
SIM swapping security risks: What they are and how to protect yourself

August 17, 2020 by Susan Morrow

The joke that someone needs to have a mobile phone “surgically removed” is not too far from the mark. Mobile phones have become ubiquitous and intrinsically linked to our digital identity. This connection to online life has made the mobile device a target for many types of cybercrime exploits. One of these is the scam known as SIM swapping.

Mobile devices are an amazing success story. Researchers at Pew Research found that almost all (96%) of Americans own a mobile device. And across the world, 3.5 billion people own a smartphone. 

Wide-scale mobile ownership has presented a dichotomy for security and digital identity. Mobile devices offer a great way to connect a user to an account via out-of-band authentication, e.g., SMS text PIN. But the same ubiquitous nature of mobile devices and the strong connection between device and personal online accounts and data make them a target for cybercriminals.

What is SIM swapping? Are there ways to protect ourselves from becoming a victim of SIM swap fraud?

What is SIM swapping?

SIM swap scams can result in large financial losses for individuals. The crime has many faces, but all revolve around the takeover of a mobile device. From there, the device is used for purposes of extortion, data theft and account takeover.

Some examples of a SIM swap hack include:

  • A British man who lost £80,000 (almost $100,000) when his mobile operator moved the man’s phone number to a fraudster. The operator believed the fraudster was the legitimate owner of the phone
  • A SIM swap scam in Brazil targeted over 5,000 victims. This SIM fraud involved the use of WhatsApp to make urgent money requests to listed contacts who believed the message came from the mobile owner, e.g., a friend or family member
  • A SIM swap scam targeting crypto-investors with the loss of 100 Bitcoin in one case — the man was extorted out of the cryptocurrency in exchange for not releasing stolen personal and sensitive information

The problem of swapping SIM cards ultimately stems from poor levels of identity verification by the mobile operator. SIM swapping is a form of social engineering. It relies on certain criteria for success:

  1. Targets are chosen: Targets may meet a specific profile, such as the crypto investors targeted in the example above
  2. Data is sourced: Personal data about the target is stolen directly or (often) bought from dealers on the dark web, where it has been collected from previous data breaches. These stolen personal records often hold mobile phone numbers
  3. Identity theft: The fraudster now has all of the identity claims needed to perform identity fraud
  4. SIM swap request: The fraudster calls the operator and uses the target's identity claims, such as name, address and so on, to convince the operator to move the existing phone number to the fraudster's SIM card and activate it
  5. Control and commit fraud: The fraudster now controls the target's phone number and can commit fraud

Once a fraudster has control of a phone number, they will receive all of the communications that the phone normally receives. This includes SMS texts and voicemails. This gives the fraudster access to SMS PIN second-factor authentication (2FA) and potentially sensitive information from callers. Once a fraudster has this level of detail about a person’s identity, as well as potentially their second factor for logging into accounts (including some financial institution accounts), the attacker can go to town.

Can you just switch SIM cards between phones?

Consumers need a SIM swap service. However, the level of SIM swap fraud points to the fact that switching SIM cards between phones is insecure. The ease with which this fraud occurs points to a fundamental issue in identity verification. The ways that SIM fraud occurs include:

Poorly implemented identity checks

By the time the fraudster makes the SIM swap request, they will have already accessed user identity data. If the identity checks made to identify the caller requesting the SIM swap are not thorough enough, the scam will be successful. Several operators have been called out on poor identity checks during a SIM swap request.

Insider threat

Insider threats are believed to be common in 68% of organizations. Cybercriminal gangs can recruit insiders in mobile phone operator help centers and use them to circumvent identity checks.

Malware and phishing

Phishing emails targeting privileged users can be used to steal operator login credentials. Malware is then installed, giving the fraudsters remote access to the operator’s system and to any SIM card data and processes.

SIM swap detection 

There is rarely, if ever, a “silver bullet” when it comes to security. Usually, you have to use a multi-pronged approach to preventing fraud. Identity theft is certainly a case for using multiple measures of protection. To make a SIM swap process more secure, an operator can implement:

  • Robust identity verification: The user who requests the SIM swap should meet a high level of assurance. This could potentially be performed using an identity service that provides a verified high assurance identity to the operator during the SIM swap process. Federated identity login using identity hubs can facilitate this
  • Real-time SIM swap detection: There are several solutions that analyze a SIM swap request against several criteria. These include whether the phone has been reported lost or stolen, whether the phone has roaming in place, whether the phone is using call-divert, and other possible indicators of fraud
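
The two measures above, combined into one decision for a swap request, as an added example that is not from the original article or from any operator or vendor. The signal weights, the thresholds, the assurance scale and the assumption that each indicator raises risk are illustrative choices, and the sample requests are constructed.

```python
from dataclasses import dataclass

# Weights and thresholds are assumptions chosen for illustration only.
SIGNAL_WEIGHTS = {
    "no_loss_report": 1,  # swap requested, but no lost or stolen report on file
    "roaming": 2,         # the current SIM has roaming in place
    "call_divert": 2,     # call divert is active on the number
}
# Highest score still approved at each identity assurance level (assumed scale).
# Any level not listed here, such as "low", is always denied.
APPROVE_MAX = {"high": 2, "medium": 0}


@dataclass
class SwapRequest:
    msisdn: str
    assurance: str
    reported_lost_or_stolen: bool
    roaming: bool
    call_divert: bool


def fired_signals(req):
    """Return the names of the fraud indicators present on this request."""
    checks = [
        ("no_loss_report", not req.reported_lost_or_stolen),
        ("roaming", req.roaming),
        ("call_divert", req.call_divert),
    ]
    return [name for name, fired in checks if fired]


def evaluate(req):
    """Return (decision, score, signals) for one SIM swap request."""
    signals = fired_signals(req)
    score = sum(SIGNAL_WEIGHTS[name] for name in signals)
    if req.assurance not in APPROVE_MAX:
        return ("deny", score, signals)
    if score <= APPROVE_MAX[req.assurance]:
        return ("approve", score, signals)
    return ("hold_for_review", score, signals)


# Constructed sample requests; the numbers are placeholders.
SAMPLE = [
    SwapRequest("+10000000001", "high", True, False, False),
    SwapRequest("+10000000002", "high", False, True, True),
    SwapRequest("+10000000003", "medium", False, False, False),
    SwapRequest("+10000000004", "low", True, False, False),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.msisdn, *evaluate(req))
```

A held request would go to a stronger identity check rather than being activated on the spot.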

Tips to protect yourself

SIM swap detection is a vendor-led initiative. However, some things can be done on the user end to help reduce the risk of SIM swap fraud:

  1. Do not overshare on social media: Avoid giving out personal details and travel plans on social media
  2. If available, use a PIN or password to log into your cell phone account
  3. Understand how phishing works and avoid the loss of personal data
  4. Any high-value accounts you have, such as bank accounts, should use robust login credentials wherever possible and avoid the use of SMS text messages as a second factor. This is not always possible, of course, and must be supported by the service
  5. Watch out for any significant changes to the operation of your mobile; highly suspicious is an inability to connect to any network in a place you’d normally have a strong signal — this could be a warning of a SIM swap in progress

Moving a SIM card is a service that is needed by consumers. People lose and buy new phones. But the process to move that phone needs to be reviewed. 

Mobile device phone numbers are included in the wider digital identity ecosystem; mobile numbers are often associated with identity accounts or other online accounts, and are often used as a second-factor authentication method and an identity attribute. Phones also collect personal and sensitive data. As such, mobile numbers need to be viewed as sensitive information, and any process associated with that number made as secure as possible.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.