SIM Card Identity Theft

By Robert Townsend on October 12, 2018

Background-

What is SIM card identity theft? Basically, it is the theft of your mobile identity. This fairly new form of identity theft and fraud is appearing everywhere. The list of attacks to watch out for in the cyber-security world keeps growing, and this one deserves a spot near the top. The SIM swap is an exploit that hackers have been using to gain access to credit card accounts, bank accounts, and even crypto-currency accounts.

Examples of real-life implementations- 

“A high proportion of banking customers now have mobile phone numbers linked with their accounts, and so this attack is becoming common in some regions where this attack was not previously so common,” said Emma Mohan-Satta, a fraud consultant at Kaspersky Labs. “Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering.” (digitaltrends.com)

Recently, T-Mobile’s website contained a bug that allowed anyone to access a person’s account information. The subdomain promotool.t-mobile.com, which employees would use to quickly pull up customer account information, required only a phone number for access. There was no password protecting this website. The information exposed included full name, address, account number, and whether the account was past due or suspended (zdnet.com). T-Mobile has fixed this bug, but not before people were taken advantage of:

“This just happened to me over the weekend. I lost service late Saturday night and assumed it was an issue with my always buggy iPhone. Then on Sunday morning my husband got a text from T-Mobile saying that a line on our phone plan had been cancelled (mine) and I soon discovered that $1200 had wired out of my bank account to someone in [redacted] with my same last name” (motherboard.vice.com).

How it is implemented-

There are different ways of implementing this scam, but most often it starts the same way. First, information is collected through reconnaissance. A phishing email can be sent to steal the victim’s personal information, which will be used when contacting the mobile carrier. Next, the criminal calls the victim’s mobile carrier and convinces the carrier’s representative to switch the victim’s phone number over to the blank SIM card in hand. This is normally done by answering questions about the person: the last four digits of the victim’s social security number and/or zip code. Another option is for the criminal to go into one of the retail stores and pose as the victim.

With access to the phone number, the hacker can receive an OTP (one-time password) via SMS from, for example, a bank (using credentials obtained through phishing or a password reset) (www.iol.co.za). Some hackers would then create a second account at the same bank the victim uses and transfer money to themselves (digitaltrends.com). With access to the victim’s current phone number, the hacker is able to complete two-factor authentication checks easily. Another way of exploiting the phone number is to use it to recover passwords. Most of the time this is similar to a spear phishing attack: only people of high monetary value are targeted, because of the sophistication and reconnaissance the attack requires.

Some high-level hackers are capable of paying off phone carrier representatives to make transferring SIM card data easy. Flashpoint, a business risk assessment company, has found that some SIM hackers hire retail workers at certain carrier stores to gain access to mobile accounts and allow easy SIM swaps. Nixon from Flashpoint said, “Phone numbers were never intended to be a way to confirm someone’s identity. Phone companies were never in the business to sell identity documents. It was imposed on them.”

(Fig 1- Steps in SIM swap fraud. Source: www.basunivesh.com)

Ways to prevent a SIM hijack-

It can be tough to prevent SIM attacks, but there are certain steps you can take to help mitigate exploitation of your mobile identity.

  1. Contact your mobile carrier as soon as you notice a drop in service.
  2. Create a PIN on your account. Most carriers give you this option when you contact customer service. If you use AT&T, you can do this through the AT&T website under “wireless passcode” (wired.com). This adds another layer of security, though it may not help if it is an insider job.
  3. Switch your two-factor authentication from SMS text to an authentication app. An example would be Google Authenticator. Apps like this tie the second factor to the physical device and not the phone number. There are even physical devices, like a key fob, that plug into a USB port to verify identity. These options will protect you from insider jobs, since having your phone number would not help with the two-factor authentication method.

Resources-

https://www.wired.com/story/sim-swap-attack-defend-phone/

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/

https://www.basunivesh.com/2015/07/13/what-is-mobile-phone-sim-swap-fraud-and-how-to-protect-your-bank-account/

https://www.iol.co.za/personal-finance/my-money/banking/how-crooks-use-sim-swaps-to-rob-you-1507185

https://motherboard.vice.com/en_us/article/j5bpg7/sim-hijacking-t-mobile-stories

https://www.zdnet.com/article/tmobile-bug-let-anyone-see-any-customers-account-details/