Do you appreciate thrillers with high-tech elements? Irrespective of your taste, if you find out that your mobile phone number is compromised, you might potentially find yourself in a techno-drama of your own.
You might wonder how this could happen. The answer is that SIM swap attacks are getting more popular with time. You must wonder what a SIM swap attack is? Let’s find out.
What is SIM Swapping?
SIM swapping is quite common these days. It begins with a fraudster impersonating you as he contacts your mobile carrier. He will ask them to activate a new SIM card for your account by answering security questions and a few personal details. It results in the victim losing thousands of dollars before he even realizes something is wrong.
Fraudsters gain control of a mobile phone account through a combination of social engineering techniques and internet surveillance. They exploit to gain access to the bank account of the targeted victim using their device.
Simply put, hackers who gain control of your cellphone to target your bank account ultimately — and such instances, have increased dramatically in the last five years.
Data is a goldmine for bad actors. The motive is not always financial but could involve disrupting your social status in the long run.
The Taxonomy of SIM Swap Fraud: How it works?
Step 1: The attacker obtains personal details through several social media platforms or other social engineering techniques, such as phishing.
Step 2: The hacker calls your carrier, thus impersonating the targeted victim.
Step 3: The hacker tricks the service provider into switching the number of the victim to the hacker’s cell phone device.
Step 4: Since the hacker gets what he wants, he is now in charge of your phone (texts, codes through SMS 2FA, and calls), including bank information and other relevant financial apps.
Key stats indicate SIM swap is the next global issue:
- SIM swap fraudsters plundered over 100 million USD in the United States in 2020. Eight individuals from the UK and many more from other countries in Europe got arrested concerning a crime ring that targeted thousands of victims in the US. The majority of victims were sports icons, crypto influencers, celebrities, and their families.
- In the first half of 2020, Action Fraud in the UK received nearly twice as many reports of SIM switch fraud as in the same period the previous year.
- A single victim was defrauded with over 24 Million USD by a 15-year-old teenage evil mastermind, Ellis Plinsky.
- A group of accomplices stole $23 million in bitcoin from Michael Terpin in 2018 by executing SIM swap fraud and monitoring authentication communications to gain access to his digital wallet.
- Attempts to switch SIM cards are victorious in four out of five cases. Major US carriers utilize insecure authentication that enables a potential attacker to swap SIM even if he fails many challenges, Princeton University researchers.
Summing up, your security is your responsibility. Last year, the average amount taken in the US was 2K-2M USD. Also, it is not just celebrities and crypto millionaires who are at risk. Anyone with money in their account is vulnerable to these attacks as well. Because the most common incentive for SIM swap is financial gain, scammers seek to target victims who have assets or investments from which they can make withdrawals quickly.
What are the telltale indicators of a SIM swap scam?
If you detect any of the following warning indicators, contact your cell phone company right away:
- Contact your mobile carrier right away if you find yourself locked out of your online phone service.
- Even with superb coverage, there is no cell phone service. Contact your provider if you are not receiving calls or messages like usual.
- Contact your mobile carrier if you see notifications from phone services you do not recognize.
Be on the lookout for suspicious behavior notices. These signs are indicators of SIM swap and for you to stay cautious.
A detailed perspective: How to prevent SIM swap?
All carriers get genuine SIM switch requests. It usually occurs when a client has misplaced their cell phone or needs to upgrade to a new device that needs a new SIM card size. For example, a small detachable smart chip that connects the device to a phone number.
However, even low-skilled crooks may use unauthorized SIM swaps to quickly turn the life of the victim upside down and take control of the majority portion of their identities and connected finances (plus social status).
Furthermore, security methods offered to wireless consumers worried about SIM porting/swapping, such as PIN (personal identification number) codes, are typically useless against dishonest or inexperienced mobile phone store staff.
Even if the victim has changed the password, a successful SIM swap may allow tormentors to access the victim’s email account. Some email services enable the customers to reset their passwords SIMply by providing information that is likely only known by the legitimate account owner. Such as the date of account creation, the title of a custom folder or label recently created.
Limit the chance of SIM swap
- Scammers may use social engineering techniques such as phishing emails to access your personal information and impersonate you. To decrease risk, sanitize your internet presence.
- Set a different PIN or passcode for your conversations through your carrier to add an extra layer of security. AT&T and T-Mobile allow it, whereas Verizon requires a changeable PIN. Never use an obvious PIN, such as an anniversary, birthday, or address, and save PINs in a password manager if possible. You can also transit to a more secured carrier like EFANI that guarantees SIM swap protection.
- Follow the FTC guidelines to avoid identitytheft.
- Limit the amount of personally identifiable information you post on the internet. Keep your personal information to a minimum. Fraudsters will cling to the tiniest details in an attempt to fool your carrier into believing they are you. Your full name, address, phone number, and birth date should be kept private. Avoid oversharing personal information on social media. Most of these facts are likely to have been included in the online security questions used to authenticate your identity.
- Abandon SMS backed 2FA.
- Create IDs that do not include your phone number. Avoid relying entirely on your phone number for identity and security authentication, including text messaging (SMS). Text messaging is not encrypted, making it subject to SIM switch fraud and other threats.
- Look out for banks, shops, and other online services that use behavioral analysis technologies to detect compromised devices and call-backs to prevent identity theft.
Here are a few advanced measures:
- Some people use SIM swapping as a reason why two-factor authentication is not necessary. However, on the contrary, SIM hack fraud is a reason to use strong authentication, such as deploying a security key for physical authentication.
- Physical authentication is preferable to ordinary 2FA since it requires both – a password and a tangible token. A hacker must physically steal the token to access it.
- When adopting MFA, it is critical to enforce at a minimum NIST Assurance Level-2 for administrative operations. It entails two steps: knowing something, such as a password or code, and having something, such as a push notification or an OTP issued by a registered device.
- Increase to NIST Assurance Level-3 for most essential assets where practicable. It entails 2FA, a password, & a hardware-based cryptographic token, a FIDO key, or a smart card.
- Strong authentication establishes a user identification as trustworthy. The chances of a social engineering assault through SMS or phone call are slim when the user identity and infrastructure are confidential.
- Never trust your phone for sensitive accounts. It is better to erase your phone number if at all possible. It can be hard at scale, but it may be vital for high-value targets.
Take-Home Message: How can EFANI help?
Hackers cause chaos all around the world by stealing money and personal information. They have a variety of techniques, including automated scripts, that allow them to attack your computer every 39 seconds, or 2,244 times a day on average. And if you hold cryptocurrencies, you are giving cyber-criminals another incentive to attack you, as financial motives account for more than two-thirds of all breaches.
As a result, it is critical that you follow recommended security practices, sometimes known as cybersecurity hygiene, to improve your odds of avoiding an online threat. Efani provides solid cyber solutions to curb the growth of the threat landscape in SIM swap fraud.
Efani discourages hackers in their tracks and blocks all swaps by default by enforcing an 11-layer propriety military-grade client layer authentication. It requires a 14-days cool-off period before SIM swapping. Any change must be approved by multiple staff members and run through a rigorous manual process.