SIM cards, the interchangeable, fingernail-sized cards that give a phone its phone number, are on the way out. An increasing number of devices support eSIMs, or embedded SIMs. What’s the difference? A SIM card contains a software configuration that lets a phone communicate with a mobile network. But that configuration doesn’t have to be written to a small card that needs its own real estate inside an already jam-packed phone.
Instead, phone manufacturers can solder a rewritable SIM chip into a device. Mobile providers can upload an eSIM configuration over the internet to a subscriber. It’s more convenient for phone users and providers. For example, before traveling to another country, it’s possible to buy an eSIM and a data and call package before ever leaving. On arrival, the phone has a native number, and there’s no need to hunt for a local SIM card. Also, some devices support having two active phone numbers - one on a physical SIM and one on an eSIM - at the same time.
For mobile providers, eSIMs can be provisioned through an app or their own self-service portals. If a user’s phone becomes damaged, the user could log on and provision themselves a new eSIM to a new device. A QR code with the link to new eSIM configuration can be sent to an email account, and the transfer can be done in just minutes. But online self-service and the speed at which numbers can be transferred raises questions about how fraudsters might be able to intercede.
Number hijacking, sometimes referred to as SIM swapping or port-out fraud, has been a persistent problem. The U.S. Federal Communications Commission maintains there are “significant security benefits” to eSIMs. With this in mind, Intel 471 looked at some of the dynamics around eSIMs and SIM swapping.
SIM swapping for Account Takeover
SIM swapping occurs when cybercriminals trick employees of a mobile provider into transferring someone else’s number to a SIM card they control. They can accomplish that by social engineering. Also, fraudsters have bribed or otherwise co-opted telco employees to help them. The techniques have been employed by threat actors such as LAPSUS$ in order to take over employee accounts at companies. Although providers have put in place new security protocols ranging from personal PINs to tighter customer verification, SIM swapping will almost certainly still occur.
With control of a number, fraudsters can intercept one-time passcodes (OTPs) used to log into online accounts. Successful SIM swaps have resulted in raided cryptocurrency accounts and staggering losses. Sometimes, possession of a phone number may be enough to reset passwords for other online accounts as well, increasing the overall threat SIM swapping poses.
Similar to physical SIM cards, the risks of SIM swapping with eSIMs depend on the security protocols set up by mobile providers. After waves of SIM swapping attacks, regulators in the U.S., Australia and elsewhere have looked to make mobile providers strengthen their verification procedures prior to porting numbers while also ensuring customers are promptly informed of account changes.
Many mobile providers have online instructions for provisioning an eSIM or for switching from a physical SIM to an eSim. In some cases, an eSIM may be transferred from one iPhone to another without contacting a mobile provider at all. That seems risky, but it’s actually more secure. The eSIM is protected by the device’s passcode and can’t simply be popped out of a stolen phone into another one.
Intel 471 looked at one provider’s procedure for setting up an eSIM via its mobile app. Before issuing the eSIM, the provider would send a six-digit code over SMS, which then had to be entered into the app to proceed. This is prudent since it verifies that the person requesting the number port already controls the number. However, the interface also allowed someone to get the code via email, which does open up possibilities for fraud.
If a cybercriminal had the victim’s mobile app credentials, the cybercriminal could log into the victim’s account and choose to receive the code via email. If the cybercriminal also had control of the victim’s email account, which is not unheard of given the market for stolen credentials, the number could then be ported. Interestingly, that particular provider no longer allows the code to be sent over email. But that email verification method is used by other providers, and it’s fine with regulators as it’s better than not verifying at all.
As people are likely to be requesting a new eSIM because they’ve lost or damaged their phone, it’s somewhat of a conundrum for mobile providers to try to verify someone by sending a code to the phone when the phone doesn’t work. Some other providers have restricted eSIM swaps to in-store visits or over the phone.
In-store visits would require showing ID. A phone transaction, however, may offer more opportunities for fraudsters to social engineer a mobile provider’s customer service representative. This is particularly true since many of the identification questions revolve around static data that may have been leaked in a data breach.
Determined cybercriminals skilled at social engineering will be able to make headway despite security controls. But the risks aren’t necessarily greater with eSIMs over physical ones.
Port-Out Fraud Defenses
There are ways that people can reduce the risk of a successful port-out. The biggest source of risk for port-out fraud are malicious insiders at mobile providers, as they have access to internal systems and may be able to override security protections. That risk is the hardest one to mitigate.
Mobile providers typically let customers set a PIN or passcode that must be given to one of their employees before account changes can be made. Although there was one extraordinary case where that didn’t stop cryptocurrency fraud, it’s a recommended safeguard.
There are also ways to mitigate the follow-on effects of an unauthorized number port. For sensitive online accounts, it may also be prudent to not allow an account recovery process that uses a phone number. For cryptocurrency accounts, it might be wise to have a completely separate phone number and unique email address just for the account, which are used for no other purposes. Also, multi-factor authentication (MFA) over SMS has long been recognized as a weak point; app-based generators are the secure way to go.
Lastly, it’s important to stay on guard for social engineering ploys over the phone or email asking for personal information, one-time passcodes or other sensitive data, which no credible service provider would request.