SIM Swap Fraud: Don’t Be Its Next Victim
For many victims of SIM swap fraud, the first time they learn about the attack is in the hours after their life has been changed forever. It’s an all too common story, the signal bars disappear from your mobile phone, you call the phone number – it rings, but it’s not your phone ringing. Chaos ensues. You’re now getting password reset emails from Facebook and Google. You try to login to your bank account, but the password fails. Soon enough the emails stop coming as attackers reset all your account passwords. You have just become the newest victim of SIM swap fraud and your phone number is now at the control of an unknown person.
After a few sleepless days, you piece it all together. Your bank account is empty, your emails and data have been downloaded and deleted. Your credit file is in tatters and all you have is a ransom demand for cryptocurrency from the hackers to show for the ordeal.
What is SIM swap fraud?
Let’s cover where exactly the fraud is in SIM swap fraud, by first covering porting a mobile number over without the fraud. Here in the U.K., every mobile phone number can have a porting authorization code (PAC) generated for it. This code, given to the mobile phone owner by their current network operator will allow you to switch providers. You simply ring up your current operator, ask for the PAC number and give this code to the new operator. A few days later your phone number has been transferred to a new network.
Now let’s add the fraud bit. This system has been abused for over a decade as a way to steal people’s mobile numbers. A criminal would just call up your operator, pretend to be you and get the code. Following this, they would just buy a new SIM card, port the number too it and voila! They have now stolen the original mobile phone number. Even if the number is then identified as stolen by this method, it will still take a few days to get it back to the original owner.
Victims often find the loss of their phone number as the most distressing part of this fraud because it upends their daily routines instantly. However, the impact doesn’t stop with phone issues. The whole driving force behind this kind of fraud is that it provides the fraudster an entryway to takeover your email address, your bank account and your identity online ranging from your social media accounts to online services like PayPal and Amazon accounts.
Wait a minute, you think. How did this suddenly go from just my mobile number to my entire life online? The answer is quite simple really.
Many email and social media accounts will reset an online account’s password if they can send a verification code to your mobile phone. It’s quite easy for a fraudster to go to a victim’s online account, type in the victim’s email address and then get a code sent to the phone number they now control. This quickly multiplies the opportunities for the perpetrator to commit profitable crimes with your data.
Once a fraudster has control of your Google account, they can look at your location history, emails, photos, etc. Once the fraudster makes the jump from your mobile phone to your email address, you’re really cooked.
Other ways a fraudster could leverage a SIM swap attack include:
- Bypass 2-factor authentication on accounts for which they’ve already compromised the password
- Approve transactions using your bank account through SMS notifications.
- Defame you by making derogatory calls to your clients and/or boss to embarrass you and possible set up a blackmail attempt
- They could use your phone number to make vishing calls to other potential victims.
Where’s the weakness?
The SIM swap attempt is dependent on the knowledge of the victim’s SIM Number/ICCID. This could be found in an employee’s drawer from a leftover SIM pack in a phone box. It can also be obtained with 10 seconds of access to most phones (iPhone>Settings>General>ICCID).
Phone service operators typically use the ICCID a lot, almost like a password to get access to the PAC. However, with the number of places that it is available from – and we’re talking left over SIM card packs, the actual SIM Card in a phone, to a guy with an IMSI catcher at the end of your drive- it simply isn’t a good enough method of validation.
The issue with PAC numbers is they must get from the operator to the customer as securely as possible. A big part of this transaction is the trust an operator must place in an inbound caller asking for a PAC. They should all work on securing this trust better, not just for PAC numbers but for all customer inbound calls.
Protecting yourself from SIM swap fraud
The root cause of the issue is poor authentication on the part of the network operators. Like all companies that deal with customer records or sensitive information, you will normally find yourself answering a few simple questions for “data protection” reasons to gain access to an account. While this is adequate for some businesses, it clearly isn’t as good as it can be.
As far as the U.K. is concerned, regulators haven’t been much help in protecting consumers on this issue. “Operators are responsible for their own security processes,” according to Ofcom, the telecommunications regulator in the U.K.” That means your data’s security is entirely in the hands of your provider at the end of the day, so it is important to push them to take this seriously.
The following tips may help reduce the risk of falling victim to SIM swap fraud, they know that they have been successfully circumvented in field tests:
- Ask for extended security measures. While this will vary from different operators, most will allow you to set a password on your account.
- Chose an operator that validates customers well, in the UK O2 handles things slightly better than Vodafone, but each carrier is vulnerable to some extent.
- Register “Pay-as-you-go” devices – often paygo devices are not properly registered so carriers can’t validate details even if they tried. Security questions can be “what was the last number you rang” or “how do you pay your bill?”
This article was adapted from a series of articles about SIM swap fraud that originally appeared on The Antisocial Engineer’s blog. To learn more about preventing account takover (ATO) attacks from a merchant perspective read this AF article.