FINAL WORD
The enemy in your pocket: large-scale SIM swap fraud
With SIM swap fraud nowadays conducted on a large
scale, Fabio Assolini, Senior Security Researcher, Global
Research and Analysis Team, Kaspersky Lab, tells
Intelligent CIO how cybercriminals complete the fraud
and the best ways to avoid being the next victim.
Mobile payment is huge worldwide.
Mobile phone-based money
transfers allow users to access
financing and micro-financing services,
to deposit, withdraw and pay for goods
and services easily with a mobile device.
In some cases, almost half the value of a
country's GDP goes through mobile phones.
But these mobile payments are now suffering
a wave of attacks in which people lose their
money, all driven by SIM swap fraud, and
such attacks are being conducted on a
large scale.
SIM swap fraud is a type of account takeover
fraud that targets a weakness in
two-factor authentication and two-step
verification: the second factor or step is an
SMS or a voice call placed to a mobile
telephone number. The fraud centres on
exploiting a mobile operator's ability to
re-assign a telephone number to a new SIM
card, the same process used for a legitimate
SIM replacement.
This feature is normally used when a
customer has lost or had their phone stolen.
Attacks like these are now widespread, with
cybercriminals using them not only to steal
credentials and capture OTPs (one-time
passwords) sent via SMS but also to cause
financial damage to victims.
Criminals can hijack your accounts by
having a password reset code sent to your
phone number, which they now control. They
can trick automated systems, such as your
bank's, into thinking they are you when they
call customer service. Worse, they can use
your hijacked number to break into your work
email and documents. These attacks pay off
because our financial life revolves around
mobile apps that we use to send money, pay
bills and so on, many of which rely on that
phone number to verify who we are.
74
INTELLIGENTCIO
How the cybercriminals do it
The scam begins with the fraudster
gathering details about the victim: through
phishing emails, by buying information
from organised crime groups, through social
engineering or from data leaks. Once the
fraudster has the necessary details, they
contact the victim's mobile telephone
provider and use social engineering to
convince the operator to move the victim's
phone number to the fraudster's SIM, for
example by impersonating the victim,
claiming the phone has been lost and asking
for the number to be activated on a new
SIM card.
After that, the victim's phone loses
its connection to the network and the
fraudster receives all the SMS messages and
voice calls intended for the victim. This
allows the fraudster to intercept any
one-time passwords sent to the victim by
SMS or by telephone call; every service that
relies on SMS or voice-call authentication
can then be accessed by the fraudster.
We have found that some of the processes
used by mobile operators are weak and
leave customers open to SIM swap attacks.
For example, in some markets in order to
validate your identity the operator may
ask for some basic information such as full
name, date of birth, the amount of the
last top-up voucher and the last five
numbers called.
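The flow described in the two passages above (the knowledge-based identity check at customer service, the number moving to the fraudster's SIM, and the SMS one-time password landing in the fraudster's inbox), as an added simulation in Python. This is not code from the article or from Kaspersky: the carrier, SIMs, phone number, account facts and bank are all constructed for the demo, and the "recent SIM change" check in the hardened login path is an assumed control included for contrast, not something the article describes.

```python
"""Toy model of SIM swap fraud against SMS one-time passwords (OTPs).

Added illustration, not code from the article or from Kaspersky. Every
object here (carrier, SIM cards, number, bank) is constructed. The
"recent SIM change" check in HardenedBank is an assumed control shown
for contrast; the article does not describe it.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Sim:
    iccid: str                                  # constructed SIM serial
    inbox: list = field(default_factory=list)   # SMS delivered to this SIM


class Carrier:
    """Routes each phone number to the SIM currently serving it."""

    def __init__(self):
        self.routes = {}           # number -> Sim
        self.last_sim_change = {}  # number -> hour of last provision/swap
        self.account_facts = {}    # number -> answers customer service expects

    def provision(self, number, sim, facts, now):
        self.routes[number] = sim
        self.account_facts[number] = facts
        self.last_sim_change[number] = now

    def swap_sim(self, number, new_sim, answers, now):
        """'I lost my phone' flow: only the weak knowledge-based questions
        from the article (name, birth date, last top-up, numbers called)."""
        if answers != self.account_facts[number]:
            raise PermissionError("identity check failed")
        self.routes[number] = new_sim          # old SIM drops off the network
        self.last_sim_change[number] = now

    def send_sms(self, number, text):
        self.routes[number].inbox.append(text)  # whoever holds the number reads it

    def hours_since_sim_change(self, number, now):
        return now - self.last_sim_change[number]


class Bank:
    """Login step that sends a 6-digit OTP by SMS to the number on file."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}  # account -> current OTP

    def request_otp(self, account, number, now):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = otp
        self.carrier.send_sms(number, f"Your login code is {otp}")
        return "sms_sent"

    def verify(self, account, otp):
        return self.pending.pop(account, None) == otp


class HardenedBank(Bank):
    """Assumed control: refuse SMS OTP when the SIM behind the number
    changed recently and demand a factor not tied to the phone number."""

    MAX_SIM_AGE_HOURS = 72

    def request_otp(self, account, number, now):
        if self.carrier.hours_since_sim_change(number, now) < self.MAX_SIM_AGE_HOURS:
            return "sms_blocked_step_up_required"
        return super().request_otp(account, number, now)


def extract_otp(sms):
    return sms.rsplit(" ", 1)[1]


def build_world(hardened):
    carrier = Carrier()
    victim_sim, fraud_sim = Sim("8944-VICTIM"), Sim("8944-FRAUD")
    number = "+5511999990000"   # constructed
    facts = {"full_name": "A. Victim", "date_of_birth": "1980-01-01",
             "last_topup": "20", "last_called": "11111,22222,33333,44444,55555"}
    carrier.provision(number, victim_sim, facts, now=0)
    bank = HardenedBank(carrier) if hardened else Bank(carrier)
    return carrier, bank, number, victim_sim, fraud_sim, facts


def run_attack(hardened):
    """Fraudster swaps the SIM, then tries to log in with the victim's number."""
    carrier, bank, number, victim_sim, fraud_sim, facts = build_world(hardened)
    carrier.swap_sim(number, fraud_sim, dict(facts), now=1000)  # scraped answers
    status = bank.request_otp("victim-acct", number, now=1001)
    logged_in = False
    if status == "sms_sent":
        logged_in = bank.verify("victim-acct", extract_otp(fraud_sim.inbox[-1]))
    return {"status": status, "victim_received": len(victim_sim.inbox),
            "attacker_logged_in": logged_in}


def run_legit_login(hardened):
    """Victim with an unchanged SIM still gets the SMS and logs in."""
    _, bank, number, victim_sim, _, _ = build_world(hardened)
    status = bank.request_otp("victim-acct", number, now=1001)
    return status == "sms_sent" and bank.verify("victim-acct", extract_otp(victim_sim.inbox[-1]))


if __name__ == "__main__":
    print("plain SMS OTP:", run_attack(hardened=False))
    print("with SIM-change check:", run_attack(hardened=True))
```

In the plain case the victim's SIM receives nothing and the fraudster completes the login with the intercepted code; the hardened bank refuses to send the SMS at all because the number was moved to a new SIM an hour earlier. In production the bank would not hold the carrier's routing table; the equivalent signal comes from the operator (a SIM-change date lookup), which is the assumption this toy carrier stands in for.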
Fraudsters can find some of this information
on social media or by using apps such as
TrueCaller to get the caller name based on
www.intelligentcio.com