SIM swapping: What is it and should you be worried?

29 Apr 2019

By Yubico chief solutions officer Jerrod Chong

Cyber criminals are using a simple trick to steal people’s mobile phone numbers, move them to a different SIM card, and then use the stolen number to gain access to the victim’s other personal information, including their bank and government service accounts.

This technique is called SIM swapping, and because people increasingly rely on their mobile phones to prove who they are, the phone number is an increasingly attractive path to taking over a person’s accounts.

In most cases, threat actors only need a target’s account number and date of birth, which can easily be obtained through social media, to make this type of request to a mobile carrier. While these attacks are surprisingly easy to execute, they can wreak havoc for those who unknowingly fall victim to a ‘SIM swapping’ scam.

Most important accounts rely on some form of two-factor authentication to gain access, and in many cases, the user or service provider will select SMS codes as the default authentication method.

This involves receiving a code by text message in order to log into the account, so porting someone’s mobile phone number can give criminals easy access to an individual’s digital life.

A Sydney woman’s tale of woe hit the headlines last year when her mobile phone was taken over and fraudsters rapidly set about stealing her identity.

Armed with her name, date of birth and mobile number, the attackers called the Optus call centre without her knowledge and secretly swapped her number to a SIM card they had in their possession.

It is assumed that the attackers took her personal details, such as her date of birth, from her Facebook account.

The victim received two text messages from Optus confirming that her request to change networks had been actioned and then her phone was disconnected.

She'd just been a victim of SIM swapping without being able to make a call or access data.

Meanwhile, the fraudsters set about breaking into her social media accounts, including her Facebook and email, where she stored many important personal documents such as passport scans.

They made several calls using Kate's number and changed the password of her email and many other accounts.

Optus is not the only target of SIM swapping attacks in Australia, as other telco operators have also been tricked several times.

The relative ease with which hackers can execute SIM swaps poses serious questions about the level of identity verification mobile phone providers enforce before acting on such requests.

Since the goal for customer service representatives is to provide an excellent user experience in the timeliest fashion, being security-vigilant is not a top priority.

This makes this type of social engineering relatively easy to pull off.

The Australian Competition and Consumer Commission’s (ACCC) latest ‘Scamwatch’ data revealed that Australians lost nearly ten million dollars to scammers in February 2019 alone. A total of 16,399 scams were reported, with financial losses accounting for 8.8% of those reported scams.

Unfortunately, many more go unreported due to a victim’s feelings of shame.

SIM swapping attacks happen far more often than most people realise, which is why it’s important to understand how they work and better yet, how to prevent them from happening.

The good news is that many services now offer users the option to secure their accounts with methods beyond basic SMS.

These can include mobile authentication apps, built-in biometrics and hardware authenticators such as security keys.

While each method has its pros and cons, security keys (based on the FIDO U2F and FIDO2/WebAuthn open standards) are becoming increasingly popular among services like Google, Twitter, Facebook, Microsoft and Dropbox.

Because a security key must be physically present to successfully log in to an online account, it eliminates the threat of remote, scalable attacks.

In addition, the technical specifications of the FIDO U2F and FIDO2/WebAuthn standards are built to implement advanced security checks, such as verifying the origin of the site, which protects unsuspecting users from falling victim to phishing and ‘man-in-the-middle’ attacks.

In these scenarios, the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
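The origin check described above, as an added example that is not Yubico’s or any FIDO library’s code: a minimal relying-party-side verification of a WebAuthn assertion in Python, using constructed sample data and an assumed relying-party ID of example.com. It checks the origin and challenge the browser wrote into clientDataJSON and the rpIdHash and user-presence flag in authenticatorData; verifying the signature with the registered public key is the remaining step and is omitted here.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                  # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed legitimate origin


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_data(origin, challenge):
    # Constructed sample of the clientDataJSON a browser produces. The browser,
    # not the web page, fills in "origin", so a look-alike phishing site cannot
    # forge the origin of the real service.
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def build_auth_data(rp_id, user_present=True, counter=1):
    # Constructed sample authenticatorData: rpIdHash(32) | flags(1) | signCount(4)
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data, auth_data, expected_challenge):
    """Return (ok, reason). Signature verification over auth_data || SHA-256(client_data)
    against the registered public key would follow these checks."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed_payload = auth_data + hashlib.sha256(client_data).digest()  # what the key signed
    return True, "ok"
```

A relayed login from a look-alike domain fails at the origin check even if the attacker forwards every byte, which is the property that makes these keys phishing-resistant where SMS codes are not.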
