Sim-Swapping Attacks

Introduction


At its most basic, SIM-jacking (or SIM-swapping) is an attack in which your phone number is migrated away from your SIM card and/or phone to a different SIM card and/or phone that an attacker controls. The attacker then uses this access to your phone number, usually via text message, to gain access to your other internet accounts. They do this by “recovering” access to an account (e.g., Google) or in conjunction with other information or access they have (e.g., using a previously leaked password + SMS 2FA).

How it works


  1. Finding a target: Laying the groundwork is a crucial part of SIM swapping. First, the attackers find some personal information on potential targets. Anything from bank logins to age, location — even social security numbers — can be found floating around the web. If they need more, they may use a phishing attack to trick users into revealing something crucial.
  2. Tricking (social engineering) tech/customer support: Now that they have a strategy, the hacker will call up your carrier (it’s pretty easy to find out which carrier a number is on), use what they know about you to get through the security questions, and ask them to port the number to a new SIM card. With a bit of social engineering, they can trick the tech support representative into putting a user’s number onto a phone controlled by hackers.
  3. Swapping the SIM: If the attack succeeds, the carrier will give your number and SIM to the attacker, upon which users may (or may not) receive a message informing them that their SIM has been updated or deactivated. They will then be unable to place calls or send texts, at which point most victims will realise something is wrong.
  4. Accessing the Target's Accounts: Once the number is under the attacker’s control, they can use it to gain access to accounts by using its 2FA capabilities or using it to reset your passwords. With your phone number, they often only need to know your email address and possibly a few pieces of personal information to get in.
  5. Taking Over: Once in, attackers will generally change passwords, email addresses, and other information that could enable users to regain control of their accounts. If the hacked account is a bank, cryptocurrency exchange, or other financial institution, they will take the money. This will go on until they’ve gotten what they want or until the user gets their access revoked.


Attackers' Motives for Carrying Out SIM Jacking


The Short Messaging Service (SMS) was originally developed as an engineering signalling system. It was not designed as a method for transmitting secure messages.
SMS has a number of qualities which make it attractive for business use:
  • ubiquity – the vast majority of mobile phones globally support the SMS protocol making it easy/cheap to develop services
  • familiarity – consumers understand SMS
  • timely – SMS messages generally get delivered, globally, within a few seconds
  • inexpensive – relatively low cost to use
  • reliability – the store and forward nature of SMS means it is often seen as a ‘fire and forget service’
Organisations, particularly Banks, use SMS for the following purposes:
  • to send information to customers
  • to send one-time passcodes to customers
  • to confirm a questionable transaction
It is these qualities which make SIM-swapping attacks attractive: if they succeed, the attacker is likely to gain a big payout.


Reducing the Risk

 Recommended measures to prevent becoming a victim:

  • Protect your personal information: Avoid posting personal data online, such as your mobile phone number, address, or other personal information. Bad actors often do significant information gathering before attempting to compromise a target. Do not leave important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
  • Protect your financial information: Avoid posting information online about your financial assets (including cryptocurrency), especially on any social media websites and forums.
  • Take precautions with your mobile service provider: Call your mobile service provider and place a PIN on your account; only individuals with the PIN should be able to make any changes on the account. In addition, place a note on the account that mandates any change to the account must be done in-person at a physical location.
  • Use unique passwords: Secure online accounts with unique passwords—preferably passphrases—and do not re-use the same password across each account.
  • Use two-factor authentication apps or physical security keys: Activate two-factor authentication on every online account when possible; preferably using a standalone authentication app such as Google Authenticator instead of SMS. A physical security key is even better.

If you suspect that you may be a victim of SIM swapping, there are several steps to mitigate any harm and report the incident to your relevant local law enforcement:
  • Access your accounts: Attempt to access your online accounts as soon as possible from a secure location or connection and change your password. Email accounts are normally targeted first.
  • Call or visit your bank: Call your financial institutions to place an alert on your accounts for suspicious login attempts. Ideally, have ID on you when you do this, request that the bank opens an incident report, and make sure they give you the number of that report (or whatever the equivalent is). If you need to contact them about it in the future, quoting the incident report number should get you the information straight away.
  • Look for unusual activity: Once online accounts have been re-established, view your recent activity to check for any unusual activity. Check for unknown devices associated with the account. Save any indicators of suspicious activity so you can report them to law enforcement.
  • Call your mobile service provider or visit them in-store if able: Report the incident to a physical location for your mobile service provider after your online accounts have been remediated. Attempt to ascertain when the SIM was ported to a new phone and gather the SIM card number and IMEI from the mobile provider. Save any bad actor SIM and mobile phone information to report to law enforcement. Again, request that an incident report be opened and get the reference number for it. This also makes it harder for the company to fob you off or ignore the incident.
  • Call your law enforcement: Report the incident to your national crime agency and/or your local police service.
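A small triage helper for the "look for unusual activity" step, as an added example that is not part of the original post: it filters an account activity export down to the window between the SIM port time reported by the carrier and the time the number was restored, and flags unknown devices and recovery or credential changes. The event names, device labels and timestamps are constructed for illustration; real exports differ per provider.

```python
from datetime import datetime

# Constructed sample export: (UTC timestamp, event, device). Not real data.
EVENTS = [
    ("2024-03-01T08:12:00", "login_ok", "laptop-home"),
    ("2024-03-02T21:40:00", "sms_code_sent", "laptop-home"),
    ("2024-03-04T14:07:00", "password_reset_via_sms", "unknown-android"),
    ("2024-03-04T14:09:00", "recovery_email_changed", "unknown-android"),
    ("2024-03-04T14:15:00", "login_ok", "unknown-android"),
    ("2024-03-09T09:00:00", "login_ok", "laptop-home"),
]
KNOWN_DEVICES = {"laptop-home"}

# Hypothetical event names for the account changes described in the
# "Accessing" and "Taking Over" steps of the attack.
TAKEOVER_EVENTS = {"password_reset_via_sms", "password_changed",
                   "recovery_email_changed", "recovery_phone_changed"}

# Assumed values: port time as reported by the carrier, and the time the
# number was returned to the legitimate SIM.
SWAP_TIME = datetime(2024, 3, 4, 13, 50)
RESTORED_TIME = datetime(2024, 3, 5, 10, 0)


def triage(events, swap_time, restored_time, known_devices):
    """Return events inside the swap window together with the reasons they stand out."""
    flagged = []
    for ts, event, device in sorted(events):
        when = datetime.fromisoformat(ts)
        if not swap_time <= when <= restored_time:
            continue
        reasons = []
        if device not in known_devices:
            reasons.append("unknown device")
        if event in TAKEOVER_EVENTS:
            reasons.append("recovery or credential change")
        if reasons:
            flagged.append({"time": ts, "event": event,
                            "device": device, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Print one line per indicator, ready to attach to an incident report.
    for hit in triage(EVENTS, SWAP_TIME, RESTORED_TIME, KNOWN_DEVICES):
        print(hit["time"], hit["event"], hit["device"], "; ".join(hit["reasons"]))
```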

Conclusion

Hopefully, this post has provided some useful information about SIM-swapping attacks. A final word on asking banks and mobile service providers for an incident report number. In an ideal world, the staff in charge would open a new case anyway. Requesting one and getting confirmation of the number might seem excessive, but with the risk of potentially incurring financial loss it is better to be informed than to have just verbal reassurances that action is being taken. If they refuse and say it is not policy to give out incident report numbers, request or demand (but do not get angry or raise your voice) that a manager gives you a signed letter on company headed paper stating that action is being taken to resolve the issue. While this is an extreme step, remember that to stop the attacker, action has to be taken quickly, before they can do damage. Requesting evidence that action is being taken therefore helps reassure you, the potential victim, that the bank or mobile service provider is acting on your behalf to stop the SIM-swapping attack from succeeding.

Requesting a case number, if they do not give you one themselves, is also worthwhile whenever you deal with customer support, regardless of the situation. It will save you time in the long run if you have a problem and need to make multiple calls: handing over the case number means you shouldn't have to state why you are calling every time, as it should already be in their equivalent of an incident report/case.

