1st September 2020
SIM Swap Fraud; and why it is a big risk to mariners! (7)
Let me share with you how I develop these posts. To start with—I am no expert on SIM Fraud. I am quite familiar with many other cybersecurity risks, but I knew very little about this one.
So, I research to learn about the topic, and bring together information from several sources that I hope will be useful to you. In this case it was also quite useful to me. As I read about this growing menace, I found that I had left gaping holes in my own security.
While writing the article, I made changes to settings in my personal email, my WhatsApp account, and on my phone. I found that I was exposed to some serious risks, including that my SIM could get swapped, without my making any mistakes, and would not even know it. My bet is some of you are at risk too. The risk is even higher for mariners because of the amount of time spent outside mobile phone coverage. So, let’s dig into what this SIM Swap Fraud issue is, and how we can protect ourselves.
What is the Problem?
If you use your cell phone to check email, pay bills, or post to social media, you’re not alone. Imagine that your cell phone suddenly stops working: no data, no text messages, no phone calls. You might then get an unexpected notification from your cellular provider that your SIM card has been activated on a new device. What’s going on? These are signs that a scammer has pulled a SIM card swap to hijack your cell phone number.
Scammers are constantly searching for new victims, all they need is a little personal information and they will use targeted phishing emails or SMS messages on topics you care about to obtain the information they need to get your SIM. Once they have it, they will take control of your phone number and then access your online accounts.
In January, a published study revealed how incredibly easy it is to do, potentially leading to thousands of dollars in fraud. That is your money on the line. The practice of SIM swapping is becoming increasingly common, and despite carriers putting safeguards in place, researchers were able to demonstrate taking over your phone number quickly and with ease.
The SIM card inside your phone is a small plastic chip that tells your device which cellular network to connect to, and which phone number to use. We rarely ever think about SIM cards, except maybe when we get a new phone.
SIM swapping occurs when someone contacts your wireless carrier and can convince the call center employee that they are, in fact, you, using your personal data.
Once your phone number is assigned to a new card, all your incoming calls and text messages will be routed to whatever phone the new SIM card is in.
At first glance, it seems somewhat harmless. But when you consider that most of us have our phone numbers linked to our bank, email and social media accounts, you quickly begin to see how easy it would be for someone with access to your phone number to take over your entire online presence.
Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.
If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication (2FA) systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.
How do the scammers work?
So how do scammers pull off a SIM card swap like this? They may call your cell phone service provider and say your phone was lost or damaged. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone — a phone they own. If your provider believes the bogus story and activates the new SIM card, the scammer — not you — will get all your text messages, calls, and data on the new phone.
The scammer — who now has control of your number — could open new cellular accounts in your name or buy new phones using your information.
Or they could log in to your accounts that use text messages as a form of multi-factor authentication. How? Because they’ll get a text message with the verification code they need to log in.
Multi-factor authentication (MFA) can go beyond 2FA, providing extra account protection by requiring two or more credentials to log in. Besides your password, you’ll need a second credential to verify your identity. That could be something you have — like a passcode you get via text message, a security key, or an authentication app. Or something you are — like a scan of your fingerprint, your retina, or your face.
Even cyber-aware people get SIM Swapped!
Here is a true case where a security expert who writes for a major publication, fell victim to a SIM swap scam last year, and he’s still experiencing the repercussions of the fallout. Whoever took over his phone number gained access to his Gmail account, and promptly changed his password, then erased every email, deleted every file in his Google Drive account, and eventually deleted his Gmail account altogether.
This unlucky fellow later discovered he was targeted because he had a Coinbase account and his bank account was linked to it. His phone received his Coinbase account’s two-factor authentication codes, so the hackers were able to log into his cryptocurrency trading account and buy $25,000 worth of Bitcoin. He had to call his bank and report the transaction as fraud. That’s on top of the immense vulnerability he felt.
Sometime the cybercriminals are very well-organized, going after the carriers first
We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS message to the victim’s number as bait so that they call back.
Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch from a small city, to give them access to the carrier’s system.
Another case of organized cybercriminals comes from Brazil and involves WhatsApp.
WhatsApp is the most popular instant messenger in many countries. When the app is used by Brazilian fraudsters to steal money, the attack is known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency, and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.
Brazilian TV has reported on several such cases, with one family losing US$3,000. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using WhatsApp accounts hijacked in a SIM swap. It’s like a BEC (Business E-mail Compromise) but using your WhatsApp account.
Extortion attacks via WhatsApp start with a SIM swap
How to Protect Ourselves?
Here are ten tips on what you can do to protect yourself from a SIM card swap attack:
- Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit, or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
- Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
- Set your phone to lock when you’re not using it and create a PIN or passcode to unlock it. Use at least a 6-digit passcode. You may also be able to unlock your phone with your fingerprint, your retina, or your face. Also set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
- Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. Use an authentication app like Google Authenticator, which gives you two-factor authentication but ties to your physical device rather than your phone number.
- Update Your Software – Enable auto updates for your operating system. These updates often include critical patches and protections against security threats. Make sure your apps also auto-update.
- Back up Your Data – Back up the data on your phone regularly. That way, if you lose your phone, you’ll still have access to your personal information.
- Get Help Finding a Lost Phone – Mobile operating systems have programs that help you find your phone if you lose it. They also let you lock or erase all the data on your phone in case you think someone stole it.
- IDs: Don’t build your security and identity authentication solely around your phone number. This includes text messaging (SMS), which is not encrypted.
- Activate the MFA in WhatsApp – To avoid WhatsApp hijacking, it’s of paramount importance to activate Two-Step Verification using a six-digit PIN on your device. You will find this in WhatsApp under Settings – Account. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.
- Request your number be unlisted from TrueCaller and similar apps – TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.
How to Detect if your SIM has been Swapped?
It can be challenging to stay ahead of SIM swap scams. It’s important to recognize warning signs, so you can shut down the fraudsters’ access as quickly as possible.
Here are three signals you may be a victim of SIM swapping.
- You’re unable to place calls or texts. The first big sign that you could be a victim of SIM swapping is when your phone calls and text messages aren’t going through. This may mean fraudsters have deactivated your SIM and are using your phone number.
- You’re notified of activity elsewhere. You’ll know you’re a victim if your phone provider notifies you that your SIM card or phone number has been activated on another device.
- You’re unable to access accounts. If your login credentials no longer work for accounts like your bank and credit card accounts, you likely have been taken over. Contact your bank and other organizations immediately.
In case you experience any of these symptoms, contact your carrier right away, and be sure to be able to authenticate who you are, because someone else may have called them shortly before claiming to be you!
As with so many problems, the mariner is at additional risk due to the amount of time we are disconnected from our phones. The added problem in this case is that the SIM Swap Fraud may go unnoticed until you get into the next port and find it hard to get a connection working. All the more reason to take every precaution listed above, and by doing this you can minimize the impact when the SIM Fraud criminals come calling.
Mike McNally, Global Commercial Director