SIM swapping occurs when someone contacts your wireless carrier and is able to convince the call center employee that they are, in fact, you, using your personal data.
After a SIM swap, the attacker receives the victim's SMS OTPs and can impersonate them to take over their accounts.
Further, SMS OTPs also suffer from OTP phishing because they are bearer tokens: whoever intercepts an OTP, or tricks the user into divulging it, can impersonate the user and take over the account, and account takeover of this kind accounts for 81% of data breaches and online fraud.
Attackers do this by using data that is often exposed in hacks, data breaches, or information you publicly share on social networks to trick the call center employee into switching the SIM card linked to your phone number to a SIM card in their possession.
Once your phone number is assigned to a new card, all of your incoming calls and text messages will be routed to whatever phone the new SIM card is in.
Several SIM swap attacks have resulted in serious financial fraud. One victim, Robert Ross, claims he had one million dollars stolen after an AT&T customer service representative was tricked into redirecting Ross's number to a cellphone under a hacker's control.
A hospital lost $20K to the same kind of SIM swap attack, as noted here.
This leaves us with the question: are we better off with software/app-based OATH OTPs such as Google Authenticator? The answer is "no": tools such as Modlishka, Evilginx and Muraena can proxy submitted OTPs to the real site in real time. This is because legacy OTPs (including those from Google Authenticator) are bearer tokens with no binding to the site the user is actually talking to, so they can be intercepted and replayed, as depicted below.