It has already become somewhat of a routine to protect social network profiles, personal photo logs, smartphones, PCs, bank accounts and many other assets. But what we seem to be forgetting about is one little thing that, to an extent, is responsible for keeping all of the above safe. SIM cards are often the last, and the least protected, line of defense on the path to our critical data and money.
So why is a SIM card so important? The answer is quite simple: this tiny piece of plastic with a microchip soldered on it, carries some information like contact lists and service data, but also – and this is of paramount importance – it stores your phone number.
Today two-factor authentication, which has become increasingly widespread, frequently depends on one-time codes sent through SMS messages. That said, it is a kind of key to many, if not all, doors of your digital life: social network profiles, online service credentials and even web banking. Like the robustness of an entire chain is defined by its weakest link, the safety of personal data is defined by how well your phone number – meaning SIM card – is protected against unsolicited access.
Many websites, including Facebook and Gmail and almost all web banking services, offer additional access protection by linking a mobile phone number to the account so that you can get one-time passwords via text messages.
According to settings and the user’s preferences, such passwords can be used both to access your account, and to change a password and confirm transactions. What this means for you is that if a culprit manages to crack your primary password, he would not be able to authorize access as he wouldn’t be able to get the one-time code anyway.
— Eugene Kaspersky (@e_kaspersky) June 10, 2014
This authentication approach can be considered one of the most robust ways to protect your online assets, yet it also has a flaw: it relies on the condition that only the legitimate owner has access to a mobile phone which, in reality, could be stolen or used inappropriately by an outsider.
So what happens if your phone, or SIM card itself, ends up in someone else’s hands?
A #SIM card used in your smartphone can contribute to the loss of money and personal dataTweet
The worst scenario is losing a smartphone together with your banking information included. Having laid his hands on this “super-bundle”, a culprit could fleece you of all of your money in an instant. Lately, the option of direct card-to-card transactions has gotten so widespread that even this blunt way to transfer money from your cards is easily used.
Purchasing goods online using your cards is even easier. For such operations, one would simply need card credentials and a one-time code sent to the phone number tied to the card. That means that your primary password to an online bank, however sophisticated and reliable, just won’t be needed. The code you use to unlock the home screen of your smartphone wouldn’t even be of use either: it is enough to insert your SIM card into another device and receive the messages that were intended for you.
Theoretically, the illegitimate transaction can be disputed with the bank. But it may be challenging: the bank would be pretty much assured that it was you who shopped, and this is not easily overturned.
A less damaging scenario is the loss of solely the phone. A criminal would have to work harder in order to get to your money, but in this case he has virtually no obstacles in accessing your personal data on a variety of online services. It is quite simple: resetting the passwords to a number of websites requires just a confirmation code sent to your phone.
Even the laziest hackers who happened to obtain your phone or SIM card, might at least try to receive some donations from your contact list by mass messaging your friends and family with pleads for money for emergency reasons. These ‘no-time-to-explain’ text frauds are quite efficient even when sent from unknown contacts, let alone if they come from a person you know.
"Five lessons I’ve learned from having my credit card hacked" https://t.co/TQHBbK0Oqw
— Eugene Kaspersky (@e_kaspersky) November 13, 2014
However, you do not have to lose your phone completely in order for criminals to take advantage of your financial data – they are good to go with only temporary access to your SIM card. Even just several minutes can be enough to hijack an SMS message containing a one-time password to execute a transaction through your Internet banking service, or mail a malicious link to your contact list.
So when you get your phone back, there is a definite chance that the whole incident could escape your attention. Thus, the temporary loss of a SIM card might cost you money and a number of petty troubles.
One method for protecting yourself from the consequences of losing your SIM card is very simple: enable a PIN code for a SIM card and make the code considerably sophisticated (basics like 0000 or 1234 are a bad idea). This way, no one would be able to use your phone number either on your device or any other phone.