SIM Swapping Attacks – What They Are and How to Protect Yourself
The inadequacy of passwords alone to protect logins to applications and services has led many companies to harden access by using additional authentication factors. In trying to balance security with user experience, many companies have opted for one-time codes sent to smartphones as a convenient second way to verify user identities.
Ever keen to adapt their tactics, today’s threat actors have devised a way to exploit the prevalence of smartphones in managing cyber risk through SIM swapping attacks. Read on to find out what SIM swapping attacks are and how to protect yourself.
What is a SIM swapping attack?
SIM swapping attacks occur when a fraudster convinces a mobile carrier to transfer a victim’s phone number and account to a new SIM card under the fraudster’s control. A subscriber identity module (SIM) is a card that acts like a portable memory chip, storing information that associates a particular device with a customer account. Social engineering techniques are critical to the success of SIM card swapping attacks, as hackers must convincingly impersonate the victim and persuade the mobile operator’s customer service agent to perform the change.
Often the pretext used in these scams is to call the telephone company and inform the customer service agent of a lost or damaged SIM card. The threat actor then asks for the customer’s phone number to be ported to a new SIM card that he bought in the store. Another potential excuse is that the customer apparently purchased a new device that requires a different type of SIM card.
Some phone companies have additional security measures in place to verify a customer’s identity before moving a phone number and account to another SIM card. The usual process is to request a date of birth, address, or perhaps a personal identification code (PIN) for verification. Unfortunately, threat actors tend to find this information about individual victims using a range of possible methods, including online searches, dark web data leaks, malware, and emails from phishing.
Potential Consequences of SIM Swapping Attacks
When SIM swapping attacks are successful, attackers can then take control of a customer’s mobile phone account and receive all text messages or phone calls intended for that person. This cell phone number hack is bad news for several reasons:
- Bypassing MFA: Multi-factor authentication plays an important role in modern authentication by requiring two or more categories of proof to verify the identity of users when logging into applications and services. In a world where a combination of username-password pairs and one-time codes sent to smartphones is the most popular MFA implementation, taking control of someone’s phone number can help circumvent MFA (as long as the fraudster also has the victim’s password and username as well).
- To hit : Another consequence of SIM swapping attacks is the ability to conduct other social engineering tactics, such as smishing. After partially assuming a person’s identity by taking control of their phone number, hackers can text the victim’s contacts, such as co-workers, and trick them into revealing confidential information.
- Fraud: When online banking, cryptocurrency, or other financial accounts are tied to particular phone numbers, fraudsters can also initiate fraudulent transactions.
SIM card swapping attacks: statistics and incidents
A February 2022 FBI Public Service Announcement highlighted an increase in SIM card swapping programs targeting US citizens. These schemes typically involved stealing money from fiat (government-issued currency not backed by a commodity such as gold) and virtual currency accounts. In 2021 alone, the FBI’s Internet Crime Complaint Center (IC3) received more than 1,600 complaints about SIM card swapping attacks, with losses amounting to more than $68 million.
Probably the most high-profile example of a SIM swapping attack occurred in 2019 when hackers broke into Twitter CEO Jack Dorsey’s own Twitter account. Actress Jessica Alba and civil rights activist DeRay Mckesson were other high-profile victims.
In 2021, 10 people who were part of an international SIM card swap network were arrested after stealing up to $100 million from US citizens. These SIM-swapping attacks have targeted thousands of individuals, from influencers to sports stars and their families. A year-long collaborative investigation between law enforcement agencies from five countries has resulted in 10 arrests.
How to protect against SIM swapping attacks
SIM-swapping attacks naturally cause concern among cybersecurity officials, researchers, and the general public. In a complex cyber-threat landscape, SIM swapping is frighteningly simple yet quite effective, as demonstrated by statistics published by the FBI and notoriety of some victims.
So what can you really do to protect against SIM swapping attacks? Here are a few tips.
- Organizations should consider other MFA implementations that are less easy to leverage. Tying app logins to biometric scans or tokens in a user’s physical possession would provide additional security, with perhaps only a slight impact on the user experience.
- Individuals should limit the information they share on social media platforms, including professional networking sites like LinkedIn. It is prudent to opt for the most restrictive privacy settings so that only existing friends can see certain information. Consider not posting certain information at all, such as phone numbers or addresses.
- Effective password hygiene practices can help ensure that users do not expose their accounts to possible takeover. These practices include not reusing the same passwords across multiple services and setting strong passwords that are not easily cracked.
- Mobile operators should invest appropriately in e-learning and awareness raising for customer-facing staff who process SIM card change requests. After all, the success of SIM swapping attacks relies on social engineering, and education can go a long way in reducing the chances of success here.
The post SIM Swapping Attacks – What They Are and How to Protect Yourself appeared first on Nuspire.
*** This is a Nuspire Security Bloggers Network syndicated blog written by the Nuspire team. Read the original post at: https://www.nuspire.com/blog/sim-swapping-attacks-what-they-are-and-how-to-protect-yourself/