Cybercriminals are using eSIM technology to hijack data, access bank accounts, researchers warn

FACCT, Russia’s leading cybersecurity company, has issued a stern warning about criminals using eSIM technology to steal phone numbers and access sensitive bank accounts. The news, reported by BleepingComputer, sheds light on a disturbing trend in which eSIMs, originally designed for convenience, are now being used as tools for fraud.

What is eSIM technology?

An eSIM (or electronic SIM card) is the digital evolution of the physical SIM card. It resides on a chip in the mobile device and offers the same functionality, with the added benefit that it can be reprogrammed remotely. Users add an eSIM to their device by scanning a QR code provided by the service provider. The innovation, widely welcomed by smartphone manufacturers, eliminates the need for traditional SIM card slots and makes cellular connectivity possible even in compact wearables.

Adaptation strategies of cybercriminals

However, cybercriminals have proven to be very adept at exploiting vulnerabilities inherent in eSIM technology. Since the fall of 2023, analysts from FACCT’s Fraud Protection Unit have observed a surge in attempts to compromise personal accounts within a well-known financial institution. These attackers carry out SIM swapping by first breaking into users’ mobile accounts through a variety of means, including stolen or brute-forced credentials. They then generate a QR code from the compromised account and port the victim’s number to their own device. This effectively seizes control of the victim’s phone number while deactivating their legitimate eSIM or physical SIM card.

Access sensitive data

Once a victim’s mobile phone number is in hand, criminals have unfettered access to a treasure trove of sensitive information, the report said. This includes obtaining access codes and bypassing two-factor authentication measures for services ranging from banking platforms to messaging apps. Using stolen phone numbers, cybercriminals can even manipulate SIM-related accounts in messaging apps, assuming the victim’s identity to commit fraudulent activities, such as soliciting illicit fund transfers.

How to protect yourself from eSIM scams

Because of this potential threat, cybersecurity experts advocate taking strict measures to protect against eSIM fraud:

1. Use strong, unique passwords for each application and update them regularly.

2. Enable two-factor authentication in all critical accounts (such as email, banking apps, and social media) and avoid sharing these codes with anyone.

3. Be alert to text messages related to SIM blocking or transfer requests and verify their authenticity.

Additionally, follow basic security practices, such as avoiding disclosing personal information to unknown entities, to reduce the risk of falling victim to eSIM-related scams.

Surja, a dedicated blog writer and explorer of diverse topics, holds a Bachelor's degree in Science. Her writing journey unfolds as a fascinating exploration of knowledge and creativity. With a background in B.Sc, Surja brings a unique perspective to the world of blogging. Her articles delve into a wide array of subjects, showcasing her versatility and passion for learning. Whether she's decoding scientific phenomena or sharing insights from her explorations, Surja's blogs reflect a commitment to making complex ideas accessible.