SIM Hijacking/Swapping
A SIM card, also known as a subscriber identity module, is a smart card that stores data for GSM cellular telephone subscribers. Such data includes user identity, location and phone number, network authorization data, personal security keys, contact lists, and stored text messages. Your SIM card identifies your device when connecting to your cell network, but it also reveals your identity to various services.
SIM swapping is essentially the process of hackers activating your number on a SIM card in their possession. This lets them take over your phone number, so the next time someone tries to access your online banking account, the cyber criminals receive the verification passcode instead of you. This is usually effective when someone wants to reset your password, or already knows your password and wants to get through the 2-step verification process. This is called SIM hijacking, but it is also known as SIM swapping and SIM hacking.
When you call your wireless carrier over the phone, the operator usually goes through a quick verification process with you. They often ask for your full name, address, phone number, DOB, and passcode or the last four digits of your Social Security number. All of this information has leaked at some point in the past, so hackers might have purchased the data from the dark web or used other social-engineering methods to get the needed details.
What Could Be at Risk
- Access to online banking, investing, and other accounts
- Access to social media accounts
- Access to your online property (domain names, social vanity names, etc.)
- Access to the apps on your phone
- Access to the contacts on your phone
- Access to your personal information: name, address, date of birth, etc.
- Mobile App Accounts. Use a 2FA option that isn't SMS-based, such as an authentication app on your smartphone. Using text messages (SMS) as a second factor is no longer considered safe. Criminals can bypass two-factor authentication by stealing your phone, your SIM card, or your phone number to intercept the one-time verification codes sent to that mobile number by text, email, or phone call. You can go a step further by using a physical token or security key such as a YubiKey or a Titan Security Key, which connects to a computer via USB or wirelessly. You can set up these keys as the second factor for many services. Then, when you log in, you will have to provide your password, insert the token into your computer, and press a small button on the key itself.
- Extra security at your carrier. Proactively harden your account with your cell phone provider. Call their customer support line and ask what additional steps are available so that, even if someone has all of your information, another piece of information would be needed, preventing unauthorized requests. Ask them if they allow additional security questions or PIN code options for any changes to the account.
- Set a PIN code for your SIM card to protect it in case of theft. You (or anyone who has access to your SIM card) will have to enter this PIN every time you restart the phone or put the SIM card in a new phone. Make sure you keep it in a safe place and, if you do not remember the code, do not try to guess it, because too many failed attempts can lock you out of your account.
- Be vigilant about the communications you receive. Watch out for phishing attempts, alert messages from financial institutions, and texts in response to two-factor authorization requests.
- Do not link your mobile number to online accounts. Once hackers steal your phone number, they use it to reset the password of any online account linked to that number. In many cases, this bypasses two-factor authentication. That is why control of a phone number is so powerful. Avoid using your personal mobile number for all of your accounts. Use alternative numbers provided through these options for your online accounts, so that they are not directly tied to your phone's SIM card. If possible, remove your phone number from any account that might interest hackers. You can still link some kind of phone number to those accounts, but we suggest using a VoIP number, such as one from Google Voice, which is immune to SIM hijacking. Of course, you must protect this number too, by using a unique password, enabling two-factor authentication on the account, and making sure it does not expire if you do not use it regularly.
Immediate Actions to Stop SIM Swap Fraud
- Contact Your Mobile Carrier: As soon as you suspect a SIM swap (e.g., your phone shows "Emergency Calls Only"), contact your mobile service provider. Inform them about the potential fraud and ask them to deactivate the new SIM card that the hacker might be using.
  - AT&T: 1-800-331-0500 or 611 from an AT&T mobile phone.
  - Verizon Wireless: 1-800-922-0204 or *611 from a Verizon mobile phone.
  - T-Mobile: 1-800-937-8997 or 611 from a T-Mobile mobile phone.
  - Sprint (Now part of T-Mobile): For Sprint customer service, use the T-Mobile customer service number, as Sprint has merged with T-Mobile.
  - U.S. Cellular: 1-888-944-9400 or 611 from a U.S. Cellular mobile phone.
- Change Online Account Passwords: Quickly change the passwords for your important online accounts, especially for banking, email, and social media. Ensure these passwords are strong and unique.
- Enable Non-SMS Two-Factor Authentication: Switch to app-based or hardware token-based two-factor authentication for all accounts that offer it, as SMS-based 2FA can be compromised in SIM swap attacks.
- Notify Financial Institutions: If your financial accounts could be compromised, inform your banks and credit card companies about the fraud. They can monitor your accounts for suspicious activities and replace your cards if necessary.
- File a Police Report: Report the incident to the police. This can be crucial for identity theft cases and may help in recovering any lost funds.
- Alert Credit Bureaus: Contact credit bureaus to set up fraud alerts or credit freezes. This prevents the opening of new accounts in your name.
Long-Term Recovery and Prevention Steps
- Review Account Activities: Regularly review your bank and credit card statements for any unauthorized transactions. Report any discrepancies immediately.
- Educate Yourself and Employees: If you're a business manager, educate your team about SIM swapping. Awareness can prevent such attacks from happening in the first place.
- Secure VoIP Numbers: If using a VoIP number like Google Voice for 2FA, secure it with a strong password and enable 2FA on the VoIP account itself.
- Regularly Update Security Information: Keep your security questions, backup email addresses, and recovery phone numbers updated and secure.
- Stay Informed: Keep abreast of new security threats and protection measures. Cybersecurity is an ever-evolving field, and staying informed is key to protection.