FINAL WORD
The enemy in your pocket: large-scale SIM swap fraud
With mobile phone payments now hugely popular, cybercriminals have been targeting the market in a wave of attacks. With SIM swap fraud nowadays conducted on a large scale, Fabio Assolini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab, tells Intelligent CIO how cybercriminals complete the fraud and the best ways to avoid being the next victim.
Mobile payment is huge worldwide. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to deposit, withdraw and pay for goods and services easily with a mobile device. In some cases, almost half the value of a country's GDP goes through mobile phones.
But these mobile payments are now suffering a wave of attacks and people are losing their money, all powered by SIM swap fraud. Such attacks are today conducted on a large scale.
SIM swap fraud is a type of account takeover fraud that targets a weakness in two-factor authentication and two-step verification: schemes where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centres on exploiting a mobile phone operator's ability to move a telephone number to a new SIM card quickly and without friction.
This feature is normally used when a customer has lost their phone or had it stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause direct financial damage to victims.
84
INTELLIGENTCIO
If someone steals your phone number, you will face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMS, and once your number has been moved to the attacker's SIM, every one of those messages is delivered to them instead of you. Criminals can hijack your accounts one by one by having a password reset code sent to your phone. They can trick automated systems, like your bank's, into thinking they are you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. The damage is so severe because our financial life revolves around mobile apps that we use to send money, pay bills and so on.
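The pattern just described, a SIM change followed by a burst of reset codes and OTPs to the same number as accounts are taken over one by one, is something a bank or service provider can look for. The following is an added example, not code from the article or from Kaspersky: a small detection and policy routine over a constructed event log. The event names, log format, phone numbers, services and thresholds are all assumptions made for illustration; the idea that an operator can notify a bank of a SIM change (a "SIM swap check") is real, but the interface below is invented.

```python
"""Added example: correlate a recent SIM change with a burst of SMS-based
reset/OTP dispatches on the same phone number.

All events, numbers, service names and thresholds below are constructed
for illustration; the operator notification feed is an assumed interface,
not a real API."""

from datetime import datetime, timedelta

# Assumed log format: (timestamp, event, phone_number, detail).
# SIM_CHANGE comes from the operator's notification feed (assumption);
# OTP_SENT and PW_RESET_SMS are the provider's own dispatch records.
SAMPLE_LOG = [
    (datetime(2019, 3, 4, 9, 2),  "SIM_CHANGE",   "+5511900000001", "operator-feed"),
    (datetime(2019, 3, 4, 9, 10), "OTP_SENT",     "+5511900000001", "bank"),
    (datetime(2019, 3, 4, 9, 14), "PW_RESET_SMS", "+5511900000001", "email"),
    (datetime(2019, 3, 4, 9, 21), "PW_RESET_SMS", "+5511900000001", "wallet"),
    (datetime(2019, 3, 4, 9, 40), "OTP_SENT",     "+5511900000001", "work-sso"),
    # Second number: one routine OTP, no SIM change, should not alert.
    (datetime(2019, 3, 4, 9, 30), "OTP_SENT",     "+5511900000002", "bank"),
]

RESET_EVENTS = {"OTP_SENT", "PW_RESET_SMS"}

# Policy knobs (assumed values): distrust SMS to a number whose SIM changed
# in the last 24 h; alert when more than RESET_THRESHOLD reset/OTP sends hit
# that number within BURST_WINDOW of the change.
SIM_CHANGE_WINDOW = timedelta(hours=24)
BURST_WINDOW = timedelta(hours=1)
RESET_THRESHOLD = 2


def last_sim_change(log, phone, now):
    """Return the most recent SIM_CHANGE timestamp for `phone` at or before `now`, else None."""
    changes = [ts for ts, ev, ph, _ in log
               if ev == "SIM_CHANGE" and ph == phone and ts <= now]
    return max(changes) if changes else None


def sms_is_trusted(log, phone, now):
    """Policy gate: SMS to `phone` may be used as a second factor only if the
    SIM behind it has not changed within SIM_CHANGE_WINDOW."""
    changed = last_sim_change(log, phone, now)
    return changed is None or now - changed > SIM_CHANGE_WINDOW


def detect_takeover(log, now):
    """Return {phone: [services]} for every number with a SIM change inside
    SIM_CHANGE_WINDOW that then received more than RESET_THRESHOLD reset/OTP
    messages within BURST_WINDOW of the change, in time order."""
    alerts = {}
    phones = {ph for _, ev, ph, _ in log if ev == "SIM_CHANGE"}
    for phone in sorted(phones):
        changed = last_sim_change(log, phone, now)
        if changed is None or now - changed > SIM_CHANGE_WINDOW:
            continue
        hits = sorted((ts, svc) for ts, ev, ph, svc in log
                      if ph == phone and ev in RESET_EVENTS
                      and changed <= ts <= changed + BURST_WINDOW)
        if len(hits) > RESET_THRESHOLD:
            alerts[phone] = [svc for _, svc in hits]
    return alerts


if __name__ == "__main__":
    now = datetime(2019, 3, 4, 10, 0)
    for phone, services in detect_takeover(SAMPLE_LOG, now).items():
        print(f"ALERT {phone}: reset/OTP burst after SIM change -> {services}")
    for phone in ("+5511900000001", "+5511900000002"):
        print(phone, "SMS trusted:", sms_is_trusted(SAMPLE_LOG, phone, now))
```

The gate in `sms_is_trusted` is the more useful half in practice: rather than detecting the takeover after the codes have gone out, the provider can refuse to send an SMS second factor at all, or force a stronger check, while the number's SIM is freshly changed.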
How the cybercriminals do it
The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organised crime groups, via social engineering or by obtaining the information following data leaks.
Once the fraudster has obtained the
necessary details they will then contact
the victim’s mobile telephone provider.
The fraudster uses social engineering
techniques to convince the telephone
www.intelligentcio.com