Sim-Swapping Attacks

Introduction
At is most basic a Sim-jacking/swapping is an attack in which your phone number is migrated away from your SIM card and/or phone to a different SIM card and/or phone that an attacker controls. The attacker then uses this access to your phone number, usually via text message, to gain access to your other internet accounts. They do this by “recovering” access to an account (e.g., Google) or in conjunction with other information or access they have (e.g., using a previously leaked password + SMS 2FA).

How it works
  1. Finding a target: Laying the groundwork is a crucial part of SIM swapping. First, the attackers find some personal information on potential targets. Anything from bank logins to age, location — even social security numbers — can be found floating around the web. If they need more, they may use a phishing attack to trick users into revealing something crucial.
  2. Tricking (social engineer) tech/customer support: Now that they have a strategy, the hacker will call up your carrier (it’s pretty easy to find out which carrier a number is on), use what they know about you to get through the security questions, and ask them to port the number to a new SIM card. With a bit of social engineering, they can trick the tech support representative into putting a user’s number onto a phone controlled by hackers.
  3. Swapping the SIM: If the attack succeeds, the carrier will give your number and SIM to the attacker, upon which users may (or may not) receive a message informing them that their SIM has been updated or deactivated. They will then be unable to place calls or send texts, at which point most victims will realise something is wrong.
  4. Accessing the Targets Accounts: Once the number is under the attacker’s control, they can use it to gain access to accounts by using its 2FA capabilities or using it to reset your passwords. With your phone number, they often only need to know your email address and possibly a few pieces of personal information to get in.
  5. Taking Over: Once in, attackers will generally change passwords, email addresses, and other information that could enable users to regain control of their accounts. If the hacked account is a bank, cryptocurrency exchange, or other financial institution, they will take the money. This will go on until they’ve gotten what they want or until the user gets their access revoked.


 Attackers Motives for carrying out SIM Jacking
The Short Messaging Service (SMS) was originally developed as an engineering signalling system. It was not designed as a method for transmitting secure messages.
SMS has a number of qualities which make it attractive for business use:
  • ubiquity – the vast majority of mobile phones globally support the SMS protocol making it easy/cheap to develop services
  • familiarity – consumers understand SMS
  • timely – SMS messages generally get delivered, globally, within a few seconds
  • inexpensive – relatively low cost to use
  • reliability – the store and forward nature of SMS means it is often seen as a ‘fire and forget service’
Organisations, particularly Banks, use SMS for the following purposes:
  • to send information to customers
  • to send one-time passcodes to customers
  • to confirm a questionable transaction
It is these qualities which make SIM-Swapping attacks attractive since if they successfully the attacker is likely to gain big payout.
Reducing the Risk

  Recommended measures to prevent becoming a victim:

  • Protect your personal information: Avoid posting personal data online, such as your mobile phone number, address, or other personal information. Bad actors often do significant information gathering before attempting to compromise a target. Do not leave important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
  • Protect your financial information: Avoid posting information online about your financial assets (including cryptocurrency), especially on any social media websites and forums.
  • Take precautions with your mobile service provider: Call your mobile service provider and place a PIN on your account; only individuals with the PIN should be able to make any changes on the account. In addition, place a note on the account that mandates any change to the account must be done in-person at a physical location.
  • Use unique passwords: Secure online accounts with unique passwords—preferably passphrases—and do not re-use the same password across each account.
  • Use two-factor authentication apps or physical security keys: Activate two-factor authentication on every online account when possible; preferably using a standalone authentication app such as Google Authenticator instead of SMS. A physical security key is even better.

If you suspect that you may be a victim of SIM swapping, there are several steps to mitigate any harm and report the incident to your relevant local law enforcement:
  • Access your accounts: Attempt to access your online accounts as soon as possible from a secure location or connection and change your password. Email accounts are normally targeted first.
  • Call or visit your bank: Call your financial institutions to place an alert on your accounts for suspicious login attempts. Ideally, have ID on you when you do this and request that the bank opens an incident report and ensure they give you the number of that report or whatever the equivalent is. So if you need to contact them about it in the future you should get the information straight away by telling them incident report number. 
  • Look for unusual activity: Once online accounts have been re-established, view your recent activity to check for any unusual activity. Check for unknown devices associated with the account. Save any indicators of suspicious activity so you can report them to law enforcement.
  • Call your mobile service provider or visit them in-store if able: Report the incident to a physical location for your mobile service provider after your online accounts have been remediated. Attempt to ascertain when the SIM was ported to a new phone and gather the SIM card number and IMEI from the mobile provider. Save any bad actor SIM and mobile phone information to report to law enforcement. Again request an incident report be opened and get the reference number for it. This also means it is harder for the company to fob you off or ignore the incident.
  • Call your law enforcement: Report the incident to your national crime agency and/or your local police service.

 Conclusion

 Hopefully, this post has provided some useful information about sim-swapping attacks. Finally, about the request to banks and mobile service provider for an incident report number. In an ideal world, the staff in charge would open a new case anyway but requesting it and having the confirmation of the number while might seem excessive with the risk of potentially incurring financial loss it is better to be informed than have just verbal reassurances action is being taken. If they refuse  and they say it is not policy to give out incident report number request or demand (but do not get angry or raise your voice) that a manager gives you a letter on company headed paper that action is being taken to resolve the issue and it is signed. While it is an extreme step remember in order to stop the attacker action has to be taken quickly before they can do damage, therefore, requesting evidence that action is being taken helps reassure yourself the potential victim with the knowledge the bank or mobile service provider is taking action on your behalf to stop the sim-swapping attack from being a success.

Also, requesting case number is worthwhile in any situation, if they do not give you one themselves, when dealing with customer support regardless of the situation as it will save you time in the long run if you have a problem and making multiply calls to them as just handing over the case number means you shouldn't have to always state why you are calling them it should be there in there equivalent of an incident report/case.

Sources

 https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d
https://www.maketecheasier.com/sim-card-hijacking/
https://www.ncsc.gov.uk/guidance/protecting-sms-messages-used-in-critical-business-processes
https://www.fbi.gov/contact-us/field-offices/sanfrancisco/news/press-releases/fbi-san-francisco-warns-the-public-of-the-dangers-of-sim-swapping

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more