FINAL WORD
company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.

After that the victim’s phone loses its connection to the network and the fraudster receives all the SMS messages and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; every service that relies on SMS or telephone-call authentication can then be used.

We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets, in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc.

Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.

The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal.

WhatsApp is the most popular instant messenger in a number of countries where the app is used by fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.

Sometimes the target is the carrier and not the customer. This happens when a carrier’s employees working in branches in small cities are unable to identify a fraudulent or adulterated document, especially in branches located in kiosks or shopping malls, allowing a fraudster to activate a new SIM card.

Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them US$10 to US$15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch in a small city, to give them access to the carrier’s system.

The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app. Once this access was obtained the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.

The interest in such attacks is so great among cybercriminals that some of them have decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.

The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.

How not to be the next victim

1. Voice and SMS must be avoided as authentication mechanisms

When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.
2. The new era of biometrics

Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as ‘my voice is my password’ – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrolment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.
3. Automated SMS: ‘Your number will be deactivated from this SIM card.’

When a SIM change is requested, operators can implement an automated message that’s sent to the number alerting the owner that there’s been a SIM change request and that, if it’s not authorised, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself; instead it alerts the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.
Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.
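The automated alert of section 3 and the change password described in the last paragraph both sit in the same place: the carrier's SIM activation workflow. The following is an added example, not the code of any carrier or of the article's author, showing how a back-end can combine them and additionally expose a check that relying services (such as the payment app in the pag! case above) can consult before sending a recovery code by SMS. Everything specific in it is assumed: the 24-hour cooldown, the salted PBKDF2 storage of the change password, and the subscriber number, ICCIDs and branch names, which are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical policy values for this example (not taken from the article).
SIM_CHANGE_COOLDOWN_S = 24 * 3600   # refuse SMS-based recovery for 24 h after a swap
PBKDF2_ROUNDS = 200_000

# Alert text modelled on section 3, sent to the SIM that is about to lose the number.
ALERT_TEXT = ("Your number will be deactivated from this SIM card. "
              "If you did not request this, contact the fraud hotline.")


@dataclass
class Subscriber:
    msisdn: str                              # subscriber's phone number
    iccid: str                               # serial of the SIM currently holding the number
    pw_salt: bytes = b""
    pw_hash: bytes = b""                     # empty => no change password configured
    last_sim_change: Optional[int] = None    # unix time of the last activation on a new SIM


def set_change_password(sub: Subscriber, password: str) -> None:
    """Opt-in password required for account changes, stored as salted PBKDF2-SHA256."""
    sub.pw_salt = os.urandom(16)
    sub.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), sub.pw_salt, PBKDF2_ROUNDS)


def password_ok(sub: Subscriber, supplied: str) -> bool:
    if not sub.pw_hash:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", supplied.encode(), sub.pw_salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, sub.pw_hash)


@dataclass
class CarrierSystem:
    subscribers: Dict[str, Subscriber] = field(default_factory=dict)
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)      # (iccid, msisdn, text)
    audit: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (event, msisdn, branch, t)

    def request_sim_change(self, msisdn: str, new_iccid: str, supplied_password: Optional[str],
                           branch: str, now: int) -> bool:
        """Branch-initiated SIM activation. The change password (if configured) gates it;
        either way the current SIM is told what is happening before it goes dark."""
        sub = self.subscribers[msisdn]
        if sub.pw_hash and not password_ok(sub, supplied_password or ""):
            self.audit.append(("SIM_CHANGE_DENIED", msisdn, branch, now))
            self.outbox.append((sub.iccid, msisdn,
                                "A SIM change for your number was refused (wrong account password). "
                                "If this was not you, contact the fraud hotline."))
            return False
        # Queue the alert to the *old* ICCID before moving the number: afterwards
        # the message would reach the new SIM instead of the subscriber.
        self.outbox.append((sub.iccid, msisdn, ALERT_TEXT))
        self.audit.append(("SIM_CHANGED", msisdn, branch, now))
        sub.iccid = new_iccid
        sub.last_sim_change = now
        return True

    def sms_otp_allowed(self, msisdn: str, now: int) -> bool:
        """Fraud check for relying services: during the cooldown after a swap an SMS code
        (e.g. an app's password-recovery code) would land on the new SIM, so refuse it."""
        sub = self.subscribers[msisdn]
        if sub.last_sim_change is None:
            return True
        return now - sub.last_sim_change >= SIM_CHANGE_COOLDOWN_S


def demo() -> CarrierSystem:
    """Constructed scenario: one subscriber, a swap before any password is set, then a
    second attempt with a wrong password after the subscriber has configured one."""
    c = CarrierSystem()
    c.subscribers["+5511999990000"] = Subscriber("+5511999990000", "8955000000000000001")
    c.request_sim_change("+5511999990000", "8955000000000000002", None, "kiosk-mall-01", 1_700_000_000)
    set_change_password(c.subscribers["+5511999990000"], "correct horse")
    c.request_sim_change("+5511999990000", "8955000000000000003", "guess", "kiosk-mall-01", 1_700_000_600)
    return c


if __name__ == "__main__":
    system = demo()
    for entry in system.audit:
        print(entry)
    for sms in system.outbox:
        print(sms)
```

In the scenario the first swap goes through because no password is configured, exactly the situation the article describes, and the only defence is the alert queued to the old SIM plus the cooldown that stops SMS-based recovery for the next 24 hours; once the password is set, the second request is refused and both the refusal and the branch that made it are left in the audit trail, which is what a fraud desk needs when insiders at a particular branch are suspected.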
www.intelligentcio.com