SIM SWAPPING FRAUD

Becoming a SIM swapping victim

This was the case of A.J, who was out for dinner during a work trip when suddenly his phone service went blank. It wasn’t until he went to check his emails and social media that he realised something was wrong. In a matter of minutes, all his passwords had been reset and $75,000 worth of cryptocurrency disappeared from his crypto wallet. 

In 2018, journalist Alexandra Posadzki lived a very similar nightmare. Looking for answers, she immediately called her service provider, who informed her that someone 805.2 km away had requested a port out to a different SIM card claiming to be her. 

“They got into my Facebook and Google account, which tracks wherever I go, where I live, my work and all the restaurants I frequent on a regular basis,” she says.

Stealing your identity by hijacking your phone number

Performing an illegitimate SIM swap is tragically easy. At its most basic level, the scam occurs when someone convinces your service provider to switch your mobile number over to a SIM card they control. By diverting your incoming messages, cybercriminals can easily complete the SMS-based two-factor authentication checks that protect your sensitive accounts and authorise bank transactions. 

“Considering how much information is transmitted on cell phones, putting this data in the hands of a fraudster can be devastating in many ways,” says Julia Johnson from the Association of Certified Fraud Examiners. “When a fraudster takes control of someone’s phone number, they can quickly drain bank accounts, jeopardise electronic communications and dictate a victim’s entire online presence.”

ESET cyber security specialist Jake Moore suggests that the scammer will usually engage in social engineering before contacting the telecommunications provider. “They will investigate your social media accounts to try to obtain as much information about you and answer any security questions, which can be as basic as your date of birth,” says Moore.

“The scammer might also send phishing emails in hopes of obtaining sensitive information that can be used to unlock their wireless account,” says Johnson. 

According to Europol, recent large data breaches have undoubtedly fuelled the SIM swap fraud crimewave. “Personal data, while not directly monetisable, is potentially much more valuable, particularly to the more sophisticated cybercrime gangs who may have the capability to exploit it to facilitate other targeted cyberattacks,” their 2019 Internet Organised Crime Threat Assessment reads.  

One of the largest data breaches of 2018 was hotel giant Marriot International, where over 500 million records were disclosed, including data such as names, postal addresses, phone numbers, dates of birth, gender, email addresses, passport numbers and credit card data.

Coincidentally, 2018 saw over 65% of SIM swap reports filed to the City of London Police in the last five years. 

Is the telecommunications industry up to speed?

Despite the involvement of telecommunication companies in cyber crime operations, SIM swapping fraud victims and cyber security experts believe they could be doing more to protect their consumers from this scam.

In 2018, A.J. filed a lawsuit against his operator, AT&T, due to the American company’s “inability to stop employees from selling access to customer phones”. In October 2019, a California man also sued AT&T after one of its employees allowed a hacker to access his phone number, which resulted in the theft of more than $1.8 million in cryptocurrency.

"It's absolutely unacceptable that AT&T faces no responsibility, faced with the loss of your life savings by an act that was facilitated by a multinational corporation," he told ABC News. 

Andrés Naranjo, cyberintelligence analyst at Eleven Paths, Telefónica Group’s global cybersecurity unit, says that over 90% of SIM swapping attacks occur either by an insider or because of a trick to the insider.

“We cannot afford this to happen, because a weak employee is a weak company,” he explains. “But there are insiders in all trades of all professions, it is not a thing only typical of telecoms employees.”

Last January a Princeton study discovered that five US telecommunication companies use weak authentication techniques, leaving their customers vulnerable to SIM swapping tactics.

By signing up for 10 prepaid accounts each on AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless, the researchers found that they only needed to successfully answer one thing to verify their identity and get the companies to perform a SIM swap — even if they got the other authentication challenges wrong.

Moore rang up his telecommunications provider, Vodafone UK, to test the strength of their authentication methods. “It’s a simple guess. They want just two numbers and give you three goes to get them right,” he says. “The provider doesn't assume something is happening and that's the issue. I think they need to up their training.”

Vodafone and all other main telecommunications providers in the UK did not immediately respond to requests for comment for this story.

Why you should stay away from SMS-based 2FA

As SMS becomes the global default solution for banks and social media platforms when it comes to two-factor authentication (2FA), the rise of SIM swapping fraud has posed questions on the vulnerability of relying on this method to authorise transactions and secure our sensitive accounts.

“Criminals are aware that banks are now relying on SMS for 2FA transactions, so they will continue to abuse and weaken the systems in place and exploit these methods for their own advantage,” says Chris Stephens, head of fraud and security analytics at Callsign. 

Once the fraudster is in control of the victim's mobile number, it can immediately thwart SMS-based 2FA checks that were expected to protect the user’s online bank account, email and social media. By resetting any of the passwords of the compromised accounts, the full takeover is complete.

Last August, Twitter CEO Jack Dorsey became one of the most notable SIM swapping victims. On the 21st of November, the social network finally allowed users to disable SMS-based 2FA for their accounts and use an alternative method, such as a mobile one-time code (OTP) authenticator app or a hardware security key.

Researchers at Princeton University found that 17 major companies, among them Amazon, Paypal or Venmo, still allow users to reset their passwords via text message.

As of this writing, 9 of these 17 websites remain vulnerable by default, including the ones listed above.

Although SMS-based 2FA is not an effective security control on everything and every instance, senior director of security at Auth0 Duncan Godfrey, believes it is better than nothing.