Our mobile phone numbers have become a de facto form of identification, but they can be hijacked for nefarious purposes. Just such an attack may have been involved in the recent very damaging cyber-attack on Marks & Spencer (M&S).
Authors
- Alan Woodward
Professor, Department of Computer Science, University of Surrey
- Daniel Gardham
Lecturer in Secure Systems, University of Surrey
The hack happened in April and forced M&S to stop taking online orders. It also caused disruption to some of its stores. The company has said that its online business could be disrupted into July and could result in an estimated £300m hit to profits.
The M&S incident is being widely reported as an example of what is known as "sim swap". It's a form of fraud that is on the rise and understanding how to protect against it will help limit its impact.
Our mobile numbers are unique and we keep them for years. This means that users generally want to keep hold of their number when they change their phones, or lose them. When a user buys a new phone, or just a new sim card for a spare device they might have, they might call their service provider to transfer their longstanding mobile number to the new sim card.
The problem is that the service provider doesn't know if it is really them calling to transfer the number. Hence, they launch into a series of questions to make sure they are who they say they are.
But what if someone else has the answers to the questions the service provider asks? Is your mother's maiden name or that of your first pet really that secret?
Easy pickings
The rise of social media has made it easier than ever for scammers to piece together what was once considered private information. But this might not even be necessary. What if the service provider simply takes pity and falls for a tale of woe as to why you need to transfer the number but cannot remember an answer?
Suddenly, someone else can make and receive calls and SMS messages using your number. This means they could make calls at your expense. However, it might seem logical that as soon as the service provider is informed of this, the provider should be able to stop it, and is likely to refund any fraudulent charges.
However, there's a catch. Remember when you created your email, bank account or even online grocery shopping account and you were encouraged to set up two-factor authentication (2FA)? You listened, but the system set your "second factor" as your mobile phone number. You input your username and password, and it asks for a time-limited code that it sends to you as an SMS message.
If someone has managed to obtain your login username and password, typically through a phishing email or even a data breach, and they have control over your phone number, they now have everything they need to log in to your account.
This so-called sim-swap fraud is complex to pull off, but it is on the rise. Attacks rose by 1,055% in 2024, according to the National Fraud Database, and it has allegedly been used in many high-profile hacks such as that of former Twitter CEO Jack Dorsey in 2019.
Effective counter-measures
Sim swapping is often used to target users who have high system privileges that give them access to systems most users don't have permissions for. Imagine such a sim swap was carried out on a system administrator. These are the very people who set and reset passwords, grant access to computer systems and, most dangerously, can upload further software to the network and its attached systems.
This has proved such a useful hack that some services are switching to sending that time-limited code to you via messaging services such as WhatsApp. However, this approach is not foolproof, and so there is a rising adoption of authentication apps, which display a synchronised code that matches one held by the service to ensure authenticity.
Nothing is 100% secure, and the security of authentication apps assumes that you have a separate, strong password to prevent those who have stolen your phone number from accessing these authentication checks.
Efforts to improve login security have led to the rise of what are known as passkeys, which are long sequences of random digits called cryptographic keys that are stored on your device, such as a smartphone or computer. The key is only shown to your online account when you unlock your phone.
A key step in authentication is therefore the method the person uses to access their device. This could be a biometric authenticator like a fingerprint or face scan, or a screen lock PIN. Passkeys are more resistant to phishing attacks and data breaches than traditional passwords.
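The following added example (our own simplified model, not code from any passkey implementation) shows why the two properties just described hold. The device keeps a private signing key for each site it was registered with and only signs while unlocked; the site stores just the matching public key, so a breach of its database leaks nothing a thief can log in with; and because the key is tied to the site it was created for, a look-alike phishing site simply has no credential to ask for. Ed25519 signatures stand in for the real protocol, and the names Authenticator, RelyingParty and the domains shop.example and shop-login.example are invented for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Authenticator models the user's device. It holds one private key per
// relying party ID; the keys never leave it, and it only signs while unlocked.
type Authenticator struct {
	creds    map[string]ed25519.PrivateKey
	unlocked bool
}

// RelyingParty models the online account. It stores only its own ID and the
// user's public key: there is no password and no phone number to steal.
type RelyingParty struct {
	ID  string
	pub ed25519.PublicKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]ed25519.PrivateKey{}}
}

// Register generates a key pair for rpID, keeps the private half on the device
// and hands the public half to the relying party.
func (a *Authenticator) Register(rpID string) (*RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &RelyingParty{ID: rpID, pub: pub}, nil
}

// Unlock stands in for the fingerprint, face scan or PIN check on the device.
func (a *Authenticator) Unlock(userVerified bool) { a.unlocked = userVerified }

// NewChallenge returns a fresh random nonce; signing it proves possession of
// the key right now, so a captured signature cannot be reused for a later login.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// toBeSigned binds the challenge to the relying party ID, in the spirit of
// WebAuthn, where the signed data carries a hash of the RP ID.
func toBeSigned(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert answers a login challenge from origin. It returns nil when the device
// is locked or when no credential exists for that origin, which is what happens
// on a look-alike phishing site: the key was registered for the real site only.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	priv, ok := a.creds[origin]
	if !a.unlocked || !ok {
		return nil
	}
	return ed25519.Sign(priv, toBeSigned(origin, challenge))
}

// VerifyAssertion checks the signature against the stored public key and the
// relying party's own ID.
func (rp *RelyingParty) VerifyAssertion(challenge, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(rp.pub, toBeSigned(rp.ID, challenge), sig)
}

func main() {
	// "shop.example" and "shop-login.example" are made-up domains for the demo.
	device := NewAuthenticator()
	account, err := device.Register("shop.example")
	if err != nil {
		panic(err)
	}
	challenge, _ := account.NewChallenge()
	device.Unlock(true)
	sig := device.Assert("shop.example", challenge)
	fmt.Println("challenge:", hex.EncodeToString(challenge))
	fmt.Println("genuine site login verifies:", account.VerifyAssertion(challenge, sig))
	fmt.Println("look-alike site obtains a signature:", device.Assert("shop-login.example", challenge) != nil)
}
```

In a real browser the origin check is done by the browser and the authenticator together, not by the user, which is the point: the user cannot be talked into handing a passkey to the wrong site the way they can be talked into typing a password or an SMS code into one.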
So, the next time you phone your mobile service provider and they insist on asking a host of questions to prove your identity, don't complain, just think what could happen if they didn't do sufficient checks and someone carried out a sim-swap scam on your number.
The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.