Warning: This README is provided for educational purposes only. Please ensure you have authorization and are following applicable laws and guidelines.
This guide outlines how to perform a SIM swap when you have physical access to a device. These steps can be helpful in cases such as assisting users in regaining access to their own phone number or in troubleshooting SIM-related issues with carrier support.
- Carrier Information: Determine the mobile carrier for the phone number, which is often listed in the phone's settings or on the SIM card.
- Customer Service: Contact the carrier’s customer support department and explain the purpose of the SIM swap, confirming that you have authorization and the necessary device details.
Carriers typically require the following:
- Account Holder ID: A government-issued ID or other verification from the account holder.
- IMEI Number: The phone’s unique identifier, which can be found in the phone’s settings or by dialing `*#06#`.
- Proof of Ownership: The account holder may also need to provide account PINs, passwords, or answer security questions.
After authorization, the carrier will assist in transferring the phone number to a new SIM card:
- Carrier-Provided SIM Card: If needed, the carrier will provide a new SIM card and activate it remotely.
- Insert New SIM: Place the activated SIM card into the device, which should connect to the network with the transferred number.
Ensure that the number transfer was successful:
- Test Calls and SMS: Make a test call or send a test SMS to confirm connectivity.
- Verify SMS-based Authentication: Ensure that SMS-based authentication codes (if applicable) can now reach the new SIM card.
In addition to physical access, SIM swapping may be conducted through various other methods. Understanding these can be helpful for security professionals.
Attackers often start by gathering information about a victim to impersonate them with the mobile carrier. Common information includes:
- Full Name: Often available from social media or public records.
- Phone Number: Listed on profiles or available through data breaches. Sometimes found on job sites like Indeed or LinkedIn.
- Address: Sourced from public records or online data.
- Birth Date: Frequently accessible through social media.
- Email Address: Located on profiles, forums, or public websites.
This information can also be obtained through phishing or data purchases on underground markets.
Once sufficient personal information is obtained, attackers contact the victim's carrier, often claiming the phone or SIM was lost, damaged, or stolen. The goal is to convince customer service to transfer the number to a new SIM. Common tactics include:
- Impersonation: Posing as the victim and answering security questions with the gathered information.
- Phishing Carrier Support: Tricking or hacking customer support representatives into granting access or revealing additional information.
After successfully impersonating the victim, the attacker can convince the carrier to activate the phone number on their own SIM card. This process usually renders the victim’s original SIM inactive.
With control over the victim's phone number, attackers can intercept SMS-based two-factor authentication codes for sensitive accounts, including:
- Bank Accounts: Gaining access by resetting passwords through SMS-based verification.
- Email Accounts: Accessing password reset links for additional accounts.
- Social Media Accounts: Taking over profiles for further identity theft or phishing.
- Cryptocurrency Accounts: Potentially draining funds from crypto wallets.
SIM swapping exposes victims to various risks:
- Financial Loss: Unauthorized access to bank and investment accounts.
- Data Theft: Access to sensitive information in email and social media.
- Identity Theft: Potential impersonation and misuse of the victim's identity.
- Loss of Cryptocurrency: Irreversible transfers of funds from crypto wallets.
To protect against SIM swapping, follow these recommended practices:
Use app-based two-factor authentication (like Google Authenticator or Authy) instead of SMS. Alternatively, hardware security keys (such as YubiKey) provide strong, phishing-resistant authentication.
Most carriers allow customers to set a unique PIN or password required for account changes. Contact your carrier to enable this option.
Avoid sharing your phone number, birthday, or address publicly online to reduce exposure to attackers.
Set up notifications for login attempts, password resets, and 2FA changes, and act quickly if you notice any unusual activity.
Many carriers have dedicated fraud teams. Notify your carrier if you suspect you’re at risk of SIM swapping to enable additional security measures on your account.