What is SIM-Swap?
SIM-Swap fraud, also known as SIM Jacking or SIM swapping, is an invasive and insidious form of fraud in which a fraudster ports a telephone number to a different device that they control. The method is on the rise across the globe: the UK has reported a 300% increase in this fraud year-on-year, while the FBI highlighted SIM-Swap fraud as one of the most devastating cybercrimes of 2019.
How does it work?
A SIM-Swap begins when a fraudster sets out to obtain private information about their victim through various phishing attacks, a form of social engineering. Once the information is obtained, the attacker fraudulently convinces the victim’s mobile phone carrier to move the mobile number to a different SIM card under the pretence of having lost their phone. The fraudster answers the security questions asked by the carrier’s agent using the phished information, and the carrier transfers the number to the requested SIM card, giving the fraudster complete control over the victim’s number: hence the “swap”.
Once the victim’s number is operational on the fraudster’s SIM, they can begin resetting passwords and gaining access to online accounts that receive SMS messages or automated voice calls for authentication purposes. This then opens the possibility for fraudsters to gain access to bank accounts, messaging history and social media accounts. A victim may only realise something is wrong when they notice they have lost mobile network service on their handset. By the time they contact the mobile operator, the fraudster has had plenty of time to drain bank accounts, hack social media platforms or collect the information they need to blackmail the victim.
Who does it affect?
One of the most notable SIM-Swap cases was the $224 million lawsuit filed against AT&T by Michael Terpin, who lost close to $24 million in cryptocurrency through a SIM-Swap fraud attack. Twitter’s own CEO, Jack Dorsey, also fell victim to the attack. Jack Monroe, the British food writer, lost £5,000 to the fraud. Fraudsters are not only targeting millionaires, executives and celebrities. One man lost his life savings to the attack when fraudsters SIM-Swapped his phone and emptied his retirement account. A nurse was scammed out of tens of thousands of dollars. Two tourists were left stuck with no access to funds while travelling in South America after having their bank accounts drained.
The advent of 5G will place SIM cards even more firmly at the heart of our personal and professional lives. Industry 4.0, the fourth industrial revolution, will see manufacturing plants controlled by mobile devices through the IoT (Internet of Things). Supply chains and corporate IPs will be ever more exposed to threats. Our fridges, doorbells and home devices will have a common point: our phones. SIM attacks will continue to innovate and have a graver impact as the fraud evolves along with technology.
How to protect against it?
Every SIM card has a unique number, known as an International Mobile Subscriber Identity (IMSI). Just as registration plates identify vehicles on the road, IMSIs help mobile carriers identify a SIM on their network. When a fraudster ports their victim’s mobile number onto a device in their possession, the serial number, the IMSI, also changes. Solutions such as Sentry SIM SWAP by PVN detect these changes and in turn notify the third party, recommending that they withhold sending secure information to the mobile.
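
The IMSI comparison described above, sketched as an added example; it is not code from the article or from PVN's Sentry SIM SWAP product. It assumes the sender can obtain the current IMSI for a number from a carrier lookup, and the function names, the 72-hour hold window and the sample number and IMSIs are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed policy value: how long to withhold SMS secrets after a SIM change.
HOLD_WINDOW = timedelta(hours=72)

@dataclass
class SimRecord:
    imsi: str                       # IMSI last seen for this phone number
    changed_at: Optional[datetime]  # None until a change has been observed

def check_before_sms(baselines: Dict[str, SimRecord], msisdn: str,
                     current_imsi: str, now: datetime) -> Tuple[str, str]:
    """Decide whether an SMS one-time code may be sent to msisdn.

    current_imsi is assumed to come from a carrier lookup made by the caller.
    Returns (decision, reason) where decision is 'send', 'hold' or 'enrol'.
    """
    rec = baselines.get(msisdn)
    if rec is None:
        # First sighting: nothing to compare against, so record a baseline.
        baselines[msisdn] = SimRecord(current_imsi, None)
        return "enrol", "no baseline yet"
    if rec.imsi != current_imsi:
        # The number now sits on a different SIM: remember when that happened.
        baselines[msisdn] = SimRecord(current_imsi, now)
        return "hold", "IMSI changed since last check"
    if rec.changed_at is not None and now - rec.changed_at < HOLD_WINDOW:
        # Same IMSI as last time, but the swap is recent. Without this branch
        # a second request straight after the swap would be let through.
        return "hold", "IMSI changed recently"
    return "send", "IMSI unchanged"

def demo() -> list:
    """Replay constructed lookups for one number and return the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    number = "+447700900123"                         # constructed sample number
    old, new = "234150000000001", "234150000000002"  # constructed IMSIs
    events = [(t0, old), (t0 + timedelta(days=30), old),
              (t0 + timedelta(days=31), new),
              (t0 + timedelta(days=31, minutes=5), new),
              (t0 + timedelta(days=35), new)]
    baselines: Dict[str, SimRecord] = {}
    return [check_before_sms(baselines, number, imsi, t)[0] for t, imsi in events]

if __name__ == "__main__":
    print(demo())
```

A "hold" result is the point at which the sender would withhold the SMS and fall back to another verification channel.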