Written by John Preston
If we stop to think about what information we would be most afraid of losing, many users surely put their social networking applications before other things. However, not everyone is aware that there is something on our mobile phone that can be of great interest to criminals. It can turn data theft and identity theft into a theft of money from our bank account or cryptocurrency wallet.
SIM change phases
Regardless of what we fill the storage space of our smartphone with, we must bear in mind that this technique is not the result of a security breach in our devices. It stems rather from the lack of strict verification protocols when a copy of our SIM card is requested.
This technique is used together with other social engineering techniques in order to obtain benefits, since what criminals are looking for in this case is access to the verification codes that companies, platforms and banking entities usually send to our mobile devices.
In the first phase, the criminals try to obtain the user’s credentials, normally those related to online banking, to maximize the economic benefit, although, as we will see later, this is not the only objective. The theft of credentials is usually carried out through traditional social engineering techniques, such as fraudulent websites to which the user is redirected from a link sent in an email, or a fake mobile application that impersonates the bank.
Once the credentials are obtained, the criminals try to obtain a clone of the victim’s SIM in order to receive the verification codes sent by SMS (two-factor authentication). To do so, cybercriminals take advantage of the poor identity verification measures that some operators apply. After collecting personal information about their victims, for example through social networks, they call the telephone company responsible for the SIM they want to clone, or appear in person at one of its stores, to request a duplicate of the card. Often users realize that there is a problem when they stop having a signal on their phone.
It is not uncommon for criminals to meet few barriers when it comes to obtaining this duplicate SIM. This is a serious problem. Once the duplicate is obtained, the criminals can enter the victim’s bank account, make transfers or even request credit in the victim’s name. They will have no problem confirming the operation, because they receive the messages with the second authentication factor (2FA) on the cloned SIM.
Other attacks derived from SIM Swapping
Criminals are not just looking to access the bank accounts of their victims. Other valuable assets include cryptocurrency wallets and online service accounts, such as those of Google.
In the latter case, if cybercriminals have obtained the victim’s credentials, they can bypass 2FA by requesting a one-time code sent by SMS. Once they have accessed the account, they can take control of our email account, contacts, etc.
The same can be said of access to other services, such as Facebook, Instagram, TikTok or similar. This can ruin the online reputation of the victim, and criminals take advantage of it to blackmail them. They could, for example, obtain compromising photos and conversations and threaten to make them public unless a payment is made.
Nor should we forget about other applications that we usually use to make transfers and that also allow us to store money. A clear example would be PayPal, which also incorporates 2FA in the form of an SMS message. In the event that criminals obtain the access credentials and a SIM clone, they could not only withdraw the saved funds, but also impersonate us to request money from our contacts.
Coping with SIM swapping
To fight against this threat, it would be necessary to completely rethink the identity verification procedure that many banking entities and online services still carry out. Unfortunately, it is not always possible to use the 2FA method that we want to use. This forces us to take more drastic measures. One of these measures would be to contact our operator and make sure that no duplicate of our card will be issued unless we request it in person at a store or office with a document that identifies us.
In any case, for this measure to work, the operator must be able to strictly comply with our demands, which is quite difficult in some cases. As if that were not enough, there have been reports of cases in which criminals had the collaboration of employees of the mobile operator, making it more difficult to block this malpractice.
Luckily, the security forces and bodies are aware of this technique, so from time to time we see them dismantle a gang dedicated to this type of crime. One of the most recent operations was carried out in Spain by the Civil Guard. They managed to arrest twelve people of different nationalities who are said to have obtained more than three million euros in profit.
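One way a bank or online service could rethink the verification step mentioned above is to stop trusting an SMS code shortly after the SIM behind the number has been reissued. The sketch below is an added example, not code from the article or from any operator; the `last_sim_change` field, the 72-hour window and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: how long after a SIM reissue SMS codes are distrusted.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)
# Actions the article names as the attackers' goal: transfers and credit requests.
HIGH_RISK = {"transfer", "credit_request"}

@dataclass
class Request:
    account: str
    action: str                          # "login", "transfer" or "credit_request"
    known_device: bool                   # device already seen for this account
    requested_at: datetime
    last_sim_change: Optional[datetime]  # assumed operator-supplied; None = unknown

def sms_code_decision(req: Request) -> str:
    """Return 'allow_sms', 'step_up' (require another factor) or 'block'."""
    if req.last_sim_change is None:
        # No SIM history: do not move money on an SMS code alone.
        return "step_up" if req.action in HIGH_RISK else "allow_sms"
    age = req.requested_at - req.last_sim_change
    if age >= SIM_CHANGE_COOLDOWN:
        return "allow_sms"
    # SIM was reissued recently: the code may be arriving on a duplicate card.
    if req.action in HIGH_RISK and not req.known_device:
        return "block"
    return "step_up"

NOW = datetime(2024, 5, 2, 10, 0)
# Constructed sample requests (not real data).
SAMPLE = [
    Request("alice", "transfer", False, NOW, datetime(2024, 5, 2, 8, 30)),
    Request("alice", "login", True, NOW, datetime(2024, 5, 2, 8, 30)),
    Request("bob", "transfer", True, NOW, datetime(2023, 11, 1, 9, 0)),
    Request("carol", "credit_request", True, NOW, None),
]

def evaluate(requests):
    """Apply the policy to each request and return (account, action, decision)."""
    return [(r.account, r.action, sms_code_decision(r)) for r in requests]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```
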
Avoid being a victim of SIM Swapping
We have seen that SIM Swapping is based on two different stages. The first focuses on the extraction of personal data through social engineering. The second is when the information is used to carry out the scam as such.
Do you want to be fully protected against these SIM Swapping attacks? Then it is important to use good common sense, as we have repeated on countless occasions. This means thinking very carefully about whether it makes sense for a bank to ask you for your passwords through WhatsApp, or whether a raffle that has reached you through Facebook makes any sense. Likewise, the recommendations to follow are the following:
- Do not give your personal data to anyone over telephone calls you receive. Most commonly, the caller will offer you a great discount from an electricity company or an operator.
- Learn to avoid phishing in SMS or email by reading the URLs carefully and thinking about whether the information they are asking for makes sense.
- Avoid entering your personal data while you are connected to a public Wi-Fi network.
- Do not download unreliable applications.
- Block access to your personal data on social networks to anyone who is not your contact. Otherwise, a lot of data can be found there to build a profile of you.
- All these recommendations add up to the need to investigate and consult about any problems you have on the network. Do not treat a complete loss of coverage on your mobile device as something normal, especially in an area where you have always had it and where other people do not have this problem. The first thing to do is contact the operator to determine whether a duplicate has been requested and your SIM card has been in the possession of another person.
- The second thing to keep in mind is to report to the authorities any type of fraudulent activity that you have been able to detect, so that the corresponding investigations can be initiated. At that point, they will be the ones who recommend canceling phone cards, or perhaps changing online banking passwords and even changing your phone number.