Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

12/23/2019
07:00 AM
Terry Sweeney
Terry Sweeney
Edge Articles
Connect Directly
Facebook
Twitter
RSS
E-Mail
100%
0%

SIM Swapping Attacks: What They Are & How to Stop Them

Fraudsters with social engineering skills are hijacking cell phone SIM cards to access victims' bitcoin and social media accounts.

Every mobile phone sports a subscriber identity module (SIM) card that contains all sorts of unique information about the phone, the user, and their carrier. The critical element, however, is the subscriber phone number. If you've traveled from the US to Europe or Asia, you may have even done your own swapping out of SIM cards to be able to make calls on GSM cellular networks used just about everywhere outside North America.

That's not the kind of SIM swapping we're talking about.

What Is a SIM Swapping Attack?
By getting a mobile phone carrier to transfer a user's phone number to a fraudster's SIM card, the bad guys can access a variety of riches linked to a victim's mobile phone.

They can compromise multifactor authentication (MFA) methods that use SMS as a second factor by tapping into those SMS authorizations. From there, they can take over victims' accounts, from social media accounts to financial institutions to luxury retailers. (As a result, SMS is getting scrutinized as an element in MFA.)

While the point of SIM swapping often is to shame or humiliate, it has also been used to steal bitcoin.

How SIM Swapping Works
There are two ways to perform a SIM swap, explains Zack Allen, director of threat operations for security vendor ZeroFox.

The first method relies on social engineering of a mobile phone carrier's service rep. The second method works with a rogue employee at a mobile carrier. "There's been some SIM swapping by 'turning' an employee who performs the swap on the fraudster's behalf," Allen says.

Once disconnected from their original carrier, SIM-swap victims will no longer receive carrier-facilitated calls or text messages, notes Tanner Johnson, an analyst covering security for IHS Markit. Instead, all of those communications will be routed to the attacker. Wi-Fi will still function since that's independent of the carrier, but telephony and carrier-provided Internet capabilities will be immediately impacted, he adds.

What's the Impact?
The two most common outcomes of SIM swapping are theft of money (usually cryptocurrency) and control, which can also be monetized, according to Allen.

Most famously, a SIM swapping attack snared Twitter founder Jack Dorsey in August. The attackers remotely seized control of Dorsey's device, subsequently his Twitter profile, and posted embarrassing tweets like a repost of "Nazi germany did nothing wrong."

Further, "We've seen a lot of cryptocurrency figures attacked because of their influence," Allen adds; losses have been reported in the six-figure range and higher. "The scariest thing about SIM swapping is the information you can get once you control someone's accounts. With bitcoin, there's no fraud department to investigate or refund you your money."  

He also points to the scourge of "account takeover communities" that rely on SIM swapping to make money from social media accounts. Groups like Chuckling Squad that took over Dorsey's account target important or influential users, take over their phones, and then resell the access.

So Should We Stop Using MFA?
The advent of SIM swapping has some experts questioning use of MFA and its partial reliance on unique codes delivered via SMS. Authentication, to review, relies on what you know, what you are, and/or what you have. SIM swappers found a weakness within the "what you have" part, according to ZeroFox's Allen.

"What stinks about this is people preferred MFA for authentication," he adds. "I still think MFA is great, but it's preferable to go through an authentication app or use something that's hardware-based." However those authentication methods may not be as fast or as familiar as receiving an SMS with a unique code, which bumps up against an age-old tension in security of usability versus effectiveness.

"Do not stop using MFA!" Markit's Johnson exclaims. "I cannot emphasize this enough."

How Do We Combat SIM Swapping?
Johnson cautions users away from SMS as a method of MFA, and instead to password-generating apps like Google Authenticator, Microsoft Authenticator, and Authy. 

"As these are generated locally and not transmitted via text or email, they are far more robust MFA options," Johnson says. "Additionally, these apps require physical access to the phone, which I hope has a password in place to unlock it to begin with."

Johnson also likes using Google Voice as an antidote to SIM swapping since it creates a phone number tied to your Google account, not your carrier.

"Using this number as your contact for critical services will prevent any MFA text messages from being sent to a SIM-swapped device if the text/call forwarding option is inactive on the account, which is easily adjusted," he explains. Instead, if forwarding is turned off, the messages will only go to a device with the Google Voice app installed, or the corresponding email address. But the settings must be properly configured, he warns.

Customers can also take the extra step of contacting their mobile carriers and requesting additional security features, like verbal passwords, to prevent any changes being made on their account. "I have gone one step further and asked that in addition to this, no SIM-related changes can be made unless they are requested in person at a physical store location, as this will require additional ID," Johnson adds.

Mobile carriers are more aware of the threat posed by SIM swapping and are offering additional security features like verbal passwords to combat it. But mobile carriers need to significantly change their internal processes, according to Johnson. Effectively combatting SIM swapping "will require a concerted training effort to prevent their own customer service reps from falling for social engineering attempts on accounts without additional security hurdles in place," Johnson says.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
koray_arikan
50%
50%
koray_arikan,
User Rank: Apprentice
12/30/2019 | 7:46:00 AM
Resolving SIM swap attacks
This attack method has almost no use in the financial sector in Turkey because of the integration between the telecom operators and banks for several years. Whenever a SIM change occurs, the user is put on the "recent" SIM change list of the operators. The operators provide this information in the form of a web service to the banks and users are required to undergo a KYC process if they are listed in the "SIM changed" list. An effective solution to this problem. :)
   OVER THE EDGE
Building Cybersecurity Strategies in Sub-Saharan Africa

Filmed for Dark Reading News Desk at Black Hat Virtual.

LAURA TICH: We have that imbalance, where the big organizations are more protected, where the smaller ones -- which are the most common businesses in the region -- they are least protected... Sometimes they do get the tools, they do get the funding to buy some critical tools, but there's a lack of skills to handle or people who understand how to work those tools. So there are a lot of factors that contribute to our growth -- or lack thereof -- in the cybersecurity industry.

 

Name That Toon: Tough Times, Tough Measures
Latest Comment: Wear a mask, please!