Cybercriminals known as SIM swappers are employing a new tactic to steal phone numbers by transferring them to a new eSIM card, a digital SIM stored in the chip of modern smartphones. This shift allows attackers to remotely reprogram and provision eSIMs, presenting new challenges for users and security experts alike.
eSIMs serve the same function as physical SIM cards but offer the advantage of remote reprogramming and provisioning. Users can add an eSIM to their device by scanning a QR code from their service provider, eliminating the need for a physical SIM card slot.
The adoption of eSIM technology is growing, especially among smartphone makers, as it enables cellular connectivity in small wearables and eliminates the need for physical SIM cards. However, this convenience comes with new security risks.
Russian cybersecurity firm has observed a rise in SIM swappers exploiting eSIMs to hijack phone numbers and gain unauthorized access to bank accounts. These attackers manipulate the function of replacing or restoring a digital SIM card, transferring the victim’s phone number to their device with an eSIM.
Previously, SIM swappers relied on social engineering or insider assistance from mobile carriers to port a target’s number. However, as security measures improved, attackers turned to exploiting vulnerabilities in new technologies.
Now, attackers breach a user’s mobile account with stolen credentials and initiate porting the victim’s number to another device by generating a QR code through the hijacked account. By scanning this QR code with their device, attackers effectively hijack the phone number, while the legitimate owner’s eSIM/SIM is deactivated.
With access to the victim’s phone number, cybercriminals can intercept access codes and two-factor authentication messages, gaining access to various services such as banks and messaging apps. This access opens up opportunities for fraud, including posing as the victim to scam others.
To safeguard against eSIM-swapping attacks, enable two-factor authentication (2FA) on all your accounts that support it. Use complex and unique passwords for your cellular service provider account and other sensitive accounts. Consider using physical security keys or authenticator apps for additional protection, especially for e-banking and e-wallets.