they’re not on the internet.

However, it seems hackers have found a way around that as well, and it’s called SIM-jacking. It’s similar to how hijacking works, except in this case, a person loses control of his/her phone.

The trouble is, they don’t even realise when this happens.

Read below to know everything about SIM-jacking – the latest form of digital attack – and what you can do to safeguard yourself from it.

What is SIM-Jacking?

To explain the attack in simple terms, the folks at AdaptiveMobile Security have done their best with this report, highlighting all concerns and ill-effects.

According to them, the SIM-jacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the UICC (which is the SIM card) within the phone to “take over” the mobile phone, in order to retrieve and perform sensitive commands.

Via the SMS described above, the attacker gets access to the device location and, importantly, the Cell-ID as well. With this, your device has been officially jacked by the attacker. The trouble is, you wouldn’t even know about all this, and you won’t get any alerts of a possible mishap either.

After this, the attackers have access to your phone number, and the first thing they target is the mailing account, which is usually with Google in most cases. They try to log in, and if they are not able to decipher the password, they resort to the ‘recover password’ option, using the OTP received on your number, to get access to all your mails.

Attackers Know Everything About You

The most high-profile SIM-Jacking attack to occur recently is that of Twitter founder Jack Dorsey, whose account was hacked by a group called ‘Chuckling Squad’ a few weeks back. Responding to the misadventure, this is what Twitter highlighted as the issue:

This ‘security oversight’ was nothing but a SIM-Jacking (also known as a SIM Swap) attack on Dorsey.

It’s worth noting that these attacks primarily happen because most of the information on almost every person on the internet is easily available to anybody who’s looking for it. And these attackers make sure they have all the information they need about their intended target.

They send phishing mails which look legitimate, asking people to share confidential details that usually no company executive is supposed to ask for.

With all this data, they call up customer support at the mobile provider, impersonate the original owner, and coax the provider into issuing a SIM on the pretext of the original having been lost or damaged.

By answering the security questions, they manage to get the new SIM and its number activated. This ensures that the original owner of the phone number loses access to his/her connection.

How Can You Avoid Getting SIM-Jacked?

What can you do to prevent this kind of attack on your phone?

Well, according to most experts out there, this attack is hard to track for now, which means every user needs to be extra careful about how they use their mobile number, how they interact via SMS and how they keep all digital accounts secure.

Also, it’s worth pointing out that users should ideally fool-proof their security measures with telecoms as well. This ensures that no matter how much information the attacker has on you, it won’t be enough to get a new SIM issued on your number.

Some Security Measures

  • Call your telecom provider and check if they offer an extra password lock option to keep you alerted of such mishaps.
  • Keep a regular check on mails for any ‘device/account access’ message about activity that wasn’t yours.
  • Do not save confidential passwords or PINs in mail.
  • Do not click on URLs or website links that look suspicious (for this, make use of the spam/phishing warning available on Gmail).
  • Set passwords that are not 1234 or your date of birth, to avoid easy intrusion into digital accounts.

But here’s some good news: the GSM Association (GSMA), which represents global telecom operators, has been informed about this attack.

Telcos and back-end technology providers have been asked to tweak their security parameters to prevent SIM-Jacking from becoming a bigger menace.