The big picture: In a public service announcement, the FBI revealed an alarming increase in SIM-swapping-related crimes, causing over $68 million worth of losses to the US public in 2021. As more consumers tie the access and recovery of their online accounts to a phone number as 2FA, attackers get around the added security measure by maliciously employing another SIM in the user's name and diverting all data like calls, recovery texts and OTPs to a device of their choice. In addition to using strong 2FA methods like authenticator apps and physical security tokens, the FBI's advisory also recommends that people avoid sharing personal and financial details on social media sites and forums.
One evidence of the rapid increase in SIM-swapping attacks is the number of related complaints received by the FBI last year. Between January 2018 and December 2020, a total of 320 such complaints were filed that led to losses of $12 million. However, in just 2021 alone, that figure rose sharply to $68 million following 1,611 SIM swapping complaints.
Although SMS-based 2FA adds an extra layer of security to an account, the approach has long been considered risky as mobile carriers can still be tricked by attackers into switching a user's phone number to a SIM card of their choice, either through malware or impersonation.
A SIM-swap victim might also bring it upon themselves by advertising their financial assets on social media and public forums. This includes sharing cryptocurrency investments too, as noted in the FBI's advisory.
Of course, users can always do a better job of picking passwords (and a password manager), as well as employing stronger 2FA methods that aren't SMS-based. App-based authenticators that generate codes, or code-less implementations like Google's have been shown to boost account protection.
Moreover, the FBI also recommends that mobile carriers educate and train employees on SIM swapping, and deploy stricter measures to verify genuine user requests related to switching numbers to a new device.