Sharp SIM-Swapping Spike Causes $68M in Losses

The attacks, which lead to 2FA defeat and account takeover, have accelerated by several hundred percent in one year, leading to thousands of drained bank accounts.

SIM-swapping, the practice of duping mobile carriers into switching a target’s phone services to an attacker-controlled phone, is on the rise, the Feds are warning, leading to millions in losses for consumers who found their bank accounts drained and other accounts taken over.

Subscriber Identity Modules (SIMs) are small chips inside mobile phones that allow the carrier to identify and register subscriber devices – a requirement to provide service to them. Most SIM-swapping attacks take the form of social engineering, where the criminals impersonate victims and convince customer-service agents to change over victims’ services to new phones that they control.


Once the service has been redirected, the crooks have access to any of the victims’ calls, texts, voicemails and saved profile data. That access lets them send “Forgot Password” or “Account Recovery” requests to the victim’s email, easily defeat two-factor authentication that relies on one-time passcodes, and thus crack high-value accounts.

While SIM-swapping (aka SIM-jacking) isn’t a new practice, the attacks now seem to be accelerating at a rapid clip: Last year, the FBI Internet Crime Complaint Center (IC3) received 1,611 SIM-swapping complaints, with adjusted losses from the resulting account takeovers and data theft totaling more than $68 million, it said this week. In contrast, for the entire three-year period from January 2018 to December 2020, there were just 320 SIM-swapping complaints, with adjusted losses of approximately $12 million.

SIM-Swapping: All Too Easy

It’s usually not a difficult plan to execute successfully, given that many carriers don’t ask in-depth security questions that fully verify that the caller is in fact the legitimate cell phone user. Often, the challenge questions can be answered with previously phished information or even with public information found on social-media sites.

The epidemic of large-scale data breaches also contributes to the gambit’s high rate of success, according to Chris Clements, vice president of solutions architecture at Cerberus Sentinel.

“When people wonder what the consequences of large-scale data breaches are, this is exactly it,” he noted via email. “Both people and companies have become conditioned to being able to verify identity through simple questions like Social Security number or mother’s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur.”

Other attack vectors include phishing and insider-threat avenues. For instance, when it came to light in 2019 that Twitter CEO Jack Dorsey was the victim of a SIM swap, the New York Times reported that “hacking crews have paid off phone company employees to do…switches for them, often for as little as $100 for each phone number.” Again, this type of accomplice-cultivation isn’t unusual – it even resulted in a lawsuit for AT&T in 2018.

SIM-swapping is not just happening in the United States, either: The Spanish National Police, for instance, this week busted open a SIM-swapping ring that got around carriers’ photo-based account verification by using non-original photos of victims to request swaps.

Protection Responsibility Lies with Carriers

There’s very little that end users can do to avoid becoming victims of SIM-jacking jerks (although the FBI recommends a few protection steps, below). Primarily, it’s the mobile phone company’s responsibility to keep its house in order, researchers said.

“All organizations, but especially service providers must move from more simplistic means of validating identity to more sophisticated ones,” Cerberus’ Clements said. “PIN codes unique to each user’s account can be one way of adding additional security to the process. ‘Out of wallet’ questions are another alternative that works by verifying much harder to compromise information such as last three home addresses or cars. It may be more of a hassle for everyone, but it’s simply no longer viable to rely on information that has been routinely compromised to validate a person’s identity.”

Another best practice that all businesses can implement is to move on from SMS-based 2FA, others said.

“SIM-swapping attacks have been going on for over a decade and have likely resulted in billions in stolen cryptocurrency and other financial crime,” Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. “SMS-based MFA has to be the most popular MFA option used on the internet, and most of the time, people do not have a choice of whether to use it or not. Their bank, vendor or service says they have to use it. And, let me say again, the U.S. government has said not to use it since 2017. The better question to ask is why so many services and vendors are still using SMS-based and phone-number based MFA five years after the U.S. government said not to use it? Why are we so slow and broken?”

The FBI recommended this week that mobile carriers take the following precautions:

  • Educate employees and conduct training sessions on SIM swapping.
  • Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
  • Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.
  • Authenticate calls from third-party authorized retailers requesting customer information.

SIM-Swapping Consumer Protection Tips

The FBI also recommended this week that individuals take the following precautions:

  • Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social-media websites and forums.
  • Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
  • Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.
  • Use a variation of unique passwords to access online accounts.
  • Be aware of any changes in SMS-based connectivity.
  • Use strong MFA methods such as biometrics, physical security tokens or standalone authentication applications to access online accounts.
  • Do not store passwords, usernames or other information for easy login on mobile device applications.
