SIM Swapping Identity Theft and How To Protect Your Accounts
Canadians are targets as SIM card swapping scams increase in 2019.
Vancouver entrepreneur Sefton Fincham was a victim of SIM swapping this year while on a business trip to the US. He said the “signal changed suddenly” on his phone and then there was no service. He was completely mystified and worked, with no immediate success, to resolve the issue with his phone company. Meanwhile, hackers were changing his social media accounts and accessing his financials.
SIM card fraud is trending, it’s happening right here in BC and the lower mainland, and Canadians should learn how it works and take steps to ensure their mobiles are secure.
SIM Swap fraud – what is it?
Ciphertrace Q4 reports increases in successful SIM swapping, an identity theft technique that takes over a victim’s mobile device allowing hackers to steal credentials, change passwords, and break into wallets or exchange accounts, to steal cryptocurrency.
Security software developer SOPHOS explains the scam this way: A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone to the network.
Like many other cybercriminal activities that have proven successful, SIM swapping scams are increasing.
And they are incredibly profitable.
Ciphertrace Q4 2018 states that, “the amount of money stolen through scams and theft increased by 300% over the last year to about $1.7 Billion.
Victims often don’t know they’ve been hacked before it’s too late.
The victim’s phone will display “no carrier” and will not allow incoming or outgoing calls. Users who communicate primarily through texts, or who are otherwise disengaged from their device temporarily have no idea they’ve lost their subscriber identity and access to any platforms the attacker has commandeered.
Who are the targets?
Thieves primarily target people who are active in the cryptocurrency community such as cryptocurrency related startups, virtual currency dealers, and blockchain enthusiasts but it’s not only wealthy bitcoin entrepreneurs who are being targeted.
Detective Caleb Tuttle, an investigator with the California REACT task force on cybercrime, says, “Most of the victims are not millionaires. Most are people who are having their life’s savings or their child’s college savings, stolen. They’re victims who have families and 9-5 jobs, and who got into the crypto space because they were investing and trying to make ends meet. We only tend to hear or read about these attacks when they result in millions of dollars in losses. But the reality is there are a lot of thefts involving much more diminished accounts, that are really negatively impacting people’s lives.”
REACT investigators also report that it is not only easy for criminals to carry out a SIM swap (compared to breaking into a computer network), but it’s much easier for them to steal crypto funds even when they can access traditional bank accounts during the SIM swap.
How it works. Convenience versus security.
It’s a common practice for customers to call and legitimately request replacement of a damaged SIM card or a differently sized SIM card for a new phone. Two-factor authentication measures whereby users confirm their identity over their mobile phones has, until recently, made that transaction secure and convenient.
A SIM swapping attacker cleverly and deviously takes advantage of that two-factor authentication by learning a victim’s personal details and impersonating them as they make the SIM swap request to the mobile carrier. When successful the carrier simply transfers your data to the hacker’s SIM card.
Social engineering is key to the success of an account takeover. What have you shared on social media?
Personal information can be gleaned from many sources arming criminals with enough data to impersonate an account holder and trick carrier support centre staff into allowing a caller to swap out a SIM. It’s that easy.
Your mother’s maiden name, your birthday, schools you attended, your kids’ names, your cell phone number, and lots of other information appears on sites like Twitter, Instagram, Facebook, and LinkedIn.
Sympathetic carrier support centre staff wants to make what is a reasonably common transaction, go as smoothly as possible. Too often however they let an apparently memory-lapsed caller be “close enough” to answering all the challenge questions before allowing them to swap out a SIM.
Occasionally, carrier support personnel are working with the cyber criminals for a cut of the take or for a bribe.
When attackers have successfully carried out the swap, they can port a user’s phone number into their own device and can then receive the second part of the authentication procedure, the SMS message intended to confirm the identity of the real user and change that user’s password.
Once in control, although the attackers have access to everything, their prime target is the cryptocurrency wallet.
How to protect your SIM
Mobile providers and their significant vulnerabilities – mobile store employees – are entirely attached to your security. Unless you disconnect your mobile phone number from all SMS-based authentication, you will continue to be susceptible to attacks.
These solutions offer more security than SMS based authentication:
- Employ an Internet-based telephone service such as Google Voice. Google Voice lets users choose a phone number that gets forwarded to their Google account and any calls or messages to that number will then be sent to their mobile number.
- Add a secondary security code or PIN to your mobile account by calling your provider or by doing it online. Each carrier handles secondary security codes differently but make your code more than 4 – 6 digits and keep a backup of the new code.
- Explore options like the hardware authentication device YubiIKey Authenticator or software token Google Authenticator, which generates one-time passcodes for access to sites of your choosing. Using the Time-based One-time Password Algorithm. (TOTP)
- Review all of your social media platform privacy settings and uncheck those that allow viewers to contact you via your primary mobile number.
As with all security procedures, a layered approach is the most effective way to protect your date.
If you have questions about mobile security, and keeping your data safe, please contact the team at Netcetera. We are always willing to help.