Yesterday (February 9, 2022) the FBI issued a warning to inform the American public and mobile carriers about the increasing threat of SIM (Subscriber Identity Module) swapping. In 2020, criminals stole more than $100M according to Tru.ID, and the FBI reports that in 2021 IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million. Meanwhile, SIM swap fraud reports have increased by 400% in the past five years according to Which? The Federal Communications Commission has also recently announced that it plans to begin a formal rulemaking process to stop SIM-swapping attacks, citing the growing danger and complaints from victims themselves. This attack vector is here and it’s on the rise.
What is SIM swapping?
A SIM swapping attack consists of moving control of someone’s phone account from their SIM card to one controlled by a criminal. Criminals operate by obtaining a victim’s PII (bank information, address, etc.) via social networks or from data stolen in a breach, then contacting the victim’s mobile phone provider, pretending to be the victim, requesting a SIM swap and changing personal settings. Sometimes the criminal even works with an insider to assign the victim’s mobile number to another SIM card. Another tactic is to request a porting authorization code (PAC) to port the victim’s mobile number to a different network. Once the criminal controls the victim’s number, they can intercept bank authorizations sent via SMS and any other codes for which a mobile number is required. SIM swapping is an urgent problem for the simple reason that nobody is safe. Financial gain is naturally the biggest motivation for SIM swapping, so criminals target victims with savings or investments.
How can a SIM swap be prevented?
SIM swapping can be mitigated in two ways, physical and technical. The FBI has listed the physical steps that both individuals and mobile carriers can take to prevent these types of attacks. Nothing new here: these best practices have been shared to prevent other types of attacks as well.
- Avoid posting personal information online.
- Don’t advertise your investments on social sites and forums.
- Make sure you have good password hygiene and implement MFA whenever possible.
- Be aware of any changes in SMS activity.
- Educate employees about SIM swapping and be diligent in spotting phishing attacks.
- Implement strict protocols when verifying customer credentials and authenticate calls from third parties requesting customer information.
Up until recently, there was little that could be done from a technical perspective. However, 1Kosmos has released SIM Binding capabilities that will aid in the prevention of SIM swapping attacks. This new feature, available in the BlockID app, allows customers to link their account only to a phone number registered with an institution or employer. During registration in the BlockID app, the user is challenged to verify their phone number. The BlockID platform uses a combination of SIM detection and SMS verification to validate the user’s mobile number against the number registered with their service provider. If validated, the account, user, and device are linked. Mobile devices have become a popular and effective authentication mechanism for online banking and many other access applications, but they are vulnerable to account takeover if an attacker changes the phone number of record. SIM Binding from 1Kosmos BlockID now prevents criminals from transferring a user’s authorized phone number to another device in order to access their accounts.
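As an added illustration of the binding flow just described (example code written for this post, not 1Kosmos code and not how BlockID is implemented), the Python sketch below matches the claimed number against the number of record, confirms it with an SMS one-time code, and fingerprints the SIM present at enrollment so that a later login from a changed SIM is flagged for re-verification. The SIM identifier (an ICCID), the HMAC key, the in-memory stores and the 300-second code lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window for the SMS code


class SimBindingService:
    """Hypothetical SIM-binding service (constructed for illustration, not BlockID).
    registered_numbers: account -> phone number of record held by the institution."""

    def __init__(self, registered_numbers: dict, key: bytes):
        self.registered = dict(registered_numbers)
        self.key = key      # server-side secret used to fingerprint SIM identifiers
        self.pending = {}   # account -> (phone, sim_fp, otp, expires_at)
        self.bindings = {}  # account -> (phone, sim_fp); raw ICCIDs are never stored

    def _fingerprint(self, iccid: str) -> str:
        return hmac.new(self.key, iccid.encode(), hashlib.sha256).hexdigest()

    def start_enrollment(self, account, claimed_phone, device_iccid, now=None):
        # Step 1: the number the user claims must match the number on file.
        if self.registered.get(account) != claimed_phone:
            return None
        # Step 2: issue a one-time code (returned only so the demo can stand in for SMS delivery).
        otp = f"{secrets.randbelow(10**6):06d}"
        expires_at = (now or time.time()) + OTP_TTL_SECONDS
        self.pending[account] = (claimed_phone, self._fingerprint(device_iccid), otp, expires_at)
        return otp

    def complete_enrollment(self, account, otp_entered, now=None) -> bool:
        # Step 3: one attempt per issued code; success links account, number and SIM.
        entry = self.pending.pop(account, None)
        if entry is None:
            return False
        phone, sim_fp, otp, expires_at = entry
        if (now or time.time()) > expires_at or not hmac.compare_digest(otp, otp_entered):
            return False
        self.bindings[account] = (phone, sim_fp)
        return True

    def check_device(self, account, device_iccid) -> str:
        # At each login: "ok" if the SIM matches the bound one; "sim_changed" if the
        # number now lives on a different SIM, which must be re-verified out of band.
        binding = self.bindings.get(account)
        if binding is None:
            return "unbound"
        if hmac.compare_digest(binding[1], self._fingerprint(device_iccid)):
            return "ok"
        return "sim_changed"
```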
Physical prevention on its own is not enough: these measures are sound in theory, but more is needed. Frankly, people make mistakes. By combining the two methods, physical and technical, SIM swapping becomes a more difficult attack method and may stop attackers in their tracks.
Want to learn more about 1Kosmos SIM Binding? Check out this SIM Binding DataSheet.