SIM Swapping Attacks And CUI

Common Thought Process:

We implemented Multi-Factor Authentication (MFA) with compliant security safeguards, and our job here is done.

Discussion:

Wait, not so fast. Have you heard about SIM swapping attacks? The technique is not new, but it is certainly on the rise and making headlines. SIM swapping can be an absolute nightmare. Knowing how to protect yourself against SIM swaps not only helps you protect your CUI but also your company, yourself and your employees.

Not all two-factor authentication is created equal. Nefarious actors know that in many cases MFA is tied to a person’s cell phone number, and they have come up with ways to identify your phone number and use it to gain access.

How SIM swapping works

In one common scenario, a bad actor contacts your mobile phone carrier and tricks them into activating a SIM card on your number. So much of our personal information is available on the web. How many times have you googled yourself? If you have not done this, you may be surprised by how much information is out there. LinkedIn posts frequently include contact information and, if you are a small business, your work number may be your mobile number. Worse, if you are known to have contracts with the government, such information is even more likely to be tracked by bad actors. Social media posts with photos and memories may reveal additional information, such as places you have lived in the past. There are multiple people-search engines that specialize in collecting and managing personal data, including your phone numbers, date of birth, home addresses and associations. All of these common data points may be used to impersonate you, and can be enough to trick your mobile carrier into issuing a new phone with a brand-new SIM card on your number. Once that SIM is activated, you are cut off without warning, left trying to figure out how your phone just became an expensive little brick.

This is just one example; there are multiple ways to launch this type of attack, and it is important to protect yourself and your employees, especially if you are counting on mobile phone access for necessary multifactor authentication.

How SIM swapping could potentially affect your organization and CUI

If an attacker’s reconnaissance was thorough enough to learn a user’s company account identifier and password, and to glean that Multi-Factor Authentication is delivered via SMS, that attacker could try to exploit that weakness. By SIM swapping and stealing that user’s cell number, the attacker could authenticate to the company’s cloud instance where CUI is stored, because the SMS MFA code would be routed to the attacker’s phone.

In a scenario, let’s pretend a dubious actor, ‘Pinky’, has been shoulder-surfing and eavesdropping on conversations held by ‘Aloof DIB Employee (ADE)’ for a few days at an open WeWork location. From shoulder surfing, Pinky observes that ADE designs technical drawings for military aircraft. Pinky sits at the next table and pretends to be reading something on her phone while she is actually videotaping ADE logging in, so that she can study the video and identify ADE’s keystrokes during authentication. She also observes that the MFA code is sent over text via SMS. Pinky then starts acting a little flustered, looking in her bag, her pockets and behind her laptop, and sighs. She peers over at ADE, apologizes for disturbing him and asks if he will let her borrow his phone to call her mom; she meant to tell her she was running late working on a class project and didn’t want her to worry. ADE is a helpful guy, doesn’t think much of it and lets her borrow his phone. Pinky thanks him profusely, turns back around and sends a text to herself from ADE’s phone, then deletes the text. Pinky also navigates to the settings to gather the cellular carrier information. Then Pinky makes a quick call to the local library and hangs up. Returning the phone to ADE, Pinky says her mom didn’t pick up and that she will just need to head out, but thanks him again for his help.

Pinky leaves and heads to the cellular company’s store, where she successfully social engineers a worker into letting her purchase a new phone with ADE’s number, deactivating the old phone and activating the new one. Once settled in a new location, Pinky navigates to the cloud service provider, hoping no device identifier or authenticator is enforced, enters ADE’s account login name and password on the authentication landing page, and receives the SMS authentication code. She is in and can start downloading files to her dubious little heart’s content.

How likely is this scenario to occur? The more valuable the information is to the nefarious actor, the more likely they are to go to great lengths to get it. The bad actor is more likely to succeed if they have also collected additional details about their target from the dark web. A number of recent breaches have included theft of social security numbers, and having that information as well increases the likelihood of successfully social engineering the phone carrier.

What damage could occur if your company’s social media accounts are impacted by a SIM swap attack? The U.S. Securities and Exchange Commission recently reported a breach of its official @SECGov account on X and stated that a SIM swap attack was to blame: the hacker obtained access to the account through a phone number associated with @SECGov via a third party. In this instance, two-factor authentication was not configured. Multi-factor authentication configured with an authentication application synced to the device, a hardware token, or biometrics provides stronger mitigation: intercepting calls or texts gains an attacker nothing when MFA is configured to enforce one of these more restrictive settings.

How does this example relate to you and your company in the Defense Industrial Base?

If your company’s social media account is compromised, this could lead to false company information being posted, loss of intellectual property and sensitive data, loss of reputation, and more. The damage to your company’s reputation could prevent you from successfully winning contracts with the Department of Defense. 

Now, how about you and your employees? How can you protect yourself and your employees from personal financial ruin or hardship? First, bring awareness to your employees and inform them about how they can protect themselves. Employees tend to skip or skim security awareness emails, so during meetings briefly explain how this attack could affect what matters most to them: their loved ones and their savings.

A headline from a Washington, D.C. area news network highlighted that a person lost $17,000 in mere minutes to a SIM card swap scam despite having two-factor authentication. The scammers tricked the carrier, stole the victim’s phone number, and used the phone number’s two-factor authentication codes to steal money from the victim’s Bank of America account.

If the target had set up a strong PIN with their carrier to prohibit any account changes, this might have prevented the attack and reduced the likelihood of the target losing money and then spending months filing a claim for reimbursement.

In addition to raising awareness among your employees about how they can protect themselves and their loved ones (which incidentally adds another, indirect layer of protection for a company that handles and protects CUI), it is also important to direct your IT security team to add additional layers of protection.

In summary, here are some helpful tips to avoid becoming a victim of SIM Swap attacks:

  • Use authenticator applications, hardware tokens, or biometrics (e.g., fingerprint or face scans).
  • Set up a PIN with your carrier (or switch carriers if your current carrier doesn’t support this) and do not make your PIN something obvious (birthdays, anniversary dates, zip code numbers, etc.) or something you have used elsewhere.
  • Be mindful of the data you share online; think of privatizing personal social media accounts.
  • Understand phishing techniques; don’t click on links from email addresses you don’t know or people you don’t know – learn how to spot those phishing emails.
  • Use caution when working in public spaces and don’t use public Wi-Fi.
  • Keep in mind that compliance regulations are designed to support better cybersecurity; choose controls that are effective at providing the intended protections rather than just checking a compliance box.
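The first tip above only helps if every CUI-handling account actually has a phone-independent factor enrolled, and if a phone-bound factor is not left behind as a fallback the attacker can pick at login. The following audit is an added example, not code from the article or from Coalfire Federal; it runs over a constructed MFA-registration export whose column layout and method names are assumptions, not any real identity provider's format.

```python
import csv
import io

# Constructed sample export (not from any real identity provider); the columns
# user, cui_access and mfa_methods are assumed for this example.
SAMPLE_EXPORT = """\
user,cui_access,mfa_methods
ade@example.com,yes,sms
pinky.ops@example.com,no,sms
cad.lead@example.com,yes,sms;totp_app
auditor@example.com,yes,fido2_key
intern@example.com,yes,
"""

# Factors bound to a device or a person rather than to a carrier-assigned number;
# these are the "authenticator app, hardware token, biometrics" options from the tips.
PHONE_INDEPENDENT = {"totp_app", "push_app", "fido2_key", "platform_biometric"}
# Anything else (sms, voice_call, or an unrecognised method) is treated
# conservatively as something a SIM swap could redirect to the attacker.

REMEDIATION = {
    "none": "no second factor enrolled; enrol an authenticator app or hardware key",
    "phone_only": "every factor follows the phone number; replace SMS/voice with a phone-independent factor",
    "mixed": "a phone-bound fallback remains; remove SMS/voice so it cannot be chosen at login",
}

def classify(methods):
    """Return 'none', 'phone_only', 'mixed' or 'strong' for one account's factor list."""
    strong = {m for m in methods if m in PHONE_INDEPENDENT}
    weak = {m for m in methods if m not in PHONE_INDEPENDENT}
    if not strong and not weak:
        return "none"
    if strong and not weak:
        return "strong"
    if weak and not strong:
        return "phone_only"
    return "mixed"

def audit_mfa(export_text):
    """Map each CUI-access account whose login can be hijacked via its phone number
    to its finding state; accounts with only phone-independent factors are not listed."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = [m.strip() for m in row["mfa_methods"].split(";") if m.strip()]
        state = classify(methods)
        if row["cui_access"].strip().lower() == "yes" and state != "strong":
            findings[row["user"]] = state
    return findings

if __name__ == "__main__":
    for user, state in audit_mfa(SAMPLE_EXPORT).items():
        print(f"{user}: {state} -> {REMEDIATION[state]}")
```

Accounts without CUI access still deserve the same cleanup, but the CUI scope is where this check directly supports the boundary you will be assessed against.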

Below are some helpful resources and headline articles:

SIM swapping attacks are a growing threat, especially for organizations handling Controlled Unclassified Information (CUI) and working towards CMMC compliance.

Coalfire Federal’s CMMC Advisory Services can help you:

  • Scope your CUI with a CMMC CUI Boundary Analysis.
  • Close security gaps to prevent unauthorized access to CUI.
  • Ensure you are prepared to meet CMMC requirements and reach certification.

Talk to a CMMC expert today to learn more about our CMMC Advisory Services.

About the author

Brie Taylor

Senior Consultant

Brie Taylor is a cybersecurity leader with over 12 years of experience in the private and public sectors. She excels in training, planning, implementing, executing, and monitoring complex risk assessments with multidisciplinary teams, specializing in NIST, RMF IV&V, CobiT, FISMA, and FedRAMP compliance.

She has led various technical and policy-based assessments and consulting services of web applications, general support systems, major/minor applications, Cloud, network and infrastructure development, using various NIST standards and OWASP in identifying vulnerabilities and mitigating security risks.

She joined Coalfire Federal in 2020 within the CMMC Compliance, Assessment, & Certification (CAC) team and continues to be an enthusiastic, experienced professional and strong performer who embraces challenging situations, demonstrates flexibility through adapting to ever-changing client engagements, and consistently strives to exceed expectations. From her experience, performance, and professionalism, she was selected to partake in the first joint surveillance voluntary assessment (JSVA) conducted by Coalfire Federal.