Is your Mobile / Cell Phone the new target for Hackers? Sim Swap Fraud – what is it?
As Phone technology advances, there is an increasing move towards making it the key authentication method for a user’s online presence. This started with a simple code being sent via SMS messages to some providers enabling password free authentication by pressing a YES button to logon. This move has seen hacker’s move at an increasingly fast pace, having firstly developed sophisticated man-in-the-middle attacks for SMS. Phone manufactures have countered with the implementation of increasingly advanced lock codes and fingerprint / facial recognition technologies, though it is likely only a matter of time before hackers develop solutions to compromise these net methods
Today I heard that a friend was compromised by a new form of Identity Fraud called Sim Swap Fraud. If you don’t know anyone who has experienced it, then consider yourself lucky.
One of my customers wanted to discuss alternatives technologies to enhance his Bank’s current password and security processes. He was a victim of Sim Swap Fraud and he was trying to get his personal accounts back under his control.
How does it happen?
A SIM card stores your user data in your (cell) smart phones. The criminal uses social engineering to target a (usually wealthy) person’s cell phone. They will generally call the phone company and talk to the representative and request a new SIM card be issued to their target (which the fraudster has no access to). All they need to do is to call until they speak with a willing (or naïve) support representative.
In order to prepare for a SIM swap scam, the criminal must first gather as much of your information as they can. They might steal your physical mail (from your mailbox or rubbish bin) or by phishing for personal credentials using legitimate looking emails and getting you to respond with your personal credentials (names, birthdays, addresses, phone no.s, etc). They may also just buy your information from criminal sites on the Internet (or the Dark Web).
Once they’ve achieved a critical mass of your personal information, they will call the phone company, and claim that their SIM card has been lost or is no longer functioning. They’ll then ask the Support Rep to activate another SIM card in their possession. Of course the criminals have generally done their homework and can answer your security questions from the personal information they’ve garnered.
Once the criminal has your cell phone number, they will generally try to access your bank accounts. They can also read your email and SMS’s, and there is usually a message from your bank. If they request a password reset, the reset link and a code is sent to your cell, and voila!! Note that this is a real world example and the criminal now had access to the bank account of the friend previously mentioned, and started to use their funds at will. The criminal also has access to their transaction history and card information and according to their bank “the transactions did not look suspicious” and we guess they were subject to less scrutiny by the bank.
So how do you tell you’ve been a victim of SIM Swapping?
Well simple. You’re phone no longer works. If you can’t call or text next time you use your cell, you may have been compromised.
Fortunately, the telcos and Banks are fighting back. They are activating security processes when SIM reactivation is requested. Alerts are now generally sent out when the request is first made. Also behavioural anomalies can be detected and if so, no SMS (code/password) will be forwarded.
This is not an easy security breach to uncover or recover from. While there is work underway by financial institutions and the phone companies to negate this issue, unfortunately your cell holds a wealth of personal information and while the phone is used as a source of authentication, it’s going to be difficult to slow down this scam.
Can Multifactor Authentication (MFA) help?
The answer is Yes. As long as you use Multifactor Authentication (MFA) and not 2 Step Auth (2SA). If you’re SMS password was sent from your bank to your phone, then this would simply give the authentication credential to the criminal. MFA requires 2 totally separate factors of authentication so a single SMS in conjunction with another cell based authentication mechanism would NOT provide the fraudster with access. It may even be separate from your phone, so that you do not rely on one authentication channel.
Please stress MFA to your banks and always opt for MFA when accessing your phone banking app. You’ll be grateful one day!
Steve Medcalf
President, Mi-Token Inc
To find out more about Mi-Token’s Multifactor Authentication system click here: https://www.mi-token.com