Austin Berglas at BlueVoyant explains what SIM-swapping is and how you can mitigate the risk
Last week, the FBI released a public service announcement advising the public and mobile carriers of the ongoing threat of SIM swapping used to steal fiat and virtual currency. These scams, the FBI said, earned criminals $68 million in 2021 alone, and are on the rise.
SIM swapping is not new, but it is escalating. Last year saw the dismantling of multiple high-profile SIM-swapping schemes, from Europol’s arrest of 10 hackers accused of hijacking celebrities’ phones, to an international operation that led to the arrest of a Canadian teenager who stole $36.5 million of cryptocurrency in a targeted SIM swap attack. Just a few days after the FBI’s announcement, news emerged that Spanish police had arrested eight people suspected of running a SIM-swapping ring.
However, despite the efforts of law enforcement, it is important that individuals understand the risk posed to them by SIM-swapping, how to recognise it, and steps they can take to help prevent an attack.
What is SIM swapping?
A Subscriber Identity Module, or SIM, is a small memory chip contained in a mobile device that stores information associated with the owner of the device. Easily transferred from device to device, SIM cards contain a string of unique numbers that allows your mobile carrier to attribute a specific device to a specific person – once transferred to a new device, personal settings and contacts will most likely transfer as well.
Physical transfer of the SIM card is not the only way to switch phones. What would happen if your SIM card failed and you had to buy a new one? You would have to call the mobile carrier and ask them to assign the new SIM card to your existing phone number. You would most likely have to answer some security questions and perhaps provide a PIN in order to verify that you are in fact the legitimate owner of the phone. SIM swapping abuses this legitimate process: a criminal poses as the owner and persuades the carrier to assign the victim's phone number to a SIM card the criminal controls.
How and why does it happen?
SIM swapping requires effort. Historically, high net worth individuals and people in positions of power and influence have been targeted, but recently, SIM swapping has become more widespread.
Criminals have utilised blackmail, bribery and social engineering to gain access to a customer’s device. A common method is for the criminal to build a profile of the current customer which contains enough personally identifiable information (PII) to falsely authenticate themselves to the carrier’s customer service representative. This PII can be easily and cheaply purchased online in dark web marketplaces and from dark web automated vending machines.
Perhaps we are seeing an increase in these types of crimes because of the increased law enforcement focus on ransomware gangs. For many years, ransomware has been the top cybercriminal threat, but with increased global pressure for nations to crack down on individuals and groups conducting ransomware attacks, cyber criminals may be focusing their efforts elsewhere, looking for a safer payday.
The motive is strictly financial gain: once criminals gain control over a victim’s phone number, they use stolen banking credentials to log into mobile banking applications or cryptocurrency wallets and start a withdrawal. They can then validate the withdrawal with a one-time password sent by the financial institution via text message to the phone number they recently took over.
How can you mitigate the risk?
The scary thing about SIM swapping is that the victim rarely does anything wrong – they never clicked on a phishing link or entered personal information into a fake website. The clear signs that you have become a victim of a SIM swap are that the affected phone can no longer make calls and has no reception.
Although it is hard to be super vigilant about a threat that is sometimes beyond the user’s control, there are ways to mitigate the risk. It is important for individuals to establish a PIN code for their mobile carrier account. This can add a protective boundary against attacks that are launched using their stolen PII.
Another option is using authentication applications instead of SMS-based two-factor authentication. These authentication apps can be associated with a physical device, not just a phone number. A benefit – besides not having an SMS message hijacked – is that the individual will have all the codes in a central location and that they are available all the time, even when the phone is offline.
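To show why an authenticator app's codes survive a SIM swap, the following added example (not part of the original article) implements the standard time-based one-time password scheme of RFC 6238, which such apps commonly use. The secret and timestamps are the RFC's published test values; the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed sample: the shared secret from the RFC 6238 test vectors.
# A real secret is random and is stored only on the device and the server.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per code, the usual authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side."""
    now = int(unix_time) // STEP
    matches = [hmac.compare_digest(hotp(secret, now + d), submitted)
               for d in range(-window, window + 1) if now + d >= 0]
    return any(matches)


if __name__ == "__main__":
    t = 59  # constructed timestamp from the RFC 6238 test vectors
    code = totp(SECRET, t)  # computed on the device, with no network at all
    print(code, verify(SECRET, code, t + STEP))      # next step: accepted
    print(code, verify(SECRET, code, t + 4 * STEP))  # too old: rejected
```

The code is derived from a secret held on the device and the clock alone, so nothing is ever sent to the phone number, and taking over the number gives an attacker nothing to intercept.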
Other measures include using a physical authentication key for critical accounts and staying vigilant: a major service disruption, such as failed message delivery, should be addressed urgently by reporting the situation to your service provider, monitoring the passwords of your online accounts and checking bank account transactions.
It is also important to highlight that the rise of SIM-swapping is a key reason why a phone number may not be the best verifier of a person’s identity, as it represents a hole in the authentication process. The nature of the attack allows hackers to scam the contacts of a SIM-swapped number, creating the opportunity for further SIM-swaps and financial gain.
The FBI’s public service announcement, in combination with increased law enforcement activity around this scamming method, is a positive sign that the threat of SIM-swapping is being taken seriously. As ever, though, there are a few cyber-hygiene steps that individuals can take to help ensure that they and their phone won’t be the next target.
Austin Berglas is Global Head of Professional Services at BlueVoyant