SIM Swapping Scams
Mobile phones have made their way into daily life and infrastructure to the point of societal dependence. As a result, massive amounts of data and personal information are stored on users' cellular devices. To store the data that is specific to a user's phone, companies use SIM cards. SIM (Subscriber Identity Module) cards store information specific to the device used and connect that device to a subscribed network. This makes SIM cards essential to cellular networks.
The volume of potentially sensitive data stored on a SIM card makes them a luring target for hackers and scam artists. Moreover, SMS or text messages are often a vector for 2-factor authentication (2FA). An exploited SIM card could allow a malicious actor to potentially bypass 2FA because they would have access to a victim's messages. A widely used approach to this type of fraud is called SIM Swapping. At its core, a successful SIM swap will allow an attacker to change a victim's phone number over to a separate SIM card under their control, and with it will come the victim's data and any incoming calls, texts, etc. The tactics, techniques, and procedures for making this happen vary, but scams like this are still happening, and their methods are becoming more advanced.
What Happens in a SIM Swap Scam?
A SIM swap scam almost always includes some component of social engineering. A successful scam will result in what is essentially a takeover of the victim's phone. The attacker will receive all text and SMS messages, receive phone calls, use data, etc.
Fraudsters look at when SIM cards change devices legitimately. Typically, this is when users need to activate a new phone. If a malicious actor wants to target a user and change their SIM to a different phone, they will contact the user's service provider and pretend to be the victim, claiming they want to activate their new phone.
A successful SIM swap campaign begins with intelligence gathering. To activate a new phone or change SIM, a service provider needs a way to confirm the customer's identity. This is typically done by asking security questions, using a password/pin, etc. Gathering this information on someone has grown easier with the amount of data available online. This issue multiplies when there is a major data breach or security architecture flaw that could reveal PII. This was proven to be true in 2018 when a flaw in T-Mobile data storage allowed almost anyone to obtain basic information on any of their customers; the result was a massive amount of malicious SIM swaps carried out on their customers.
This type of scam aims not to run up free phone calls, text, and web surfing. Rather, having access to someone's phone gives an attacker full access to anything that uses their phone for two-factor authentication. This could be anything from bank account information, online shopping, cryptocurrency wallets, tax records, medical records, etc. Most often, successful SIM swappers use this scam as a means to steal money. Once having gained access to a victim's phone, they will use SMS messaging or texts to bypass 2-factor authentication and gain access to the victim's bank account.
The levity of SIM swapping was greatly represented when hackers could compromise the Twitter account of Jack Dorsey (CEO, Twitter) via SIM swap; they used the CEO's platform to publish several "trolling" tweets from the account of Dorsey.
Preventing SIM Swap Scams
SIM swap scams use social engineering and intelligence gathering as a means to compromise a victim's cellular subscription. To protect the greatest threat vectors of this hack, one needs to secure their PII, strengthen passwords/pins, and use multi-factor authentication.
Users should use unique and complicated passwords for cell phone accounts. Moreover, the answer to security questions should be difficult (not something found on Facebook). Authentication methods other than text messaging or SMS should be used for critical applications such as banking or, in some cases, social media. This way, a phone compromise will not equate to full identity theft or financial loss.
The potential for SIM swap scams has been proven time and again. As such, major service providers are stepping up prevention and user awareness for these types of hacks. Better customer information protection is a great place to start, but service employees also need to have better handling of customer authentication. This hack is an exploitation of poor authentication. Much of this scam can be prevented by following basic cybersecurity hygiene. Applications are increasing awareness of this as well; many notify users of a suspicious activity or attempted logins from unidentified physical locations. The effort to prevent SIM swapping lies with the users and the service providers, but both must be aware of changing tactics and threat vectors for available consumer data.
References Barrett, B. (08-19-18, 08-19-18). How to protect your phone against a SIM swap attack. Wired, Retrieved from https://www.wired.com/story/sim-swap-attack-defend-phone/ Gordon, K. (2007). SIM cards - research library - ProQuest. Law & Order, 55(3), 35. Retrieved from https://search-proquest-com.ezproxy.utica.edu/pqrl/docview/197237861/F875EC77B2B4CCBPQ/7?accountid=28902 Grace, A. (2019). SIM swap fraud explained and how to help protect yourself. Retrieved from https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html