A SIM swap attack manipulates the process of transferring phone numbers across mobile carriers and subscriber identity modules (SIMs) to misdirect text messages intended for the victim to the attacker instead. If you use SMS for two-step authentication at Stripe, the attacker can use this method to obtain your verification codes, thereby gaining access to your account.

How do SIM cards work?

A SIM card is issued to every mobile phone customer and slotted into a phone to identify the customer. A phone number ultimately points to a single SIM. Recently, eSIMs were introduced to eliminate the physical card, but otherwise function the same way.

Your mobile carrier has the ability to change which SIM a phone number points to. This is needed so you can keep the same phone number if you lose your phone or if the SIM card is otherwise damaged or unusable. This also means employees at the mobile carrier has the power to make this change.

Additionally, in many countries, it is required by law that customers can freely switch between mobile carriers. This encourages healthy competition, but also means that mobile carriers do minimal verification before allowing a phone number to be ported to a different carrier, which naturally issues a new SIM.

How do SIM swap attacks work?

There are several different ways the attack can work with ultimately the same result:

1. The attacker pretends to be you and contacts your mobile carrier, telling them that you've lost your phone. The attacker convinces the mobile carrier that they are you and are issued a replacement SIM card;
2. The attacker pretends to be you and contacts another mobile carrier, telling them that you wish to switch services to the new carrier. The new carrier asks the old carrier to confirm the porting, and the attacker convinces them, resulting in the new carrier issuing a SIM card; or
3. An employee at your mobile carrier is bribed into changing your phone number to point at the attacker's SIM.

In all cases, the attacker obtains a SIM card that receives SMS and phone calls from your phone number, while your existing phone stops working.

How can I protect myself from SIM swap attacks?

In general, due to third parties involved, there is currently no way to prevent SIM swap attacks. The only way to protect yourself from its harmful effects is to stop using text messages (SMS) for two-step authentication.

As long as SMS for two-step authentication is enabled, your account is at risk. You should enable an alternative method for two-step authentication, such as an authenticator app or a hardware security key, and then disable SMS.