By Yubico chief solutions officer Jerrod Chong
Cyber criminals are using a simple trick to steal people’s mobile phone numbers, move them to a different SIM card, and then use the stolen number to gain access to the victim’s other personal information, including their bank and government service accounts.
This technique is called SIM swapping and due to the growing reliance on mobile phones, this vehicle is increasingly targeted as a way to take over a person’s account.
In most cases, threat actors only need a target’s account number and date of birth, that can easily be obtained through social media, to make this type of request from a mobile carrier. While these attacks are surprisingly easy to execute, it can wreak havoc for those who unknowingly fall victim to a ‘SIM swapping’ scam.
Most important accounts rely on some form of two-factor authentication to gain access, and in many cases, the user or service provider will select SMS codes as the default authentication method.
This involves receiving a text message code to log into the account, in which case porting someone’s mobile phone number can give criminals easy access to an individual’s digital life.
A Sydney woman’s tale of woe hit the headlines last year when her mobile phone was taken over and fraudsters rapidly set about stealing her identity.
Armed with her name, date of birth and mobile number, the attackers called the Optus call centre without her knowledge and secretly swapped her number to a SIM card they had in their possession.
It is assumed that the attackers took her personal details, such as her date of birth, from her Facebook account.
The victim received two text messages from Optus confirming that her request to change networks had been actioned and then her phone was disconnected.
She'd just been a victim of SIM swapping without being able to make a call or access data.
Meanwhile, the fraudsters set about breaking into her social media accounts, including her Facebook and email, where she stored many important personal documents such as passport scans.
They made several calls using Kate's number and changed the password of her email and many other accounts.
Optus is not the only target of SIM swapping attacks in Australia, as other telco operators have also been tricked several times.
The relative ease with which hackers can execute SIM swaps poses serious questions about the level of security clearance mobile phone providers enforce.
Since the goal for customer service representatives is to provide an excellent user experience in the timeliest fashion, being security-vigilant is not a top priority.
This makes this type of social engineering relatively easy to pull off.
The Australian Competition and Consumer Commission’s (ACCC) latest ‘Scamwatch’ data revealed that Australians lost nearly ten million dollars to scammers in February 2019 alone. A total of 16,399 scams were reported, with financial losses accounting for 8.8% of those reported scams.
Unfortunately, many more go unreported due to a victim’s feelings of shame.
SIM swapping attacks happen far more often than most people realise, which is why it’s important to understand how they work and better yet, how to prevent them from happening.
The good news is that many services now offer users the option to secure their accounts with methods beyond basic SMS.
These can include mobile authentication apps, built-in biometrics and hardware authenticators such as security keys.
While each method has its pros and cons, security keys (based on the FIDO U2F and FIDO2/WebAuthn open standards) are becoming increasingly popular among services like Google, Twitter, Facebook, Microsoft and Dropbox.
By requiring physical access to a device to successfully log in to online accounts, it eliminates the threat of remote scalable attacks.
In addition, the technical specifications of the FIDO U2F and FIDO2/WebAuthn standards are built to implement advanced security checks, such as verifying the origin of the site, which protects unsuspecting users from falling victim to phishing and ‘man-in-the-middle’ attacks.
In these scenarios, the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other