What is a SIM Swap attack? [Why fast detection is important]
SIM swap is a type of fraud in which a fraudster takes over a user's account by fraudulently managing to get a user’s phone number transferred to the fraudster’s SIM card and ultimately, his smartphone. According to a Princeton University survey, about 80% of SIM swap fraud attempts are successful. Meanwhile, another survey in the UK shows that the number of SIM swap attacks reported skyrocketed by 400% between 2015 and 2020.
The figures make it clear that criminals are already well trained in how to SIM swap. Therefore, it is important that the authentication industry is also prepared for these threats by implementing new practices and more secure authentication methods.
What is a SIM card?
SIM cards are small cards stored within a smartphone that contains subscriber information and which are removable and transferable to other phones. When a user gets a new smartphone they will typically transfer the card to their new phone to transfer the mobile number and contacts information.
How SIM swap fraud works
A SIM swap attack combines social engineering tactics to allow a criminal to transfer a phone number from a SIM card, usually from the legitimate owner of a phone number, to the fraudster’s SIM Card. This represents the gateway to account takeover, allowing the attacker to change passwords, perform financial transactions, and post to the victim's social networks.
The first stage of a SIM swap fraud is information gathering. To do this, criminals rely on phishing attempts, smishing, or even a simple search on social networks to gather data such as the victim's full name and ID number.
With this information in hand, the fraudsters manage to impersonate the victim by contacting the mobile network operator to request that the SIM card be activated on another device. Criminals may claim that the previous SIM card was lost, stolen, or damaged in order to convince the operator that it is a legitimate request from a mobile company customer.
Once the SIM card is activated on the fraudster's device, they are able to take advantage of multi-factor authentication methods to take over the user’s accounts. By using the password reset function, fraudsters are able to get one-time passwords delivered via OTP over SMS sent to the fraudster’s mobile device. It is important to note that SIM Swapping turns one-time passwords (OTP) over SMS into a particularly fragile, not to say a dangerous type of multi-factor authentication method since it is used as the main vector for the attacker to take over the account.
5 ways to detect and prevent SIM swap attacks
There are some signs that can help the victim in detecting a SIM swap even before the perpetrator contacts the mobile operator. Considering how the attack is executed, it is important to keep an eye out for the following activities:
1. Suspicious email or text messages
Messages or calls asking for personal information or including a link may be an attempt at phishing the fraudster to collect the potential victim's data before launching the SIM swap attack.2. Constant calls and text messages
To prevent the victim from realizing that they have been targeted with a SIM swap attack, many criminals use the tactic of disturbing the person as much as possible with calls and messages to get them to turn off their device.3. Inability to make calls or send messages
One of the first signs that a successful SIM swap attack has been carried out is when the SIM card no longer works in the victim's device. Therefore, the victim is no longer able to make calls or send messages.4. Notifications of suspicious activity
In some cases, the victim may receive an email notification from the mobile operator itself confirming the SIM card activation process on another device. Alternatively, a company may also send an alert if it identifies unusual activity on the customer's account.5. Denied access to accounts and applications
If a user is unexpectedly logged out of their accounts, there is a good chance their phone number is being used by a different SIM card. It may be too late, but if the user acts fast, the damage could be lower.
Companies can also adopt techniques to prevent accounts from being taken over by fraudsters that have just performed a SIM swap attack. The first, most important step would be to stop using OTP over SMS as a form of authentication and adopt behavior as an authentication method. OTP over SMS sends passwords to the user’s phone number. In the case of a SIM swap attack, the passwords are being sent to the fraudster’s phone number. It is also possible to create scores that analyze the risk of an activity being fraudulent. This is done by analyzing factors such as location patterns and other behavioral elements that help determine risk scores.
How to prevent SIM swaps and what to do after being a victim of a SIM Swap attack
To prevent criminals from having the resources necessary to initiate a SIM swap, the first preventive measure is to limit access to information. This means that victims should be on the lookout for phishing attempts and be cautious when posting on social media.
The Federal Trade Commission (FTC) also advises users to set a PIN or password on the SIM card to prevent changes from being made without the consent of the phone number holder. For businesses with accounts that contain highly sensitive information, such as any financial service account, it is highly recommended to opt for multiple and stronger forms of authentication that do not rely on a verification passcode sent via SMS.
The best way to protect customers against these attacks is to adopt strategies that do not require an authentication associated with the actual phone number. OTP over SMS is particularly vulnerable, given that one-time passwords are now sent to the fraudster's phone versus the legitimate user. In these cases, behavioral pattern-based approaches, for example, offer a much higher degree of security.
If the victim realizes that he or she has been the target of a SIM swap attack, the first step is to contact the mobile operator immediately to regain access to the phone number and thus change the passwords for all accounts. It will also be necessary to check with other companies and financial institutions whether any unauthorized activity has been performed by a potential third party so that these actions can be blocked or reversed.