Introduction
Since the advent of mobile telephony and later the uptake of smartphones, the SIM card has taken a leading role in mobile users' lives and activities. It has become the de facto identity that lets a mobile user access the various services which attach a user identity to a particular SIM. This is obviously very attractive to threat actors interested in accessing users' financial details such as Bitcoin accounts and banking information, and even general social media account information that can be weaponized to commit other crimes. This has led to the SIM swapping crime, which involves a criminal stealing one's mobile identity. It is also called SIM splitting, SIM jacking, SIM hijacking or port-out scamming according to Symantec [1]. It normally happens when an attacker convinces a mobile service provider to transfer your mobile identity to a number they control. By holding your identity they have access to all other accounts controlled by that number, including the ability to change passwords using token-based multi-factor authentication, which has become an industry standard in the protection of digital privacy. A SIM swap allows the attacker to access all social media accounts that use the SIM card as their base identity token, and it can be used to commit further crimes such as defrauding your contacts, who may assume they are dealing with you and that you are in need. Another reason identities are exchanged on SIMs is to resell numbers to other users when a number is inactive.
Recent major crimes involving SIM card swaps include the theft of over 23.8 million USD from a cryptocurrency investor who is now suing the telecoms company AT&T for his loss [2]. He sued in a US district court in Los Angeles on 16 charges ranging from negligence, invasion of privacy, unauthorised disclosure of confidential customer records and violation of a consent decree to failure to supervise its employees and investigate their criminal backgrounds. The reported crime occurred after an employee of the provider accessed the client's account and transferred it to an international cyber-crime gang, which led to the loss. This was after the company had promised the client impeccable security, resistant to any potential crimes including SIM swapping.
Last year, the accounts of the Twitter CEO Jack Dorsey were compromised after a SIM card attached to his account was compromised at the ISP and used to access his social media account and post a series of offensive tweets. Luckily the tweets themselves alerted the account's followers to an anomaly, and it took almost 30 minutes to recover the account [3]. A crime group known as 'Chuck Squad' later admitted to being behind this crime. The methods used to acquire this kind of information include password re-use, social engineering of customer service representatives at telcos, access to online data that may include phone numbers, and databases of personally identifiable information (PII) sold on the darknet.
Unfortunately the technology and process of SIM card swapping is largely outside the mobile user's control, beyond what they post on social media platforms. This effectively takes the safety process out of the mobile phone user's hands, according to Flashpoint, a security research firm [4]. Flashpoint continues that this crime is especially rampant against high-net-worth individuals and public figures with massive followings on social media, whose accounts may also include online wallets like PayPal and Bitcoin.
However, with the emergence of mobile money across the world, and especially the Kenyan-based MPESA, this crime has moved down the chain to target small-scale users in large numbers. So prevalent is this crime that the Communications Authority of Kenya had to put out a press release warning members of the public about it, which also provided guidance on what to do if one falls victim [5].
The risks involved
The most prominent motive for this crime is financial fraud through impersonation or identity fraud, which enables the threat actor to access the mobile user's financial details through mobile banking accounts attached to the swapped SIM, online accounts like PayPal and other digital banks, and SIM-based banking applications like MPESA. Other risks include reputational loss through access to the social media accounts attached to the compromised SIM card, as evidenced by the jacking of the Twitter CEO's account and the posting of profane content. If a business SIM card is compromised, the reputational damage could be disastrous, especially if the attackers can use the information attached to the SIM card to further access proprietary information like intellectual property or business secrets. For corporates, there is a significant risk of legal suits arising from users' compromised SIM cards, which may lead to fines from regulatory organizations. A subscriber sued Kenya's Safaricom after he lost over Kshs 300,000 to a SIM swap fraud [6].
How it's done
SIM swapping involves porting all the contents of one GSM card to another. This is normally done at the mobile service provider level to allow a particular number access to the mobile network. Criminals therefore have to find a way to convince the service provider that a legitimate user needs to change their number, which could be due to loss of a mobile phone, expiry of a number (say, due to travel overseas) or simply a need to transfer details to another number. To do this, one usually has to provide some sort of identification or answer some personal questions to confirm identity. These are very easy to obtain through social engineering, or through outright compromise of the communications service provider's assistants to provide access to all the necessary information [7]. Once this is done, the threat actor has access to all online accounts attached to that number, and any individual effort to recover them is further complicated because most accounts are secured through two-factor authentication that sends a token to a mobile number which is now under the attacker's control.
Indicators of compromise
Normally, this process is carried out when the real owner of the mobile identity is least likely to detect it. This can be at night, when the owner is travelling abroad and so there is no major activity on the line, or when a mobile phone has been lost and is yet to be reported or recovered. It is therefore important to always have some access to your mobile number so that you can notice the other indicators of compromise. These include: inability to make calls; no mobile phone reception at locations that normally have reception; unexpected calls, texts or emails referring to account password changes; inability to access your online accounts using your credentials; or unexpected transactions in your mobile money wallets or accounts. Other indicators could be updates on your social media accounts that were not made by the account holder.
How to secure yourself
Unfortunately this crime very much favours the criminals, and the mobile user can do little to protect themselves since it is effected at the service provider level. However, as with all criminal activity, the victim can always make it harder for the criminal to succeed by observing several cyber security hygiene practices. These include the following:
Do not post or share personally identifiable information online. It normally gives criminals an easy way to understand the victim and even obtain information that may be used to recover other attached accounts, for example if you use your mother's maiden name as a secret word in your email account recovery process. If possible, use alias names on social media to protect your true identity. Do not provide your ID number or mobile phone number to enter a building. Always use complex passwords and do not allow auto-login to your digital accounts, as that would make it easy for malware to steal them from your phone and weaponize them for future attacks.
Whenever possible, use multi-factor authentication to access your digital accounts. As already demonstrated, this is not foolproof when your mobile identity is already compromised. To strengthen it you can add authenticator tokens through services like Google Authenticator or Authy, or use a hardware-based token to access your digital accounts. This ensures that only you, holding the physical token, can access your digital services, which protects you from account compromise arising from a compromised SIM card. Embedded SIM cards can also help eliminate the process of fraudulent SIM card replacement [8].
Always update all applications and services that handle your personal data, especially financial data. Most major applications publish updates to fix identified bugs, which are often disclosed publicly, so threat actors have the information and can easily compromise unpatched applications. This does not protect you from SIM swap fraud itself, but it prevents insecure applications from opening a backdoor into your mobile phone that can be used to collect more data to enable a future SIM swap.
Another control is to divert all operations of an inactive phone number to an accessible line, so that you continue to receive messages and can detect fraudulent indicators such as a message to confirm SIM porting to another line. Enable PIN protection for number port-outs and account management. For Verizon accounts this can be done as described in [9]; on T-Mobile, dial 611 from your mobile phone and add Port Validation to your account, which lets you add a PIN to secure it. On Sprint, sign into your account, click on My Sprint, then go to Profile and security, scroll to Security information, and update your PIN there [9].
Technology Companies / Service providers
Whereas this particular crime is carried out at the service provider level, either through fraudulent requests to replace a SIM card or through compromise of the support staff, major telecoms companies such as Safaricom have tried to deploy technologies that could help protect the user by alerting them to fraudulent attempts to port their SIM cards [10]. These are still easily bypassed by deploying an ATP to detect that confirmation message and automate a favourable response so that the fraudulent SIM swap continues. A more viable option may be an AI-based fraud detection system that automatically detects anomalies in SIM card replacement attempts and actively engages the mobile identity holder, beyond reasonable doubt, before swapping the identity. This would eliminate or minimise the role played by human customer support, who are the weakest link in this crime.
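The anomaly-based screening suggested above, as an added example (not code from the article, Safaricom or any other operator): a rule-based scorer that holds a SIM replacement request for a subscriber call-back when the indicators the article lists line up (night-time request, a silent line, one agent pushing many swaps, staged password resets, failed identity questions). The event schema, weights, look-back windows and HOLD_THRESHOLD are assumptions, and the sample events are constructed.

```python
"""Rule-based scoring of SIM replacement requests (added example; not operator code).
Event schema, weights and HOLD_THRESHOLD are assumptions; the rules mirror the
article's indicators: night-time requests, inactive lines, busy agents, resets."""
from datetime import datetime, timedelta

HOLD_THRESHOLD = 4  # assumed: score >= this holds the swap for a subscriber call-back

def score_request(request: dict, history: list) -> tuple:
    """Score one sim_replace_request against earlier events; returns (score, reasons)."""
    t = datetime.fromisoformat(request["ts"])
    msisdn, agent = request["msisdn"], request["agent_id"]
    score, reasons = 0, []

    def within(e, hours):  # e occurred in the look-back window before the request
        return timedelta(0) <= t - datetime.fromisoformat(e["ts"]) <= timedelta(hours=hours)

    if t.hour < 6 or t.hour >= 22:  # owner least likely to notice at night
        score += 1; reasons.append("night-time request")
    if not any(e["msisdn"] == msisdn and e["type"] == "line_activity" and within(e, 72)
               for e in history):  # silent line: lost phone or subscriber abroad
        score += 1; reasons.append("no line activity in 72h")
    swaps = sum(1 for e in history if e["type"] == "sim_replace_done"
                and e["agent_id"] == agent and within(e, 24))
    if swaps >= 3:  # one support agent pushing many swaps: insider indicator
        score += 2; reasons.append(f"agent {agent} completed {swaps} swaps in 24h")
    if any(e["msisdn"] == msisdn and e["type"] == "password_reset_attempt" and within(e, 24)
           for e in history):  # takeover of attached accounts already being staged
        score += 2; reasons.append("recent password reset attempts on linked accounts")
    if request.get("id_checks_failed", 0) > 0:  # wrong answers to identity questions
        score += 2; reasons.append("failed identity questions")
    return score, reasons

def decide(request: dict, history: list) -> str:
    """Return 'hold_for_step_up' (call the subscriber back) or 'allow'."""
    score, _ = score_request(request, history)
    return "hold_for_step_up" if score >= HOLD_THRESHOLD else "allow"

# Constructed sample events; subscriber numbers and agent ids are hypothetical.
HISTORY = [
    {"ts": "2021-06-03T09:00:00", "type": "line_activity", "msisdn": "+254700000001", "agent_id": None},
    {"ts": "2021-06-06T22:40:00", "type": "sim_replace_done", "msisdn": "+254700000002", "agent_id": "A17"},
    {"ts": "2021-06-06T23:05:00", "type": "sim_replace_done", "msisdn": "+254700000003", "agent_id": "A17"},
    {"ts": "2021-06-07T00:30:00", "type": "sim_replace_done", "msisdn": "+254700000004", "agent_id": "A17"},
    {"ts": "2021-06-07T10:00:00", "type": "line_activity", "msisdn": "+254700000009", "agent_id": None},
]
SUSPICIOUS = {"ts": "2021-06-07T01:12:00", "msisdn": "+254700000001", "agent_id": "A17"}
ROUTINE = {"ts": "2021-06-07T11:00:00", "msisdn": "+254700000009", "agent_id": "B02"}
```

Calling `decide(SUSPICIOUS, HISTORY)` returns `hold_for_step_up` (night-time, silent line, agent A17 on his fourth swap of the night), while `decide(ROUTINE, HISTORY)` returns `allow`; the reasons list is what an analyst or the call-back script would be shown.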
Regulatory Authorities
Regulatory authorities must increase their oversight of telecommunications service providers to ensure they exercise their duty of care to their mobile subscribers and reduce the risks of SIM card swapping. Through data privacy regulations and related regulations like the GDPR in Europe and the DPA 2018 in Kenya, service providers must be compelled to provide their subscribers with information on any attempt to access their private data, and a report on the control measures taken to prevent a recurrence. "Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request," Flashpoint research states.
References
1. Norton. Mobile SIM card swap fraud. https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html. Accessed on 07/06/2021.
2. Globe Newswire. Cryptocurrency Entrepreneur and Investor Michael Terpin Sues "Too Big to Care" AT&T for Permitting $23.8 Million Theft in SIM Swap Scam by Authorized Agent. http://www.globenewswire.com/news-release/2018/08/15/1552594/0/en/Cryptocurrency-Entrepreneur-and-Investor-Michael-Terpin-Sues-Too-Big-to-Care-AT-T-for-Permitting-23-8-Million-Theft-in-SIM-Swap-Scam-by-Authorized-Agent.html. Accessed on 07/06/2021.
3. BBC. Mobile SIM swaps technology. https://www.bbc.com/news/technology-49532244. Accessed on 07/06/2021.
4. Flashpoint Research. SIM swap fraud account takeover. https://www.flashpoint-intel.com/blog/sim-swap-fraud-account-takeover/. Accessed on 07/06/2021.
5. Directorate of Criminal Investigations, Kenya. https://twitter.com/DCI_Kenya/status/1020223897898274816?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1020238947211988992%7Ctwgr%5E%7Ctwcon%5Es2_&ref_url=https%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-africa-44899854. Accessed on 07/06/2021.
6. Business Daily Africa. Doctor sues Safaricom over Sh300,000 SIM card fraud. https://www.businessdailyafrica.com/bd/news/doctor-sues-safaricom-over-sh300-000-sim-card-fraud-2294944. Accessed on 07/06/2021.
7. Krebs on Security. T-Mobile employee made unauthorized SIM swap to steal Instagram account. https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/. Accessed on 07/06/2021.
8. Huawei Support. https://consumer.huawei.com/ke/support/content/en-us00880294/. Accessed on 07/06/2021.
9. Verizon Wireless. https://login.verizonwireless.com/vzauth/UI/Login?realm=vzw&goto=https%3A%2F%2Fmyvpostpay.verizonwireless.com%3A443%2Fvzw%2F. Accessed on 07/06/2021.
10. The Kenyan Wall Street. Safaricom tackles fraud in latest M-PESA update. https://kenyanwallstreet.com/safaricom-tackles-fraud-in-latest-mpesa-update/. Accessed on 07/06/2021.