What is SIM Swapping?
SIM swapping, also known as SIM hijacking, occurs when a cybercriminal tricks a mobile carrier into transferring a victim’s phone number to a SIM card controlled by the attacker. Once in control of the phone number, the attacker can intercept SMS-based two-factor authentication (2FA) codes, access sensitive accounts, and potentially lock out the legitimate user. This affects not only vulnerable users and employees but also a variety of IoT devices, if those devices are not managed by sophisticated systems and secure network connectivity platforms.
Threats Posed by SIM Swapping
Impact on Vulnerable Users
SIM swapping disproportionately affects older adults and those less familiar with cybersecurity practices. According to the National Fraud Database, individuals over 61 years old accounted for 29% of account takeover cases in the UK. Vulnerable populations are often targeted due to:
- Lack of Awareness: Many victims are unaware of SIM swapping and its consequences, making them easy targets for phishing and social engineering scams.
- Emotional Manipulation: Fraudsters often use emotive tactics, such as posing as customer service representatives or family members, to gain trust.
- Financial Losses: Victims can lose access to banking accounts, leading to unauthorised transactions and financial theft.
- Privacy Breaches: Attackers can exploit sensitive personal information, causing emotional distress and long-term security concerns.
A Case Study: A retired 64-year-old in the UK fell victim to SIM swapping after receiving a call from a scammer posing as a major mobile network operator representative. The fraudsters hijacked his phone number, attempted unauthorised transactions totalling £4,259, and redirected his emails, leaving him feeling violated and helpless.
User surveys also suggest that 94.2% of users set phone passwords, but only 10.6% enable their SIM PINs.
Bypassing Multi-Factor Authentication (MFA)
SIM swapping enables attackers to intercept SMS-based authentication codes, allowing them to bypass Multi-Factor Authentication (MFA) protocols. This is particularly dangerous for businesses that rely on SMS for account security, as attackers can gain unauthorised access to sensitive systems.
Social Engineering Attacks
Cybercriminals and criminal groups often combine SIM swapping with social engineering tactics to deceive IT help desks into resetting passwords or granting access to corporate networks. For example, attackers impersonate employees and use stolen phone numbers to authenticate their requests.
Resulting Data Breaches
Such forms of SIM swapping can lead to significant data breaches as they can open up employee accounts to unauthorised access. Attackers may extract sensitive information, such as user credentials, customer data, or financial records, from these compromised systems. For instance, a recent cyberattack on a major UK retailer exposed personal data of up to 20 million members.
Operational Disruptions
Businesses can face severe operational disruptions due to SIM swapping attacks. Recently, victims of retail cyber attacks experienced system outages, product shortages, and payment failures, resulting in significant financial losses and reputational damage.
IoT Device Vulnerabilities
IoT systems that rely on SIM cards for connectivity can be vulnerable to SIM swapping. Attackers can hijack IoT devices, intercept data, or disrupt operations, posing risks to industries such as utilities, transportation, and healthcare.
Impact on IoT Systems
IoT devices extensively use IoT SIM cards for identity verification and data transmission. SIM swapping has the potential to compromise these systems in several ways:
- Unauthorised Access: Attackers can hijack IoT devices by gaining control of or stealing their IoT SIM cards, enabling them to intercept data or manipulate device functions if they are not protected by IoT network security systems.
- Data Theft: Sensitive information transmitted by IoT devices, such as GPS data or sensor readings, can be intercepted and exploited as a result.
- Operational Disruption: Critical and dispersed IoT systems, such as smart meters, payment terminals or vehicle trackers, can be rendered inoperable, affecting business operations and customer services.
Mitigation Strategies for Retailers, Businesses, and IoT Systems
Employee Training
- Regularly train employees to recognise and respond to social engineering attempts.
- Educate staff on the importance of safeguarding credentials and reporting suspicious activities.
Enhance Authentication Methods
- Transition from SMS-based MFA to more secure alternatives, such as authentication apps, hardware tokens, or biometric verification.
- Implement mutual Transport Layer Security (TLS) authentication for IoT devices to ensure secure communications.
Strengthen IT Support Verification
- Establish stringent verification processes for IT help desks to confirm employee identities before executing sensitive actions like password resets.
- Use multi-layered authentication methods for privileged accounts.
Collaborate with Critical IoT Connectivity Providers
- Work closely with critical IoT connectivity providers to establish protocols that prevent unauthorised SIM swaps.
- Request alerts for unusual activities, such as SIM swap requests or changes in device usage.
Implement SIM Locking and Device Binding
- Bind IoT SIM cards to specific devices using IMEI (International Mobile Equipment Identity) locking to prevent their unauthorised use in other devices.
- Where applicable, consider using embedded SIMs (eSIMs) for IoT devices, which are harder to physically swap.
Secure Your IoT Systems
- Use private Access Point Names (APNs) or Virtual Private Network (VPN) tunnels to isolate IoT traffic and control access tightly.
- Implement server-side device ‘allow-listing’ to ensure only authorised devices can connect to the network.
Encrypt Communication Channels
- Encrypt communication between IoT devices and servers to prevent eavesdropping and spoofing.
- Use selective encryption for sensitive Application Protocol Data Unit (APDU) traffic in IoT SIM-based systems.
Monitor for Unusual IoT Device Activity
- Use sophisticated IoT Connectivity Management Platforms to detect anomalies in user behaviour or access patterns, such as IoT SIMs connecting from unexpected locations or devices.
- Make use of IoT network-level monitoring services to flag suspicious activity related to SIM cards.
IoT-Specific Protections
IoT systems can implement additional safeguards, such as:
- Geo-Fencing: Monitor for unusual device activity based on location data.
- Behaviour Monitoring: Flag anomalies in device usage or connectivity patterns.
- Implement ‘allowed-lists’ or VPNs for vulnerable users and lone-worker systems so that SIM swappers cannot use authorised critical systems to contact end-users.
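The IMEI binding, server-side allow-listing and geo-fencing measures listed above can be combined into a single deny-by-default decision for each connection. The following is an added example, not CSL Group's code or part of the original article; the session record layout, the `INVENTORY` table, the `evaluate` function and every ICCID, IMEI and coordinate in it are constructed assumptions, and it assumes the connectivity platform reports an approximate location per session.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed inventory: ICCID -> bound IMEI and geo-fence (lat, lon, radius_km).
# All identifiers and coordinates are made-up sample values.
INVENTORY = {
    "8944000000000000001": {"imei": "350000000000011", "fence": (51.5072, -0.1276, 25.0)},
    "8944000000000000002": {"imei": "350000000000029", "fence": (53.4808, -2.2426, 25.0)},
}

@dataclass
class Session:
    iccid: str   # SIM identity reported by the network
    imei: str    # identity of the device the SIM is currently in
    lat: float   # approximate location of the session
    lon: float

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(session, inventory=INVENTORY):
    """Return (allow, reasons). Deny by default: SIMs not in the inventory never connect."""
    entry = inventory.get(session.iccid)
    if entry is None:
        return False, ["unknown_sim"]
    reasons = []
    if session.imei != entry["imei"]:
        # The SIM is in a device other than the one it was bound to.
        reasons.append("imei_mismatch")
    lat, lon, radius = entry["fence"]
    if km_between(session.lat, session.lon, lat, lon) > radius:
        reasons.append("outside_geofence")
    return (not reasons), reasons

# Constructed sample sessions covering each outcome.
SAMPLE = [
    Session("8944000000000000001", "350000000000011", 51.5155, -0.0922),  # bound device, on site
    Session("8944000000000000001", "350000000000037", 51.5155, -0.0922),  # SIM moved to another device
    Session("8944000000000000002", "350000000000029", 48.8566, 2.3522),   # bound device, far from site
    Session("8944000000000000009", "350000000000045", 51.5072, -0.1276),  # SIM not in inventory
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.iccid, s.imei, evaluate(s))
```

Denied sessions are the ones worth forwarding as alerts, since an IMEI mismatch or a location jump is what a moved or stolen IoT SIM looks like from the server side.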
Conclusion
SIM swapping is a growing threat that poses significant risks to business security systems and IoT devices. By understanding the vulnerabilities associated with SIM swapping and implementing comprehensive mitigation strategies, businesses can protect their operations, customer data, and IoT systems from sophisticated cyber threats. From enhancing authentication methods to collaborating with critical connectivity providers, proactive measures are essential to safeguard against this evolving menace.
Businesses and IoT operators must prioritise security by adopting advanced technologies, training employees, and collaborating across sectors. The fight against SIM swapping requires vigilance, innovation, and a commitment to protecting sensitive systems and data.
CSL Group are world leaders in secure communications and IoT systems for retailers, businesses, enterprises, telecare, and lone-worker devices. Please contact us to discuss your specific security requirements and speak to one of our experts.