Oct 29 2020

SIM Swap Attacks: How to Detect and Prevent Them

SIM swap fraud can be used to bypass multifactor authentication. Here’s what government IT pros need to know.

For most individuals, including government workers, smartphones are a key part of their daily lives, connecting them to everything from their work emails to their bank accounts. However, malicious actors can access users’ phones as a way to steal their identities — and then their money and potentially their data — through a kind of cyberattack known as SIM swap fraud.

A SIM swap attack or SIM swap fraud can be used to impersonate someone so that the attacker gains access to the user’s phone number. The attacker can then use that access to contact a user’s bank or access other services, and can bypass multifactor authentication controls by having one-time passwords or PINs sent to the spoofed phone

An FBI report from September 2019 notes that SIM swapping is a common tactic cybercriminals are using to circumvent two-factor authentication.

“Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed,” the FBI report notes. “Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.”

The Federal Trade Commission has warned about SIM swap fraud and offers ways to detect and combat such attacks.

William Stofega, an IDC analyst who manages the Mobile Device Technology and Trends research program, says that once attackers have access to a user’s phone number on the fake phone, they can intercept SMS messages, phone calls and emails. Although SIM swap attacks are typically used for financial gain, Stofega notes that there is the potential for attackers to impersonate users and then gain access to data or sensitive information, something that should concern government agencies.

What Is SIM Swap Fraud?

First, some basics: A cellphone subscriber identity module (SIM) card is what is used to store user data in Global System for Mobile Communications (GSM) phones. All modern cellphones have SIM cards to connect to mobile networks.

In a SIM swap attack, a malicious actor first gathers as much information as possible on a target via phishing emails, malware, the dark web or social media research, according to a Norton blog post. From there, attackers go to work trying to get access to a user’s phone by contacting the customer service department at the user’s wireless carrier.

As Norton notes:

The scammers call your mobile carrier, impersonating you and claiming to have lost or damaged their (your) SIM card. They then ask the customer service representative to activate a new SIM card in the fraudster’s possession. This ports your telephone number to the fraudster’s device containing a different SIM. Or, they may claim that they need help switching to a new phone.

The attackers are persistent, Stofega notes, and their research may have given them PINs or answers to security questions, such as a user’s mother’s maiden name. Attackers can use stolen Social Security numbers to help authenticate themselves, Stofega says.

“It’s kind of a smishing or phishing attack,” he says. “Then, it’s about slowly gaining that information to take command of all of the different important accounts, because a lot of times we’ll have things linked. Passwords will be stored online, and it just becomes a waterfall effect where once they have some information, the adversary is able to gain quick control of other types of information that are particularly damaging.”

Attackers could set up a second bank account in the user’s name and transfer money between them, which might not set off alarm bells at the user’s bank, and then withdraw money from the second account.

For government agencies, there is the possibility that a SIM swap fraud could be used for more nefarious purposes. An attacker could impersonate a SIM swap victim in communications to colleagues and get them to send the attacker information. “It definitely does happen in terms of even more dangerous stuff, like access to certain secrets and bypassing things,” Stofega says.

He notes that users who have access to sensitive or national security systems would typically be well trained and not allow themselves to be the victims of such an attack. However, Stofega says, it “could be someone calling up somebody or convincing someone’s secretary to do certain things. It doesn’t take much.”

LEARN MORE: How can next-generation endpoint security protect users at home?

How to Detect a SIM Swap Fraud

A high-profile victim of a SIM swap attack surfaced last year when Twitter CEO Jack Dorsey fell victim to the fraud and the attackers used his Twitter account to send out offensive messages.

“One warning sign, as seen in Dorsey’s case, is social media activity that isn’t yours,” the Norton blog post notes.

Another sign that a SIM swap attack has taken place is that a user’s phone calls and text messages aren’t going through because the attacker has deactivated the user’s actual SIM card, Norton notes.

Wireless carriers may send a user an email if their SIM card or phone number has been activated on another device, according to Norton.

A surefire way to know that something suspicious is afoot is that a user’s login credentials for their bank or other accounts no longer work.

DISCOVER: How are feds approaching zero trust?

How to Prevent SIM Swap Fraud

Preventing SIM swap fraud requires vigilance on the part of individuals and agencies, especially if agencies have a BYOD policy for mobile phones and the IT department is not managing and securing users’ devices.

Stofega notes that IT staff are busier than ever these days and have multiple responsibilities. “They may not have the time to really figure out a way that this happened,” he says. “So, in a lot of cases it’s really the carriers that are the last line of protection.”

There are ways that users can be on guard against SIM swap attacks, the FTC notes. “Don’t reply to calls, emails, or text messages that request personal information,” the agency says on its website. “These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.”

Users should also limit the personal information they share online, the FTC notes, and avoid posting their full name, address or phone number on public sites.

Another safeguard is to set up a PIN or password on a cellular account, which “could help protect your account from unauthorized changes.”

Users should also consider “using stronger authentication on accounts with sensitive personal or financial information,” the FTC notes. “If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.”

EXPLORE: How are agencies approaching cybersecurity automation?

What Is Multifactor Authentication?

Most agencies are using some form of multifactor authentication for access to their networks or databases.

MFA includes something a user knows, such as a password or a PIN; something a user has, including a token or cryptographic device; and something the user is — a biometric identifier such as a fingerprint.

Additional factors can include time of day (would the user normally be logging on at this hour?) and how a user accesses information on personal devices over time (does the user tap into email first or check the weather?).

The Defense Information Systems Agency has explored other ways to validate users’ identities through biometrics that go beyond the normal methods of authentication. These include a user’s gait, or manner of walking.

As of last year, the federal government stood at a 93 percent adoption of standard two-factor personal identity verification cards, according to a 2018 Office of Management and Budget analysis of cybersecurity across agencies.

How to Improve MFA Security

As SIM swap fraud makes clear, some forms of multifactor authentication can be defeated. Stofega argues that there are some ways it can be improved, including sending out verification codes from a “pristine” database that would not be fooled by a user with someone’s phone.

Another way to improve MFA is verification via a user’s photo or video, though those tactics can also increasingly be defeated by deepfakes, which use deep machine learning to alter videos and fake someone’s appearance.

One factor of authentication that might not be as easy to fake is a user’s voice or retinal scan, Stofega says, although those can be bypassed as well. Attackers could be persistent and tell security authorities that their retinal scanner isn’t working, for example.

Stofega says that users’ awareness and training can go a long way to ensuring that MFA remains as secure as possible.

Tero Vesalainen/Getty Images

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.