
SIM swapping: What is it and should you be worried?

29 Apr 2019

By Yubico chief solutions officer Jerrod Chong

Cyber criminals are using a simple trick to steal people’s mobile phone numbers, move them to a different SIM card, and then use the stolen number to gain access to the victim’s other personal information, including their bank and government service accounts.

This technique is called SIM swapping and due to the growing reliance on mobile phones, this vehicle is increasingly targeted as a way to take over a person’s account.

In most cases, threat actors only need a target’s account number and date of birth, which can easily be obtained through social media, to make this type of request to a mobile carrier. While these attacks are surprisingly easy to execute, they can wreak havoc for those who unknowingly fall victim to a ‘SIM swapping’ scam.

Most important accounts rely on some form of two-factor authentication to gain access, and in many cases, the user or service provider will select SMS codes as the default authentication method.

This involves receiving a text message code to log into the account, in which case porting someone’s mobile phone number can give criminals easy access to an individual’s digital life.

A Sydney woman’s tale of woe hit the headlines last year when her mobile phone was taken over and fraudsters rapidly set about stealing her identity.

Armed with her name, date of birth and mobile number, the attackers called the Optus call centre without her knowledge and secretly swapped her number to a SIM card they had in their possession.

It is assumed that the attackers took her personal details, such as her date of birth, from her Facebook account.

The victim received two text messages from Optus confirming that her request to change networks had been actioned and then her phone was disconnected.

She had just become a victim of SIM swapping and was left unable to make a call or access data.

Meanwhile, the fraudsters set about breaking into her social media accounts, including her Facebook and email, where she stored many important personal documents such as passport scans.

They made several calls using Kate's number and changed the password of her email and many other accounts.

Optus is not the only target of SIM swapping attacks in Australia, as other telco operators have also been tricked several times.

The relative ease with which hackers can execute SIM swaps raises serious questions about the identity checks mobile phone providers enforce before acting on such a request.

Since the goal for customer service representatives is to provide an excellent user experience in the timeliest fashion, being security-vigilant is not a top priority.

This makes this type of social engineering relatively easy to pull off.

The Australian Competition and Consumer Commission’s (ACCC) latest ‘Scamwatch’ data revealed that Australians lost nearly ten million dollars to scammers in February 2019 alone. A total of 16,399 scams were reported, with financial losses accounting for 8.8% of those reported scams.

Unfortunately, many more go unreported due to a victim’s feelings of shame.

SIM swapping attacks happen far more often than most people realise, which is why it’s important to understand how they work and better yet, how to prevent them from happening.

The good news is that many services now offer users the option to secure their accounts with methods beyond basic SMS.

These can include mobile authentication apps, built-in biometrics and hardware authenticators such as security keys.

While each method has its pros and cons, security keys (based on the FIDO U2F and FIDO2/WebAuthn open standards) are becoming increasingly popular among services like Google, Twitter, Facebook, Microsoft and Dropbox.

Because a security key must be physically present to complete a login, it eliminates the threat of remote, scalable attacks: porting a phone number gives the attacker nothing to present.

In addition, the technical specifications of the FIDO U2F and FIDO2/WebAuthn standards are built to implement advanced security checks, such as verifying the origin of the site, which protects unsuspecting users from falling victim to phishing and ‘man-in-the-middle’ attacks.

In these scenarios, the attacker secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other.
