SIM Swapping

Our everyday activities have become increasingly reliant on mobile phone connectivity. Even where a phone is not directly involved in a transaction, it may be required for a confirmation-of-identity process such as Two Factor Authentication (2FA). The SIM swap attack revolves around convincing a mobile operator to move an account to another phone. This is not an unreasonable request; the SIM owner may want to replace a lost, damaged or upgraded phone but keep personal records, including the phone number, associated with the original device. Any fraudster who can successfully convince the provider of their authenticity will have the privileges of the compromised card transferred to a new SIM on a device that they control.

Possession of a genuine active card can provide a criminal with a shortcut. Some information, including the phone number, is stored on the card, and whatever else might be present gives the hacker a leg up when attempting to impersonate the account holder. When a SIM does need to be replaced, such as when upgrading a phone, hold onto the old card until the new one has been activated and then destroy the original.

Many modern phones and wearable connected devices support a virtual eSIM, and some no longer have a physical SIM card slot. This has the advantage of allowing several networks to be supported without needing to swap out a card, and it makes it easier to add or change networks. Although an eSIM is permanently part of a device, control is still governed by account credentials. Hijacking an account linked to an eSIM is not going to be much harder than with a physical card.

An early indication of a successful SIM swap would be the inability to make calls or send texts from the original device. Further signs could be a loss of access to other accounts and unauthorised online transactions cropping up. The original owner then has the possibly tricky problem of convincing the service operator and any affected account providers that they are indeed themselves, that they did not authorise any changes and that they are not themselves part of a scam to avoid paying their own debts.

Any attempt to swap a SIM is going to require successful social engineering attacks beforehand to gather enough information about the mark to fool a mobile service provider. This should be hard but is clearly still happening. In March 2023 Jordan Persad from Florida, USA was sentenced to 30 months in gaol and ordered to pay $945,833 for his part in a SIM swapping operation. In this example fraudsters obtained files of email address and password combinations, accessed webmail and gained enough details on mobile account numbers to transfer ownership to their own SIM cards. This information was subsequently used to drain almost $1 million in cryptocurrency from online wallets associated with the accounts. A SIM swap on a Tesco Mobile account in February 2022 illustrates how criminals took control of a SIM and used it to take out £40,000 in cash and loans from the victim’s bank account, all one-time confirmation and security details having been handled through the stolen phone number.

The chances of successful SIM swapping can be reduced by an awareness of social engineering attacks such as phishing but there are other measures that will specifically protect transactions through a mobile account.  2FA may require use of a phone number to send confirmation details but the risk can be reduced by choosing a biometric identifier such as a fingerprint rather than a confirmation code which might be intercepted by a cloned device.  Applications such as Google Authenticator reside on a mobile phone but rely on access keys stored on that device only and cannot be transferred.

A suspected instance of a SIM swap should be reported to the service provider. Passwords should be changed on accounts over which the holder still has control. Any access that depends on the original device for authentication should also be revoked. Data held on a phone should be regularly backed up, but not on a cloud service linked to the phone account, as this could be accessed following theft of that account. With all sensitive data securely backed up, the lost-device procedures provided by Google or Apple can safely be used to erase all data on a phone.
