Samsung Galaxy smartphone. Photo by MOHI SYED via Pexels, used with thanks.

SIM swapping is an attack that undermines SMS two-factor authentication (SMS 2FA). SMS 2FA is meant to add a second layer of security to your accounts: besides your password, you must enter a one-time password (OTP) that the service sends to your phone number by text message when you log in.

We’ve reached a point where it is common not only for thieves to crack users’ passwords, but for attackers to take over users’ phone numbers as well, typically by persuading or bribing someone at the carrier to move the number onto a SIM they control. Once they receive the victim’s SMS 2FA codes, they can log in to financial services, email and other online accounts, which also makes this an identity-theft risk. If you’re using SMS 2FA, you should switch to a stronger authentication method such as app-based 2FA soon.

Many online services already offer this in their security settings, often labelled ‘Google Authenticator’, although you don’t have to use the Google Authenticator app itself: any standard authenticator app, such as Google Authenticator or FreeOTP, will work with that feature. Be aware that with app-based 2FA you must back up your 2FA keys yourself, or risk losing access to your account if the phone is lost or reset. Also be wary of apps that try to intercept your 2FA keys or offer to back them up to the cloud for you; that poses its own risks.

Some services provide backup codes that you can use if you lose your phone, for example, but many don’t. When you enable app-based 2FA, you are shown a secret key and a QR code (which encodes the same key) to scan with your authenticator app. Store the key somewhere safe before proceeding; you will most likely then be asked to enter a code from the app to confirm that it was configured correctly.

App-based 2FA usually uses TOTP or HOTP. TOTP stands for Time-Based One-Time Password and HOTP for HMAC-Based One-Time Password; they differ only in what is counted. TOTP works from a unique secret key provided by the website you’re logging into: the app combines that key with the current time (rounded down to a 30-second step) using an HMAC and derives a short single-use code (usually 6 digits) that you enter in order to log in. HOTP does the same with a counter that increments on every use instead of the clock. You enter the secret key only once, during setup, and from then on the app generates codes on its own whenever you open it.

In most cases the code changes every 30 seconds, and the service should accept each code only once, which is what makes it a ‘one-time’ password. Because a code is valid only briefly and the service limits login attempts, an attacker cannot simply guess it. After the initial setup, nothing needs to be sent to your phone anymore: the app generates the codes itself, even offline.

In the interim, contact your carrier about how to reduce the risk of SIM swap fraud. Some carriers let you add a PIN to your account that must be supplied before the number can be moved to a new SIM, which reduces the risk.