Chris, a subscriber to my newsletter, recently emailed me to share his experience. Unfortunately, he lost $10,000 due to what appears to have been an “eSIM attack.” Such attacks, previously common mainly in the Bitcoin community, are now a wider concern; anyone could potentially become a victim.

Our phones hold a vast amount of personal data and sensitive information, from social media apps to mobile banking apps, and that can make us vulnerable to data breaches. In today’s world, where secure and convenient mobile connectivity is in high demand, the use of eSIMs has seen a significant rise.

The tiny memory chip known as the SIM card plays a crucial role in cell phone operation, as it grants users their unique phone number. But now, a new player has entered the SIM world—the eSIM card.

This virtual SIM functions just like a physical one but with the added security of being embedded in your phone’s hardware. No more manual replacements or removals. As with any new technology, there are always those who attempt to bypass security measures. Could this be a repeat of the early vulnerabilities experienced with traditional SIM cards? Even so, don’t let these possibilities deter you from embracing the convenience offered by eSIMs. Just be sure to stay informed and vigilant about potential security risks. Keep your phone safe and secure with eSIM.

What is an eSIM? 

Introducing eSIM, which stands for “Embedded Subscriber Identity Module.” This tiny chip nestled within your phone manages your cellular network connection. With eSIMs, you no longer need physical SIM cards because they provide the convenience of switching between mobile networks effortlessly. Plus, enjoy increased storage capacity and improved network coverage. However, you might question the safety of eSIMs – can they be hacked? While no technology can guarantee complete protection, rest assured that eSIM’s multi-layered security measures greatly minimize the risk of hacking.

eSIM vs. SIM security

When comparing eSIMs to traditional SIM cards, it is fundamental to understand how they differ in format, functionality, and use. While standard SIM cards require a manual activation process through your network provider, eSIMs can be activated from a distance. The necessary information to connect to your mobile network, embodied in your eSIM profile, gets downloaded to your device. This streamlines the process, normally rendering it effortless and without complications.

Also, physical SIM cards require insertion into a particular slot in a device and must be manually changed when switching network providers or plans. In contrast, eSIMs enable remote profile swaps. Hence, the days of looking for and inserting physical SIM cards are over, making eSIMs a more convenient option for global travelers and transferring service between devices.

Additionally, eSIMs offer more security than their physical counterparts due to both hardware and software provisions. Tamper-proof hardware shields the microchip from physical breaches, while robust encryption protocols uphold the integrity of the data transmitted between the device and the network service.

But there’s more. eSIM technology also leverages secure remote provisioning, allowing network providers to manage and update profiles wirelessly. This feature adds an extra layer of security, reducing the risks related to misplaced or stolen cards while enhancing the user’s sense of security. Avoid settling for outdated, impractical traditional SIM cards when eSIMs provide a more sophisticated and secure alternative.

BUT…

eSIMs Can Be Hacked

Consider your smartphone’s eSIM as a potent virtual identity card that authenticates you on the mobile network. However, be cautious, as eSIM hacking poses a significant risk that could jeopardize the security of your eSIM-compatible device. Usually, a user can incorporate an eSIM into a supportive device by scanning a QR code provided by the service provider.

An eSIM hack refers to a covert attempt to alter your eSIM profile, thereby granting hackers unauthorized access to your mobile and financial accounts. Such hacking can also take advantage of vulnerabilities in the eSIM system, and it takes several forms.

SIM swap eSIM hack

Protect your phone number from unauthorized control by hackers through cunning SIM swaps. This perilous method used by the hosers involves deceiving your mobile service provider into associating your number with a new eSIM, which the hacker controls.

And it’s often more straightforward than you can imagine.

Initially, the hacker collects your personal details from publicly available sources or data breaches. They exploit this information to impersonate you when they reach out to your mobile service provider. The hacker then claims a need to transfer your phone number to their new eSIM, alleging that they have acquired a new phone. Regrettably, this pretext is highly persuasive.

Once the hacker successfully manipulates the provider into swapping the eSIM, they gain full control over your phone number. This control enables them to intercept your calls and messages and even access services that leverage your number for verification purposes, such as two-factor authentication. The resultant implications can be disastrous.

Consider the case of a Business Insider journalist who was affected by an eSIM hacking incident. Within a few hours, she discovered that intruders had pilfered her credit card details and made almost $10,000 worth of fraudulent purchases. How did they execute this plan? The journalist’s ported phone number was used to receive fraud alerts through texts while the culprits made purchases in brick-and-mortar stores. Nevertheless, she managed to freeze her credit and uncover evidence of the fraudulent maneuvers.

Stay alert: keep your data out of the hands of hackers so that you don’t become a casualty of an eSIM hacking incident.

Phishing eSIM hack

This one also requires the hosers to get your personal information. This time, they do it with a phishing email.

But if you fall for their trap and provide your personal information to the fake website, the attacker can gain unauthorized access to your eSIM profile. That could give them control over your mobile services and put your personal information at risk.

In fact, a recent data breach at T-Mobile resulted in customers falling victim to SIM swap attacks through social engineering phishing scams. These hackers impersonated customers and used their data, which was obtained through phishing attacks and data breaches, to take over their mobile numbers and online accounts.

One T-Mobile customer shared their experience on Reddit, where hackers were able to take over three of their online accounts, including their authenticator app. That allowed the attackers to receive their text messages and bypass SMS-based 2-factor authentication, gaining access to their primary email and financial account.

Don’t let this happen to you. While anyone can become a victim of a SIM swap attack, you can protect yourself by following mobile security best practices. Don’t let your data fall into the wrong hands, protect yourself from identity theft, and avoid the risk of financial loss. Stay vigilant and stay safe.

Russian SIM Swappers

According to a leading Russian cybersecurity firm, F.A.C.C.T., SIM swappers have been exploiting the shift to eSIMs to hijack phone numbers and bypass security measures.

Since the fall of 2023, F.A.C.C.T.’s Fraud Protection analysts have been closely monitoring the alarming increase in attempts to access clients’ personal accounts at a major financial organization. In fact, there have been over a hundred recorded cases so far!

How do these criminals manage to steal your mobile number? By using the sneaky method of replacing or restoring a digital SIM card. They simply transfer your phone number from your SIM card to their own device with an eSIM, giving them full access to your personal information.

How do they do it? They generate a QR code through your hijacked mobile account and use it to activate a new eSIM on their device. This essentially gives them control over your number while simultaneously deactivating your eSIM or SIM.

But that’s not all. Once they have your phone number, cybercriminals can access your two-factor authentication and other services, such as online banking and messaging apps. This opens up a world of opportunities for them to carry out fraudulent schemes and scams.

Unfortunately, Apple is powerless when it comes to preventing SIM swaps. The term “SIM swap” is misleading as it does not involve physically swapping the SIM card. Instead, criminals contact the carrier and obtain a new SIM card with your phone number, effectively canceling your current one. They do this by either convincing the carrier’s agent that they are you or by bribing them. This is a common occurrence, as carrier phone centers are often staffed by low-wage workers, frequently in other countries like India or the Philippines.

That can happen with both physical SIM cards and eSIMs, as the SIM itself is not necessary for the switch.
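
The sequence described above (a hijacked carrier account, a new eSIM issued, then SMS codes used to get into other accounts) is something a bank or other online service can watch for. The following Python is an added example, not code from F.A.C.C.T. or any carrier; the event names, fields, time windows and sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

RISK_WINDOW = timedelta(hours=72)      # assumed hold period after a SIM/eSIM change
TAKEOVER_WINDOW = timedelta(hours=24)  # assumed gap: carrier login -> eSIM issued
SMS_ACTIONS = {"sms_otp_login", "sms_password_reset"}

# Constructed sample events; event names and fields are hypothetical.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "type": "carrier_login_new_device"},
    {"ts": "2024-03-01T09:12:00", "user": "alice", "type": "esim_profile_issued"},
    {"ts": "2024-03-01T09:40:00", "user": "alice", "type": "sms_otp_login"},
    {"ts": "2024-03-01T10:00:00", "user": "bob",   "type": "sms_otp_login"},
    {"ts": "2024-02-20T08:00:00", "user": "carol", "type": "esim_profile_issued"},
    {"ts": "2024-03-02T08:00:00", "user": "carol", "type": "sms_otp_login"},
    {"ts": "2024-03-03T11:00:00", "user": "dave",  "type": "esim_profile_issued"},
    {"ts": "2024-03-03T15:00:00", "user": "dave",  "type": "sms_password_reset"},
]

def find_sim_swap_risk(events):
    """Flag SMS-verified actions that follow a recent SIM/eSIM profile change."""
    last_carrier_login = {}  # user -> time of last carrier login from a new device
    last_swap = {}           # user -> (time of profile change, preceded by such a login)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts, user, kind = datetime.fromisoformat(ev["ts"]), ev["user"], ev["type"]
        if kind == "carrier_login_new_device":
            last_carrier_login[user] = ts
        elif kind == "esim_profile_issued":
            login = last_carrier_login.get(user)
            hijack_pattern = login is not None and ts - login <= TAKEOVER_WINDOW
            last_swap[user] = (ts, hijack_pattern)
        elif kind in SMS_ACTIONS and user in last_swap:
            swap_ts, hijack_pattern = last_swap[user]
            if ts - swap_ts <= RISK_WINDOW:
                findings.append({
                    "user": user,
                    "action": kind,
                    "minutes_after_swap": int((ts - swap_ts).total_seconds() // 60),
                    # A new-device carrier login right before the swap matches the
                    # hijacked-account pattern, so it is rated higher.
                    "severity": "high" if hijack_pattern else "medium",
                })
    return findings

if __name__ == "__main__":
    for finding in find_sim_swap_risk(EVENTS):
        print(finding)
```

A service that flags these cases can hold the transaction or ask for a second, non-SMS check before letting the action through.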

What To Do

2-Factor Authentication

Are you concerned about the security of your carrier account? Take action now and add an extra layer of protection with two-factor authentication. While this may not be a foolproof solution, it is a step in the right direction. Keep in mind that with most carriers, support representatives can override 2FA. However, this is not the case with Apple. That means that your account is even more secure with 2FA. Sure, it may be frustrating if you can’t receive your code, but the added security is worth it. Don’t wait any longer. Take control of your account’s security today.

Secure Your SIM by Using a SIM PIN 

Secure your SIM card with a PIN (personal identification number) to ensure that only you can make phone calls and use cellular data.

By setting a SIM PIN, you can safeguard your SIM card or eSIM from unauthorized usage. This way, every time you power on your device or remove the SIM card, it will automatically lock and display “Locked SIM” on the status bar.

Unfortunately, a SIM PIN doesn’t provide complete protection. 2FA is much better.

Turning your SIM PIN on or off

Are you tired of worrying about the security of your SIM card? 

With an iPhone, you can easily set up a SIM PIN for added protection. 

  1. Go to Settings > Cellular > SIM PIN and follow the instructions.
  2. If you have a Dual SIM or Dual eSIM iPhone, go to Settings > Cellular > select the number you want to modify > SIM PIN. For iPad users, the process is just as simple: go to Settings > Cellular > SIM PIN.
  3. Take control of your SIM card’s security by turning your SIM PIN on or off.

Privacy best practices

Are you concerned about your eSIM privacy? Don’t worry; there are simple steps you can take to minimize any risks. Here’s what you need to do:

Best Practice 1: Enable security features like PIN or password protection for your eSIM profiles, as this acts as an additional layer of protection to your device and its mobile service.

Best Practice 2: Use multi-factor authentication methods, such as biometrics or additional authentication apps, to further secure your eSIM-related services.

Best Practice 3: Stay informed about your mobile service provider’s privacy policies and data handling practices. Make sure you understand how your data is collected, used, and protected.

Best Practice 4: Keep your phone updated with the latest software and security patches. That will help mitigate any potential vulnerabilities.

Best Practice 5: Use secure networks, like encrypted Wi-Fi or virtual private networks (VPNs), to safeguard your communications and data transmitted through eSIM-enabled devices.

Best Practice 6: Regularly monitor your account activities and report any suspicious behavior or unauthorized access to your mobile service provider.

By following these simple steps, you can enjoy the convenience of eSIM technology while protecting your personal privacy and sensitive data. Don’t wait—take action now to ensure your online security.

What Are the Signs of Your eSIM being hacked?

If your eSIM has been hacked and transferred to a hacker’s phone, you might notice several unusual symptoms and activities on your device or with your service. Here are some potential signs to watch out for:

  • Unexpected Loss of Cellular Service: Suddenly finding yourself unable to make calls, send texts, or use data, as the eSIM profile has been transferred, rendering your service inactive on your device.
  • Unusual Account Activity Alerts: You may receive notifications from your carrier about changes to your account that you did not authorize, such as requests to change or add services or transfer the eSIM.
  • Unauthorized Charges: You may notice charges for calls, texts, or data that you did not use, which could indicate that someone else is using your cellular service.
  • Suspicious Messages or Calls: Friends or family receiving calls or messages from your number that you did not send, suggesting someone else is using your number to communicate.
  • Device Setting Changes: Finding that settings related to your network or SIM have been altered without your input.
  • Difficulty Accessing Online Accounts: You may be experiencing trouble logging into online accounts, especially if two-factor authentication is tied to your phone number, which may have been compromised.
  • Alerts from Financial Institutions: Receiving notifications of suspicious activity from your bank or credit card issuer, especially if they are linked to your phone number for verification purposes.
  • Increased Data Usage: Noticing a spike in your data usage that cannot be accounted for by your own activity, which could suggest your eSIM is being used on another device.
  • Poor Device Performance: You may experience a sudden drop in your phone’s performance, which could be due to malware or other malicious software installed during the hacking process.
  • Unfamiliar Apps or Software: Discovering apps or software on your device that you did not download, which could have been installed by the hacker to monitor your activity or steal data.

If you suspect that your eSIM has been hacked and transferred, it’s crucial to contact your mobile carrier immediately to secure your account and consider changing passwords for your online accounts, especially those linked to sensitive information or financial services.

My SIM card got hacked – What do I do? 

  • Don’t waste any time – take immediate action and alert your mobile service provider if you suspect an eSIM hack or SIM card breach. They have the expertise to investigate the issue thoroughly, secure your account, and provide you with essential tips for preventing future unauthorized access.
  • Don’t leave your security to chance – change and update all passwords and PINs associated with your mobile service provider account, device, and any other linked accounts. Make sure to use robust, unique combinations to fortify your defenses.
  • Take your security to the next level by activating and enabling 2FA for your mobile service provider account and other relevant accounts. This extra layer of protection uses a unique code sent to your device as a second verification step to confirm your identity.
  • Stay vigilant and stay protected—monitor your account activity and regularly review your mobile service provider account for suspicious actions, such as unfamiliar calls, texts, or unauthorized changes. If you notice anything out of the ordinary, don’t hesitate to report it to your mobile service provider immediately.

The Bottom Line

Are you worried about the security of your eSIM? Don’t be! By following these guidelines and implementing strong security practices, you can confidently handle a hacked SIM card situation and minimize the risks associated with eSIM hacking. 

In fact, eSIM security features offer crucial theft protection. With its embedded nature, device authentication mechanisms, and remote deactivation capabilities, eSIM provides an extra layer of security and peace of mind.

So why wait? Take advantage of the built-in theft protection features and develop strong device security habits to ensure the safety of your devices and personal information. With these measures in place, you can enjoy a more secure and worry-free mobile experience.
