What is a SIM Card? Why Do We Still Use Them?

These simple integrated circuit chips link mobile devices to accounts. But they do have downsides.
Tammy Xu
March 30, 2021
Updated: June 4, 2021

The Subscriber Identity Module (SIM) card is something you probably don’t think about very much, except when you get a new phone and the card needs to be transferred from the old device to the new one, along with the phone’s stored information.

But SIM cards serve an important purpose in telecommunications. They link a physical device with the owner’s account, making it possible to route calls for individuals to the right device and allowing phone companies to accurately measure utilization and charge subscribers for their service.

What is a SIM Card?

SIM cards store information that helps mobile service providers associate physical mobile devices with individual customer accounts. The cards themselves are similar to credit cards and hotel key cards, with integrated circuits printed on them. SIM cards allow phones to send and receive calls and messages, and help providers accurately track billing for their customers.

The cards themselves are simple plastic pieces with chips on them, similar to those found in credit cards and hotel key cards. According to InfoSec Institute, a technology training company, the original SIM card was the size of a credit card, but the cards have been steadily shrinking since appearing on the market in 1991. The current size — the nano SIM — is only the size of the circuit printed on the card, and it stores the identifier code of the phone’s account user on its programmable memory, which holds between 16 and 256 KB of data.

Switching Out SIM Cards Is Convenient for Travel

Having an identifying card that is separate from the mobile device has its advantages, such as when a phone user travels abroad. Instead of paying high international rates through a home-country phone provider or getting a completely new phone, a traveler can purchase another SIM card from a carrier that operates within the destination area for a low price. All of the data and applications on the physical device would still be accessible, and once the user returns from the trip, the original SIM card can be switched back.

“Back when we traveled, my family members all just bought different SIM cards,” said Paige Hanson, chief of cyber safety education at NortonLifeLock. “Instead of paying extra to get an international plan, it was so easy to just swap it out — it works great in that country and it has a certain amount of data to use. It was almost thought of as a convenience, or paying less.”

And in a pinch, a user’s SIM card can be easily removed from a defective phone and inserted into a different device. If the user’s phone suddenly dies and they need to receive an important call, the SIM card can be switched into a friend’s phone and still receive calls and messages.

But some argue it’s time to move on from SIM cards — that as an out-of-date technology, they may actually be hindering progress and inflating phone bills.

While switching out SIM cards might be convenient during international travel, there’s always the possibility a card that’s been removed could get lost. SIM cards also tie customers to their service providers, because switching providers usually involves getting a new physical SIM card — not very difficult, but it may deter users due to the inconvenience.

If phone companies switched to using user identification codes and passwords to link accounts with physical devices, that would allow users to more easily switch between service providers without opening up the phone.

That said, developments in recent years indicate the SIM card is probably here to stay, although its format may be changing. In 2018, Apple’s phones began including space for two SIMs per device — allowing users to have multiple active phone plans, or to more easily switch between subscriptions. For phones shipped in most of the world, one of the two SIMs is an “embedded” SIM, or eSIM, meaning there is no physical card that can be detached from the phone. Providers can reset the eSIM when customers decide to switch carriers.

SIM Cards Are Vulnerable to SIM Swapping Attacks

One of the risks associated with SIM cards is a hack called SIM swapping, which has become more common in recent years. An attacker convinces a service provider that they are one of the provider’s existing customers, then asks for the victim’s existing account to be transferred to a new SIM card the attacker purchased.

Because there is no way, aside from SIM cards, for providers to detect whether a physical device belongs to the account holder, this attack results in the victim’s account being transferred to the attacker’s new SIM card, which the attacker can then use on any phone.

Hanson said SIM swapping has become even more of a risk over the past year, as more account transactions have become virtual.

“Each company has a call center, and they’re going to have a series of authentication questions that they ask to verify what they think is their wireless customer,” Hanson said. “As long as you answer those questions successfully, then you’re able to act as if you are the actual customer.”

Attackers have many ways of obtaining the information they need to successfully get past authentication questions. They can target customers whose personal information has been compromised in previous hacks, or customers who have posted relevant information online themselves.

“Possibly your social media is giving away those answers to the questions because you have a public profile,” Hanson said. “The questions could be ranging from, ‘Where did you go to high school? What’s your anniversary? What’s your mother’s maiden name?’ — the questions that we’re all asked when we’re signing up and adding security questions.”

How to Protect Against SIM Swapping

Once a customer becomes the victim of a successful SIM swapping attack, their phone will no longer work properly. The customer won’t be able to make outgoing calls or receive incoming calls and messages.

As a result, attackers have a limited window of time to use the account before the customer figures out there is a problem — but that doesn’t mean attackers can’t do considerable damage. Many services and websites use phone calls or text messages to authenticate users. Attackers who have access to a customer’s account through a new SIM card can get past those barriers and many two-factor authentication processes.

“The account says, ‘Oh, we don’t recognize this browser, we need that second layer of authentication.’ It sends a text to, now, the fraudster, and they essentially can then have access to your bank, social media and email accounts,” Hanson said. “That is the biggest reason why there is SIM card swapping. ... When they have access to receiving either the phone calls with the six-digit code or the text messages, that’s when there’s a big problem — and they do an account takeover.”

But there are steps service providers and customers can take to protect themselves from SIM swapping. Hanson said most major providers use PIN numbers as an added layer of security. After a customer sets up their PIN with the provider, subsequent changes to the account, including porting the account over to a new SIM card, would require the PIN.

“The PIN code should be unique, something that you’ve never used before,” she said. “If you use a PIN code on your phone, and you use the same one for your ATM, there’s a higher chance of having an identity theft incident.”

Companies implementing two-factor authentication should also avoid using authentication methods that rely on sending codes to users’ phones through texts or calls, as those methods are vulnerable to successful SIM swapping attacks. Instead, companies can use app-based authentication methods. Users just have to download an authenticator app, such as Google Authenticator, to their mobile devices. The authenticator app generates codes that can be used to confirm the user’s identity — and because the codes are generated through an app on the phone, the individual trying to gain access needs to have the user’s phone, not just a SIM card.

Security companies such as NortonLifeLock also provide account monitoring services that look for signs an account has been compromised. In the event of a SIM swapping attack, these services would notify the account holder, and also assist in mitigation and recovery if the attack was successful.

Hanson said it’s also important to be knowledgeable and vigilant. The faster a consumer responds to a SIM swap attack, the less time the attacker has to inflict damage. If you suddenly can’t send or receive calls on your phone, it could be a good idea to call the provider right away.

“If all of a sudden you don’t have service and your calls and texts aren’t going through, some people just shrug it off as no big deal,” she said. “They’ll say, ‘That’s weird, my phone’s not working,’ and try turning it on and off — and then eventually, they might call the carrier and see what’s going on. But people’s skill level or just willingness to try to find out right away what’s going on with their phone can determine how long it could take.”

SIMs Are Here to Stay

While it appears that SIMs are going to be part of mobile communications for the foreseeable future, it may become more common for customers to have accounts with multiple providers at one time. Apple’s devices give customers the option of juggling two carriers, or having a primary provider that’s connected to an eSIM and multiple SIM cards for travel.

Or eSIMs could become the dominant type of SIM card — although they are just as prone to SIM swapping attacks as regular SIM cards, users don’t have to worry about losing the card and having to reconfigure their account with their primary provider. Ultimately, it depends on the type of behavior customers want.

“If you’re the type of individual that needs to take out your SIM card because you’re traveling in two countries, maybe that’s not the best thing for you,” Hanson said. “But for me, for instance, an eSIM card would probably be more of a solution for what I want, because I wouldn’t be able to physically remove it.”
