In March 2020, Europol announced that it had arrested more than two dozen people suspected of draining bank accounts by hijacking victims’ phone numbers via SIM-swap fraud. The eight-month cross-border investigation, a collaboration between the Romanian National Police (Poliția Română) and the Austrian Criminal Intelligence Service (Bundeskriminalamt) with the support of Europol, led to the arrest of 14 members of a crime gang who emptied bank accounts in Austria by gaining control over their victims’ phone numbers.
The modus operandi was simple. Having gained control over a victim’s phone number, the criminals would use stolen banking credentials to log onto a mobile banking application and generate a withdrawal transaction, which they then validated with a one-time password sent by the bank via SMS, allowing them to withdraw money at cardless ATMs. It is estimated that this gang managed to steal over half a million pounds from unsuspecting bank account owners.
This case, alongside another Europol investigation in January 2020 targeting suspects across Spain believed to be part of a hacking ring that stole over £3 million in a series of SIM-swapping attacks, has highlighted the growing frequency of this latest attack vector.
As SIM swapping requires substantial effort and costs from attackers, we are seeing high net worth individuals and people in positions of corporate, government, or social influence increasingly being targeted.
Understanding the cyber-criminals’ attack method
So, what is the likely attack formula and how do you know if you have been attacked? Attacks normally utilize blackmailing, bribing, or socially engineering a cell phone service provider employee to leverage their access to customer information or the mobile network itself.
Another method is constructing a profile of the target that contains sufficient PII (personally identifiable information) to falsely authenticate themselves to the target’s cell phone carrier. This can be achieved through service provider data breaches or by compiling PII from data breaches.
The signs of attack are that affected phones simply cannot make calls, they have no reception, and potentially have no access to emergency services. Furthermore, the attackers take over online accounts belonging to the subscriber. Unexpected text messages or e-mails referring to password resets, account logins, or phone number changes may occur before a successful takeover.
Mitigating SIM-swapping attacks
The alarming aspect of any SIM-swapping attack is that the victim usually hasn’t done anything that they shouldn’t, so in that respect it is hard to be extra vigilant. They haven’t clicked on a link in a phishing email and they haven’t gone to a fake site; their phone has simply stopped working.
The problem has probably arisen because an employee at the cell phone carrier was fooled by the attacker into reissuing the SIM, which was then used to take over the number.
That said, there are ways to avoid such attacks. It is important for individuals to establish a PIN code for their mobile carrier account. This can add a protective boundary for attacks that have targeted their PII. Unfortunately, this does not protect against attacks conducted with the assistance of malicious insiders.
Another option is prioritizing authentication applications over SMS-based two-factor authentication. Apps such as Google’s Authenticator, Okta, or Authy can be associated with a physical device, not just a phone number.
A benefit - besides not having an SMS message hijacked - is that the individual will have all the codes in a central location and that they are available all the time, even when the phone is offline.
Other measures include using a physical authentication key for critical accounts and staying vigilant: a major service disruption, such as failed message delivery, should be addressed urgently by reporting the situation to your service provider, monitoring passwords of online accounts and checking bank account transactions.
With SIM-swap cases already rising, and with cases of criminal activity being linked to the COVID-19 pandemic, it is important to highlight that SIM swapping is a key reason why a phone number may not be the best verifier of a person’s identity, as it represents a hole in the authentication process. Adding further layers of protection could help keep individual accounts and identity safe from these criminals.