SIM-swapping is on the rise, leading to millions in losses for consumers who found their bank accounts drained and other accounts taken over. The attacks, which consist of duping mobile carriers into switching a target’s phone services to an attacker-controlled phone, have accelerated by several hundred percent in one year.
SIMs are small chips inside mobile phones that allow the network to identify and register subscriber devices – a requirement to provide service to them. Most attacks take the form of social engineering, where cyber criminals impersonate victims and convince customer service departments to change victims’ services to new phones that they control.
Once the service has been redirected, the crooks receive all of the victim’s calls, texts and voicemails and can see saved profile data. This allows them to send password-reset and account-recovery requests for the victim’s email and other accounts; because the one-time passcodes used for multi-factor authentication now arrive on the attacker’s phone, MFA is defeated and high-value accounts can be taken over.
While SIM-swapping isn’t a new practice, the attacks now seem to be accelerating at a rapid pace. Last year, 1,611 SIM-swapping complaints were received, with adjusted losses stemming from the resulting account takeovers and data theft totalling more than £50 million. In contrast, for the entire three-year period between January 2018 and December 2020, there were just 320 SIM-swapping complaints, with adjusted losses of approximately £8.8 million.
It isn’t a difficult plan to execute successfully, as many networks don’t ask in-depth security questions that verify that the caller is the legitimate user. Often, the questions can be answered with previously phished information or even with public information found on social media. The frequency of large-scale data breaches also contributes to this particular scam’s higher success rate, according to researchers.
“When people wonder what the consequences of large-scale data breaches are, this is exactly it. Both people and companies have become conditioned to being able to verify identity through simple questions like mother’s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur.”
Other attack vectors include phishing and insider-threat avenues. For instance, when it came to light in 2019 that Twitter CEO Jack Dorsey was the victim of a SIM swap, it was reported that “hacking crews have paid off phone company employees to do…switches for them, often for as little as £75 for each phone number.”
There’s very little that end users can do to avoid becoming victims of SIM-swapping. Primarily, it’s the mobile phone company’s responsibility to ensure its customers don’t get scammed. Researchers added: “All organisations, but especially service providers, must move from more simplistic means of validating identity to more sophisticated ones. PIN codes unique to each user’s account can be one way of adding additional security to the process.
“Out of wallet questions are another alternative that works by verifying much harder to compromise information, such as the last three home addresses or cars. It may be more of a hassle for everyone, but it’s simply no longer viable to rely on information that has been routinely compromised to validate a person’s identity.”
This attack vector has grown so much that the FBI has issued advice to both mobile networks and consumers:
- Educate employees and conduct training sessions on SIM swapping.
- Carefully inspect the sender addresses of incoming email that appears to be official correspondence, looking for slight changes that make a fraudulent address look legitimate or resemble an actual client’s name.
- Set strict security protocols enabling employees to verify customer credentials before changing their numbers to a new device.
- Authenticate calls from third-party authorised retailers requesting customer information.
- Do not advertise information about financial assets on social-media websites and forums.
- Do not give out mobile account information over the phone to callers who ask for your account password or PIN; verify the request by dialling your mobile network’s customer service line yourself.
- Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.
- Use a different, unique password for each online account.
- Be alert to any unexpected change in SMS-based connectivity, such as suddenly being unable to send or receive texts.
- Use strong MFA methods such as biometrics, physical security tokens or stand-alone authentication applications to access online accounts.
- Do not store passwords, usernames or other information for easy login on mobile device applications.
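The advice above to treat SMS connectivity changes as a warning sign and to prefer stronger MFA factors can be turned into a concrete policy on the service-provider side. The following is an added example (not code from the FBI or from any carrier): a small step-up decision function that refuses to fall back to an SMS one-time code when an assumed carrier lookup reports that the number’s SIM was recently changed or ported, and instead demands an app/hardware factor or routes the request to manual verification. The carrier signal fields, the seven-day window and the action names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumed policy values (not from the article): a SIM change or port inside this
# window makes the phone number untrusted for delivering one-time codes.
SIM_CHANGE_COOLDOWN = timedelta(days=7)
HIGH_RISK_ACTIONS = {"password_reset", "account_recovery", "add_payee"}


class Decision(Enum):
    ALLOW_SMS_OTP = "allow_sms_otp"                  # number looks stable
    REQUIRE_STRONG_FACTOR = "require_strong_factor"  # app or hardware token instead
    HOLD_AND_REVIEW = "hold_and_review"              # no strong factor enrolled: verify out of band


@dataclass
class CarrierSignal:
    """What an assumed carrier lookup reports for the number on file (None = no event on record)."""
    last_sim_change: Optional[datetime]
    last_port_out: Optional[datetime]


def number_recently_changed(signal: CarrierSignal, now: datetime) -> bool:
    """True if the SIM was swapped or the number ported within the cooldown window."""
    for event in (signal.last_sim_change, signal.last_port_out):
        if event is not None and timedelta(0) <= now - event <= SIM_CHANGE_COOLDOWN:
            return True
    return False


def decide(action: str, signal: CarrierSignal, strong_factor_enrolled: bool, now: datetime) -> Decision:
    """Pick the authentication path for a sensitive action on the customer's account."""
    if number_recently_changed(signal, now):
        # Whoever holds the number right now may not be the customer: never send the code by SMS.
        return Decision.REQUIRE_STRONG_FACTOR if strong_factor_enrolled else Decision.HOLD_AND_REVIEW
    if action in HIGH_RISK_ACTIONS and strong_factor_enrolled:
        return Decision.REQUIRE_STRONG_FACTOR  # strong factor available, so prefer it for risky actions
    return Decision.ALLOW_SMS_OTP  # SMS remains acceptable for a stable number


def demo() -> dict:
    """Constructed cases: a SIM swapped two hours ago versus a number untouched for 30 days."""
    now = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
    swapped = CarrierSignal(last_sim_change=now - timedelta(hours=2), last_port_out=None)
    stable = CarrierSignal(last_sim_change=now - timedelta(days=30), last_port_out=None)
    return {
        "swapped_no_strong": decide("password_reset", swapped, False, now).value,
        "swapped_strong": decide("login_otp", swapped, True, now).value,
        "stable_login": decide("login_otp", stable, False, now).value,
        "stable_reset_strong": decide("password_reset", stable, True, now).value,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```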