Sim swap fraud – an attack in multiple stages

With ever more finance and ecommerce apps present on our smart phones, SIM swap fraud is a lucrative choice for fraudsters looking to gain access to victim accounts, credit cards, and personal data. Online account providers, from social media to ecommerce and banks, frequently encourage users to add a mobile phone number as part of their “two-factor authentication” strategy in order to secure their users’ account access or before allowing users to carry out financial transactions. The mobile phone number linked to the user account is then used to validate that future attempts to access services are made by the genuine customer. But what if a third party has managed to gain control of this number?

SIM swap fraud is largely made possible due to the fact that customers are able to switch SIMs while carrying their current phone number with them. Fraudsters exploit this possibility, calling network operators and posing as the victim claiming to have lost their SIM card or needing switch to a new provider. If the fraudster successfully passes the security questions asked by the operator, they will be able to transfer the victim’s phone number over to a SIM card in their control.

As additional personal information about the victim is required in order to complete this kind of attack, SIM swap fraud is frequently the second stage in a wider fraud attack usually starting with targeted social engineering. Potential victims are identified and targeted with phishing emails or calls seeking to discover personal data including passwords and secret answers.

Victims often struggle to tell the difference between these highly personalised and sophisticated requests for information against legitimate communications from their bank or websites they frequently use. Key information such as full names and dates of birth can also be gained by searching social media or other public websites allowing a potential fraudster to quickly complete a profile of their intended victim or victims. This research stage of the attack will often help the fraudster discover which banks or ecommerce sites are used by the victim, and so the fraudster will know which companies to target once the SIM swap stage of the fraud has been successfully carried out.

Once the fraudster has control of their victim’s phone number, relatively unlimited access is available to any of the victim’s accounts that use SMS messaging as the second factor for authentication. Security texts will be sent to the number now in the fraudster’s control, locking the victim out of their phone and their accounts. When successfully combined with social engineering, SIM swap fraud can lead to the equivalent of a “device takeover” attack as the victim’s Apple account, for example, can be set up on a new iPhone in the fraudster’s control. This is made possible as long as the fraudster possesses all of the vital security answers which will have been gathered during the social engineering stage of the attack and may allow the fraudster to go as far as adding a new fingerprint ID to the victim’s Apple account. At this stage, all of the victim’s iPhone apps, and therefore financial data stored within those apps, are in the fraudster’s hands.

While the victim is likely to detect the issue relatively quickly when access is lost to their phone number and device settings, putting it right and regaining control of their identity can prove a time-consuming problem while operators and account providers seek to confirm the true identity of the customer. This additional time allows the fraudster to complete their attack and drain the victim’s accounts or gain further personal data for carrying out future attacks such as setting up new fake financial accounts in the victim’s identity.

Online account providers, particularly in the financial services industry, can look for risk indicators such as a change in device behaviour to identify a change in identity behind the account access. This may lead to taking additional precautionary and verification steps before sending a second-factor text message to a number under the control of a fraudster. Providers may also wish to consider the use of app-based authentication where the device itself, rather than the phone number, forms part of the authentication. When a significant change in device or device settings is detected, additional steps can be taken before sending the authentication code to prevent a fraudster from intercepting this valuable code.

Users can also limit the potential for their own accounts being caught in such an attack by limiting the amount of information they reveal about themselves online and exercising caution when receiving emails or calls purporting to be from their bank. By avoiding the social engineering stage of the attack, the potential for a fraudster to carry out a SIM swap is greatly reduced. Victims may also become aware that they have become the victim of SIM swap fraud when they lose phone signal and so should be advised to contact their phone operator immediately if this occurs unexpectedly without regaining signal soon after.

While the increased use of two-factor authentication continues to help in the fight against online fraud, companies should be aware of the potential to exploit the frequently-used SMS second factor. Businesses should continue building layered strategies and using technology to identify suspicious account activity and fraud risk to avoid an over-reliance on SMS security codes in customer authentication.

This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce and banking, and financial services ecosystems. Moreover, it provides payment and fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Emma Mohan-Satta

Emma has been working in fraud prevention for the past decade developing knowledge across financial services and ecommerce. After working for American Express, she gained experience with a number of fraud prevention vendors and now looks after fraud risk and strategy for a fintech startup called Capital on Tap.