By Karla Reffold

According to new research, eSIM cards are being hijacked for cyber attacks. eSIM cards are remotely programmable chips that are stored within phones and other wearable devices. Because they are remotely programmable, they are popular with manufacturers as there is no need for a SIM access point on the device.

The eSIM can be installed by scanning a QR code from the phone company. To conduct the attack, attackers have simply been making a request for the QR code on the phone company’s website.

As phone companies have introduced measures to combat SIM swapping, this demonstrates how attackers will change techniques to achieve their goals. Swapping the SIM does give attackers access to the victim’s phone number and their correspondence, which increases the risk of personal loss as attackers may try to request money from friends and family.

It also increases the risk of multi-factor authentication (MFA) bypass where the user has been receiving alerts to their phone number.

At Surefire Cyber, we have seen an increase in the number of attacks that involve MFA bypass. One of the ways this can be done is where a threat actor adds their own method for authentication such as SIM swapping or adding an authenticator app. Surefire Cyber has observed an increase in threat actors adding their own method for authentication, compared to 2023. However, a lack of MFA on key services, such as VPN, remains the dominant cause of compromise.

To combat this, organizations should consider using more robust methods of MFA, such as authenticator apps, rather than relying on phone numbers.