SIM Swap Attacks Let Criminals Bypass Bank 2FA and Drain Accounts

In a SIM swap attack, a criminal convinces a mobile carrier to transfer a victim's phone number to a new SIM card. Once they control the number, they intercept SMS-based two-factor authentication codes and gain full access to the victim's bank accounts, email, and crypto wallets. The FBI tracked $26 million in reported SIM swap losses in the U.S. in 2024. In the UK, cases surged 1,055% in a single year, from 289 in 2023 to over 2,900 in 2024. Australia saw a 240% increase in SIM swap fraud reports. T-Mobile was hit with a $33 million arbitration award after a single SIM swap attack drained a customer's cryptocurrency holdings.

This is devastating because SMS-based two-factor authentication is still the default security method for the vast majority of U.S. bank accounts. When a customer sets up their Chase, Bank of America, or Wells Fargo mobile app, the bank sends a text message code to verify identity. This creates a single point of failure: whoever controls the phone number controls the account. A SIM swap takes minutes to execute — often through social engineering a carrier store employee or exploiting an insider — but recovering from the resulting account takeover takes weeks or months, if recovery is possible at all.

Victims face a Kafkaesque recovery process. The bank says the transactions were authenticated with valid credentials. The carrier says the SIM swap was requested by the account holder. Neither institution accepts responsibility. A Bank of America customer lost $38,000 to a SIM swap in late 2024 and had to fight both institutions simultaneously. Individuals aged 61 and over now account for 29% of all account takeover victims, a 90% year-over-year increase, because elderly users are less likely to notice a sudden loss of cell service and more likely to rely on SMS as their only 2FA method.

This problem persists because of a misalignment between telecom security and banking security. Banks outsourced their authentication to phone carriers without requiring those carriers to meet banking-grade security standards. Carrier store employees can process SIM swaps with minimal verification because the carriers prioritize customer convenience over security. Meanwhile, banks continue to default to SMS 2FA because app-based authenticators (like Google Authenticator or hardware keys) create friction and support costs. The result is a systemic vulnerability where the weakest link in the security chain — a minimum-wage retail employee at a carrier store — effectively controls access to billions of dollars in bank accounts.
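The two points above, that the phone number is a single point of failure and that an app-based authenticator removes the carrier from the trust chain, can be shown on the bank's side of the login. The following is an added example written for this article, not code from any bank or carrier named here. It assumes two things that are labelled in the comments: a hypothetical carrier lookup that reports when the number was last moved to a new SIM (the `sim_last_changed` field), and a hypothetical policy window of seven days during which an SMS code is not trusted on its own. The TOTP part implements RFC 6238 over RFC 4226 HOTP with the standard library, so it is checked against the published test vector; the secret lives on the authenticator, not on the phone number, which is exactly what a SIM swap cannot reach.

```python
"""Bank-side step-up decision: when may an SMS code stand alone, and how the
alternative (RFC 6238 TOTP) is verified. Added example, not production code."""
import hmac
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy values for this example (not from the article or any bank).
HIGH_RISK_ACTIONS = {"password_reset", "add_payee", "transfer_large", "change_phone"}
SIM_CHANGE_WINDOW = timedelta(days=7)   # distrust SMS this long after a SIM change


@dataclass
class AuthContext:
    action: str
    # Assumed to come from a carrier "SIM change" lookup; None = no recent change known.
    sim_last_changed: Optional[datetime]
    now: datetime


def sms_otp_allowed(ctx: AuthContext) -> bool:
    """True only if an SMS code may be the sole second factor for this action."""
    if ctx.action in HIGH_RISK_ACTIONS:
        # Never let control of the phone number alone authorise these actions.
        return False
    if ctx.sim_last_changed is not None and ctx.now - ctx.sim_last_changed < SIM_CHANGE_WINDOW:
        # The number was recently moved to a new SIM: treat it as possibly swapped.
        return False
    return True


def required_factor(ctx: AuthContext) -> str:
    """Name the factor the bank should demand for this request."""
    return "sms_otp" if sms_otp_allowed(ctx) else "totp_or_hardware_key"


# --- RFC 4226 HOTP / RFC 6238 TOTP, the app-based alternative to SMS codes ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) with HMAC-SHA1 and dynamic truncation (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the current 30-second time step (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 6238 Appendix B shared secret (ASCII "12345678901234567890"), used only to
# show the implementation matches the published vectors.
RFC_SECRET = b"12345678901234567890"


def demo() -> str:
    """Walk one high-risk request through the policy; returns the factor demanded."""
    now = datetime(2024, 11, 1, tzinfo=timezone.utc)                 # constructed
    ctx = AuthContext("transfer_large", now - timedelta(days=2), now)  # SIM moved 2 days ago
    factor = required_factor(ctx)
    if factor == "totp_or_hardware_key":
        # The customer's authenticator app produces the code from its own secret;
        # nothing about the phone number is involved in this check.
        assert verify_totp(RFC_SECRET, totp(RFC_SECRET, 1111111109, digits=8),
                           1111111109, digits=8)
    return factor


if __name__ == "__main__":
    print(required_factor(AuthContext("view_balance", None, datetime.now(timezone.utc))))
    print(demo())
```

The policy half is the cheap change a bank can make without retiring SMS overnight: SMS remains for low-risk actions, but any action that would let an attacker cash out, and any number that a carrier reports as recently re-provisioned, is pushed to a factor the carrier cannot hand over. The TOTP half shows what that factor looks like; a hardware key (FIDO2) goes one step further by binding the response to the bank's origin as well.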

Evidence

FBI IC3: $25.98M in reported SIM swap losses in 2024: https://deepstrike.io/blog/sim-swap-scam-statistics-2025
UK SIM swap cases surged 1,055% in 2024: https://www.efani.com/blog/sim-swap-fraud-statistics-2026
T-Mobile $33M arbitration award: https://keepnetlabs.com/blog/what-is-sim-swap-fraud
Australia 240% increase in SIM swap reports (IDCARE).
Adults 61+ are 29% of account takeover victims, 90% YoY increase.
Bank of America customer lost $38,000 to SIM swap in late 2024.
