Cyber Attackers Are Using SIM Card Scams to Steal Money and Information
The first ever SIM card was developed some 29 years ago, in 1991. Right now, there's a good chance that there is at least one SIM card very near you, and although you rarely give it much thought, life without this small silicon chip embedded in a piece of plastic would be very different. When it comes to wireless communication, SIM cards are indispensable, and for the last few years, they've also been helping us connect to the internet on the go. We won't even mention the armies of SIM-enabled Internet-of-Things gadgets that are becoming more and more common. The impact SIM cards have on our everyday lives is substantial, and the trouble starts when scammers decide to abuse them.
SIM swapping in action
British financial website ThisIsMoney.co.uk recently published the story of Ryan Finnegan – a 37-year-old Scotsman who saw his bank account drained after a SIM swapping attack. We've discussed SIM swapping in the past, and Ryan Finnegan's story showcases just how ruthlessly effective this technique can be.
It all started when Mr. Finnegan received a text message from Tesco Mobile, his mobile communication service provider, thanking him for getting in touch with the telco's customer service department. The thing was, he hadn't actually contacted any customer service people. He called Tesco Mobile, which told him that something suspicious might indeed be going on, but since there was nothing visibly wrong with his account, there was no need to worry.
The "don't sweat it" advice was bad. Shortly after, he received another text message, this time from TSB, his bank. It confirmed his online banking registration, which was odd given that he had previously opted out of using the online banking system. Before he could react, the scammers had siphoned £2,500 from Mr. Finnegan's bank account.
Telcos and their role in SIM swapping
We've talked in the past about how most cyberattacks rely on simple social engineering rather than uber-sophisticated hackers and zero-day exploits. When criminals decide to play mind tricks, however, they more often than not turn directly to the victim. With SIM swapping, they use their social engineering skills on the customer service departments of the telecommunications companies.
A SIM swapper's job is to convince the service provider to transfer the victim's number to another SIM card. From that moment, every call and text meant for the victim, including one-time codes sent by SMS and the "we'll text you a link" flow of an account registration or password reset, arrives on the attacker's handset instead. As you can see from Mr. Finnegan's case, this lets them impersonate the target and do all sorts of damage, including bypassing two-factor authentication and stealing money.
In the past, transferring a phone number to a new SIM card meant going into the telco's office and providing some form of ID. For the sake of convenience, telecommunications companies now let you do it over the phone, even if the number you're calling from isn't the one you're trying to move.
During their investigation, ThisIsMoney.co.uk asked some of the UK's major mobile service providers about the procedures when a number is transferred over the phone. Tesco Mobile preferred not to comment, but the report suggests that it revolves around a security question. In the case of Mr. Finnegan, the question was apparently "What's your favorite color?", and the SIM swappers made five consecutive calls to the customer service department before they correctly guessed the answer. Four failed verification attempts on the same account within a short span is exactly the pattern a fraud check should catch, yet Tesco Mobile failed to spot anything suspicious.
The rest of the service providers did respond to ThisIsMoney.co.uk, and most of them revealed that they too rely on security questions. The flaws of this particular authentication mechanism have been discussed at considerable length: the answers are drawn from a tiny space of likely values, and much of what people pick (pet names, birthplaces, favorite teams) is a social media search away. To be fair, most telcos require additional information before allowing the number transfer, but even so, in the age of social networks, a security question as a means of verifying a user's identity is not acceptable.
What can users do about SIM swapping?
Ryan Finnegan ended up getting his money back, which is the good news, but it's fair to say that many others like him won't be as lucky. In any case, preventing an attack is less stressful than trying to recover from it. So, what can you do?
As always, the first step is to get to know the threat and to realize that it's very real indeed. It's easy to think that the scammers won't bother with Joe Average, but Action Fraud, a British cybercrime reporting service, recorded nearly 550 successful SIM swapping attacks in the span of three years, which goes to show that the "it won't happen to me" mentality is not going to do you any favors.
Learn how your telecommunications provider handles phone number transfers and consider what you can do to make the most of the mechanisms that are forced upon you. Sometimes, you can't escape security questions, but you can make them a bit more useful at protecting your data: treat the answer as a password rather than a fact about yourself, make it random and unrelated to the question, and keep it in your password manager. Scammers are unlikely to guess, for example, that the name of your dog is "Dihydrogen monoxide".
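The two sides of the security-question problem described above (the repeated-call pattern in the Finnegan case that went unnoticed, and the advice to pick random answers) as a worked example. This is an added illustration, not code from the article, from Tesco Mobile or from any telco: the verification log, the phone numbers (from the Ofcom range reserved for fiction), the wordlist and the thresholds are all constructed.

```python
"""Added example: (1) a telco-side check that flags an account after repeated
failed security-question verifications across separate calls, and (2) the
user-side remedy of a random, high-entropy answer. All data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import math
import secrets

# Constructed call-centre records: (ISO timestamp, account number, outcome).
# The first account mirrors the case in the article: four wrong answers,
# then a correct guess on the fifth call.
VERIFICATION_LOG = [
    ("2020-01-10T10:02:00", "07700900123", "fail"),
    ("2020-01-10T10:09:00", "07700900123", "fail"),
    ("2020-01-10T10:15:00", "07700900123", "fail"),
    ("2020-01-10T10:21:00", "07700900123", "fail"),
    ("2020-01-10T10:30:00", "07700900123", "pass"),  # fifth call succeeds
    ("2020-01-10T11:00:00", "07700900456", "pass"),  # unrelated, clean account
]


def flag_accounts(log, max_failures=3, window=timedelta(hours=24)):
    """Return the set of accounts that reached `max_failures` failed
    verifications inside `window`. A later 'pass' does not clear the flag:
    the eventual correct guess is the suspicious event, so any number
    transfer for a flagged account should require stronger verification."""
    failures = defaultdict(list)
    flagged = set()
    for ts, account, outcome in log:
        now = datetime.fromisoformat(ts)
        if outcome != "fail":
            continue
        # keep only failures still inside the sliding window, then count
        recent = [t for t in failures[account] if now - t <= window]
        recent.append(now)
        failures[account] = recent
        if len(recent) >= max_failures:
            flagged.add(account)
    return flagged


# Constructed sample of what "favourite colour" answers look like in practice:
# roughly a dozen likely values, i.e. under four bits of entropy.
COMMON_COLOURS = ["red", "blue", "green", "yellow", "black", "white",
                  "purple", "orange", "pink", "brown", "grey"]

# Constructed stand-in for a diceware-style wordlist (a real one has 7776 words).
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord",
            "granite", "harbor", "iris", "juniper", "kelp", "lumen"]


def guess_probability(answer_space, attempts):
    """Chance that an attacker exhausting `attempts` guesses over a space of
    `answer_space` equally likely answers gets in. Five calls against eleven
    colours is nearly even odds; against a four-word random answer it is nil."""
    if answer_space <= 0:
        raise ValueError("answer_space must be positive")
    return min(1.0, attempts / answer_space)


def answer_entropy_bits(answer_space, n_words=1):
    """Entropy of `n_words` independent picks from `answer_space` values."""
    return n_words * math.log2(answer_space)


def random_answer(n_words=4, wordlist=WORDLIST):
    """Generate a security-question answer the way you would a passphrase:
    uniformly random words from a list, chosen with the `secrets` CSPRNG.
    Store the result in a password manager; it is not meant to be remembered."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("flagged accounts:", flag_accounts(VERIFICATION_LOG))
    print("P(guess colour in 5 calls):",
          round(guess_probability(len(COMMON_COLOURS), 5), 3))
    print("P(guess 4-word answer in 5 calls):",
          guess_probability(7776 ** 4, 5))
    print("example random answer:", random_answer())
```

With a real wordlist of 7776 entries, four words give about 52 bits, against the three and a half bits of a favourite colour; the telco-side counter is the part that was missing in the story above, since the guessing only worked because each call was judged in isolation.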
Last but not least, be on the lookout for anything suspicious, such as a thank-you text for a call you never made or a sudden loss of signal, and if you spot something wrong, don't waste any time reporting it to your mobile provider and your bank.