SIM swapping has become much simpler with the advent of virtual eSIM cards. Hackers use this technique to recover your phone number and access your accounts, including bank accounts.
If the SIM card still remains the standard, French operators have for several years been offering their customers the option of eSIM – provided they have a smartphone compatible with this technology. This is a miniaturized version of the traditional SIM card directly soldered to the motherboard which allows manufacturers to do without the SIM card drawer – and therefore save space for components. It also allows operators to modify the information written on it more easily and remotely, which is not without risks. It didn’t take long for cybercriminals to see a great hacking opportunity and set up a new type of scam called SIM swapping. The Russian cybersecurity firm FACCT has spotted a sharp increase in these types of attacks at the moment. “Since the fall of 2023, FACCT Fraud Protection analysts have recorded more than a hundred attempts to access the personal accounts of customers of the online services of a single financial organization”, she explains. In the majority of cases, the goal is to empty the victim’s bank account.
SIM swapping: much simpler hacking with eSIMs
Previously, SIM swappers used social engineering, through phishing attempts, or worked with people in cell phone carrier departments to take over a target’s number. However, as companies have implemented more protections to thwart these hacking attempts, cybercriminals have adapted their methods, exploiting new technologies. They are now breaking into their victim’s mobile account using stolen, brute-forced, or leaked credentials. Once connected, they initiate the transfer of the number to a new device equipped with an eSIM. They then generate an activation QR code which they scan with their own smartphone, thus hijacking the number. At the same time, the rightful owner has their eSIM deactivated.
Once they have access to the victim’s phone number, cybercriminals can use the line to carry out phishing campaigns and thus obtain valuable personal and banking information, which they can resell on the Dark Web. They can also use it to unlock access to certain sensitive services – such as the banking application – or for remote purchases through double authentication. They may also have access to accounts linked to the eSIM card, which opens up other opportunities for fraud, for example by pretending to be the victim and tricking their loved ones into sending money. Suffice to say that the financial losses can quickly turn out to be quite significant… Another method: making premium rate calls to numbers they have created, which can result in a telephone bill of several hundred euros for the victim.
To defend against eSIM swap attacks, it is best to use complex and unique passwords for your mobile operator and online accounts. It is also better to systematically activate double authentication. Finally, for banking and financial accounts, it is better to opt for physical keys or two-factor authentication applications. Obviously, you must remain vigilant against phishing attempts and never give out your credentials.