SIM swapping: The danger inside your phone

03/15/2021
G DATA Blog

SIM swapping targets people from all walks of life. A taxi driver is technically no less vulnerable to this attack than a business owner. In this article we cover how it works, offer prevention measures and give tips on what to do if you're being SIM swapped right now.

What is SIM swapping?

SIM swapping is also known as SIM hijacking and SIM splitting. It is a method by which malicious actors take over a variety of accounts by tricking mobile carriers. The actor first uses social engineering to gather information about the victim.

Here is how it works: once the fraudster has collected enough information, they contact the victim's mobile carrier. During the conversation the fraudster typically poses as the victim and asks to port the victim's phone number to a SIM card under the fraudster's control, giving a plausible reason such as having lost the phone. The security questions asked by the carrier's employee are answered with the previously gathered information about the victim.

In the final step, the crook needs to get hold of the new SIM card sent out by the mobile carrier. This is done either through further social engineering to change the victim's postal address, or by being physically present at the victim's address to intercept the delivery. Note that this step is not always required: a carrier may instead activate a SIM card the attacker already holds, or provision an eSIM profile, in which case nothing is mailed at all.

Once the procedure is complete, the attacker receives the victim's calls and text messages, including any one-time codes sent by SMS. The victim's own phone loses service on that number.

Note: The ability to port a telephone number to a different SIM is a convenient feature when a customer has lost their device or simply wants to move the service to a new phone. The feature is not fraudulent per se!

Am I being SIM swapped?

Do you suspect that you are the victim of a SIM swap attack? Then you should act quickly by contacting your mobile carrier and resolving the issue together. This isn't always easy to spot, as we are all busy with our daily lives.

Here are three signs that may indicate you are being SIM swapped:

  1. Calls and texts don't work: You don't receive the planned call from your relative that night. Furthermore, you don't receive the "Sorry, I'm late" message and can't reach the relative yourself either. Your phone may also show no network service while other phones nearby have coverage. This is a huge warning sign.
  2. Unusual activity: You get email notifications about logins from new devices from services like Google and Facebook. Prevent further damage first (call your mobile carrier)!
  3. Lost account access: You can no longer log in to a service like Facebook? This is the final warning sign, but better late than never.

Cases of SIM swapping attacks

Twitter's CEO Jack Dorsey: The actor successfully took over the Twitter account of Jack Dorsey. After the takeover, offensive messages about Nazi Germany appeared on the account. The actor had approximately 20 minutes of control over the account and was able to see private messages as well, i.e. everything the real owner normally has access to. - source.

5000 victims: A SIM swap scam targeted over 5000 victims in Brazil. The scam affected ordinary citizens, politicians and even governors. Online banking customers reported losses of up to $50,000 from their bank accounts. - source.

$24,000,000 lost: In the case of Michael Terpin, the actor took over crypto wallets with the help of a SIM swap attack via the service provider AT&T. In the ensuing lawsuit, AT&T argued that there is no clear connection between his subscription and the theft. At the time of writing, the case is still open. - source.

Case study: When targeting crypto asset owners, SIM swapping can be very lucrative. A blog post by Chainalysis traces the flow of funds after a SIM swap fraud. Part of the funds ended up on regulated exchanges. This means that those exchanges hold identity information about the customers who received the funds, which is very valuable evidence in a lawsuit.

8 men arrested: This story is more recent, dating from 11 February 2021. Criminals hijacked the social media accounts of well-known people. Their intention was to steal money, cryptocurrency and address books. - source.

What can I do in case I was SIM swapped?

The most important thing is to act fast. If you have reason to believe that you have been SIM swapped, speed is of the essence. Because your phone number often effectively doubles as a password (for SMS codes and password resets), every account linked to it needs to be locked down so that the number can no longer be used to get in. Here are a number of things you should do immediately:

  • From a trusted device, log on to all the accounts that are in any way linked to your phone number. Locate and use the "log out of all active sessions" option where it is available.
  • Change the passwords of those accounts immediately.
  • Remove the phone number from each account, especially if you use it for two-factor authentication via text message or as a recovery option.
  • If you use any mobile banking, contact your bank and ask them to deactivate online or mobile banking for your account. Make sure you explicitly state that your SIM card may have been compromised. Failing that, a last resort might be to deliberately perform multiple failed logins on your online banking platform. This usually locks access to the account until you contact your bank; at the very least you will get a temporary lockout.
  • Contact your mobile carrier. It is usually best to walk into a brick-and-mortar store to settle this. Make sure to bring a valid photo ID and, if possible, a copy of your latest monthly invoice.

How to prevent a SIM swap attack?

SIM swap attacks become much harder if you limit the information you share online. If your full name, telephone number and address are not public, fraudsters have a hard time answering the security questions your carrier asks. Ask your carrier whether it offers an account PIN, a port-out lock or a similar "number lock" and enable it; where available, it requires a secret that cannot be found online before a number is moved. Another useful tip: you do not necessarily need to give "real" answers to your security questions. For instance, you could enter your favourite holiday destination instead of your city of birth. Sure, using the real information makes it easier to remember, but with the huge wealth of data to be found online these days, it is often not hard to find a pet's name, your mother's maiden name or your place of birth. The downside is that you have to keep track of which answer you gave where. Conveniently enough, a password manager can do that for you; some even have a dedicated "secure notes" function for exactly this sort of thing. Using a password manager is a good idea in general.

We advise against using phone calls or SMS for two-factor authentication. Sure, it is better than nothing, but as this article shows, both text messages and calls can be redirected to an attacker simply by moving your number to another SIM. The gold standard is an authenticator app or a hardware-based authentication device (a security key). With those, the secret that generates the code lives on your own device, so no third party such as your carrier sits in the delivery path.
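To make the difference concrete, here is an added example (not code from the G DATA post) of how an authenticator app and a server agree on a code without anything travelling over the phone network: a minimal RFC 6238 TOTP implementation in Python. The function names and the otpauth URI helper are my own; the RFC 4226/6238 test secret `12345678901234567890` mentioned in the comments is the public one from those RFCs, and the accounts and issuer names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> bytes:
    """Random shared secret, created once when 2FA is enrolled.

    It is shown to the user as a QR code / base32 string and then stored only
    in the authenticator app and on the server. The carrier never sees it, so
    moving the phone number to another SIM does not move the secret.
    """
    return secrets.token_bytes(nbytes)


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps expect the secret base32-encoded (otpauth:// format)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that an authenticator app imports by scanning a QR code.
    (Assumed/hypothetical account and issuer names are supplied by the caller.)"""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_to_base32(secret)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to 31 bits, reduced mod 10**digits.
    With the RFC test secret b"12345678901234567890", counter 0 gives "755224"."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second
    steps since the Unix epoch, so app and server derive the same code from
    the shared secret and a roughly synchronised clock. Nothing is transmitted."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6,
                last_used: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter, or None.

    - window: accept +/- this many steps to tolerate clock drift.
    - last_used: highest counter already accepted for this user; that code and
      older ones are rejected, so a code that was observed once cannot be replayed.
    - compare_digest keeps the comparison constant-time.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    code = code.strip().replace(" ", "")
    for candidate in range(counter - window, counter + window + 1):
        if last_used is not None and candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Enrolment: the server creates the secret and hands it to the user's app once.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleBank"))
    # Login: app and server each compute the code locally from the secret.
    code = totp(secret)
    print("code now:", code, "accepted at counter", verify_totp(secret, code))
```

The point to take from this: the only things a login needs are the secret on your device and the time. A SIM swap gives the attacker your number, but never the secret, which is why an authenticator app or security key survives the attack described in this article while SMS codes do not. The server should persist the counter returned by `verify_totp` as `last_used` for that user so the same code cannot be submitted twice within the drift window.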

Be aware of phishing. You have already stopped sharing too much sensitive information online? Good. The next discipline to master is being cautious about emails that ask you for personal information. In that case it's best to look up the real phone number of the service the email claims to come from and call them about it directly. And remember: information that has already leaked online has to be considered "public", at least to a degree. Anyone with enough motivation can find it, sometimes months or even years later. After all, how often do you change your phone number? So putting additional safeguards in place is a wise thing to do.

If you follow all this advice, you should be a lot safer!

G DATA Security Lab
Virus-Analyst Team