SIM swap scam

SIM swap fraud (also known as port-out scam or SIM splitting[1]) is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone.

How the fraud works

The fraud centres on exploiting a mobile phone operator's ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost their phone or had it stolen.

The scam begins with a fraudster gathering details about the victim, either by use of phishing emails, by purchasing them from organised criminals[2], or by directly socially engineering the victim[3].

Once the fraudster has obtained these details, they contact the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM, for example by impersonating the victim and claiming that they have lost their phone.

In some countries, notably India and Nigeria, the fraudster will have to convince the victim to approve the SIM swap by pressing 1[4][5][3].

Once this happens the victim's phone will lose connection to the network and the fraudster will receive all the SMS and voice calls intended for the victim.

This allows the fraudster to intercept any one-time passwords sent to the victim via SMS or telephone call, and thus to circumvent any security features of accounts (be they bank accounts, social media accounts, etc.) that rely on SMS or telephone calls.

How to protect yourself

  1. Sending one-time passwords via SMS or telephone call can be secured against SIM swap fraud if the company that sends them checks whether the recipient's phone has been SIM swapped immediately prior to sending the SMS or placing the call. If one of your accounts uses one-time passwords sent via SMS or voice call, contact the company and ask whether it makes appropriate checks before sending SMS or placing voice calls.
  2. Put a PIN or password on your mobile account. All major US carriers allow customers to protect their accounts using either a PIN or a password[6]. It is important to pick a password or PIN you haven't used before.
  3. Practice good digital hygiene[7][1]:
    1. Ensure that all your devices have adequate firewall/anti-virus protection.
    2. Only download programs, apps and information from known and trusted sources. Hackers will attempt to trick you into downloading their phishing software.
    3. Before entering your account details ensure the site is what it says it is. Scammers will create duplicate sites to steal your information.
    4. Keep personal information which may be used to answer security questions off social media (e.g. birth date, name of first pet, name of first school).
    5. Use strong passwords[8].
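
The sender-side check described in item 1, sketched as an added example (not code from the original article or from any carrier). The lookup function, the 72-hour window, the 5-minute clock-skew allowance and the sample numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumption: a carrier or aggregator lookup that returns the UTC time of the
# last SIM change for a number, or None when it cannot answer.
SwapLookup = Callable[[str], Optional[datetime]]

@dataclass(frozen=True)
class OtpDecision:
    send_sms: bool
    reason: str

def decide_sms_otp(number: str, lookup: SwapLookup, now: datetime,
                   window: timedelta = timedelta(hours=72),
                   skew: timedelta = timedelta(minutes=5)) -> OtpDecision:
    """Decide, at send time, whether an SMS/voice OTP may go to `number`."""
    try:
        last_change = lookup(number)  # queried for every send, never cached
    except Exception:
        last_change = None
    if last_change is None:
        # Fail closed: without an answer the SMS channel is untrusted.
        return OtpDecision(False, "lookup_unavailable")
    if last_change > now + skew:
        # Implausible record: treat as untrusted rather than as "old".
        return OtpDecision(False, "timestamp_in_future")
    if now - last_change < window:
        return OtpDecision(False, "recent_sim_change")
    return OtpDecision(True, "ok")

# Constructed sample data (not real numbers or carrier records).
NOW = datetime(2018, 8, 22, 12, 0, tzinfo=timezone.utc)
RECORDS = {
    "+15550100": NOW - timedelta(days=400),    # long-held SIM
    "+15550101": NOW - timedelta(minutes=20),  # SIM changed 20 minutes ago
    "+15550102": NOW + timedelta(days=1),      # corrupt or spoofed record
}

def sample_lookup(number: str) -> Optional[datetime]:
    if number not in RECORDS:
        raise LookupError("carrier did not answer")
    return RECORDS[number]

if __name__ == "__main__":
    for n in ["+15550100", "+15550101", "+15550102", "+15550199"]:
        print(n, decide_sms_otp(n, sample_lookup, NOW))
```

When `send_sms` is false, the caller would fall back to a factor that does not depend on the phone number, or hold the transaction for review.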

References

  1. admin (2014-05-09). "Alert – how you can be scammed by a method called SIM Splitting". Action Fraud. Retrieved 2018-08-22.
  2. Tims, Anna (2015-09-26). "'Sim swap' gives fraudsters access-all-areas via your mobile phone". The Guardian. Retrieved 2018-08-22.
  3. "Many Bengalureans lose cash to sim card swap fraud - Times of India". The Times of India. Retrieved 2018-08-22.
  4. "Experts Finger Insiders in Telcos for Rising SIM Swap Fraud – Nigerian CommunicationWeek". nigeriacommunicationsweek.com.ng. Retrieved 2018-08-22.
  5. "You will be requested to press 1 or authenticate this Swap | Gadgets Now". Gadget Now. Retrieved 2018-08-22.
  6. "How to Protect Yourself Against a SIM Swap Attack". WIRED. Retrieved 2018-08-22.
  7. "How to avoid SIM Swap Frauds - Quora". www.quora.com. Retrieved 2018-08-22.
  8. "Strong passwords | Cyber Aware". www.cyberaware.gov.uk. Retrieved 2018-08-22.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.