The Federal Bureau of Investigation (FBI) warns of a sharp increase in scams using smartphone SIM card swapping to defraud victims.
Swapping subscriber identity modules (SIMs) is an old trick, but the FBI has issued a new alert about it due to a massive jump in reported cases in 2021 compared to previous years.
Smartphones are essential tools for authenticating with online services, such as banks that send login codes by SMS. This is a serious problem: if scammers can take control of the victim’s phone number, they can gain access to the victim’s email, social networks and bank accounts. Complaints to the FBI’s Internet Crime Complaint Center (IC3) have skyrocketed over the past year.
From January 2018 to December 2020, the FBI received 320 complaints related to SIM card swapping incidents with losses of approximately $12 million. In 2021, it received 1,611 SIM swapping complaints with losses of more than $68 million, the FBI warned in a new public service announcement.
Scammers abuse mobile network operators’ call center support services by calling them and posing as customers to get a new SIM card. The victim is unaware that a new SIM card is connected to their phone number, which gives attackers the access they need.
“Once the SIM card is swapped, the victim’s calls, texts and other data are redirected to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email address and other online accounts associated with the victim’s cell phone number,” warns the FBI’s IC3.
“Using SMS two-factor authentication, mobile app providers send a link or unique passcode via SMS to the victim’s number, now owned by the criminal, to gain access to the accounts. The criminal uses the codes to log in and reset passwords, gaining control of online accounts associated with the victim’s phone profile.”
To improve security, many organizations use SMS messages as a form of multi-factor authentication because the account owner is assumed to have control of the device. SMS-delivered codes are convenient due to their high adoption rate and the belief that SMS is better than simply relying on a password that can be compromised. SIM swapping is a way for scammers to circumvent this security.
As Microsoft and others have argued, SMS is an insecure and unreliable way to provide codes to authenticate to online accounts. Microsoft wants organizations to use apps, such as its Authenticator, because they’re a harder target to compromise.
The FBI details the many ways attackers can trick or lure mobile network operator employees into assisting them. From an attacker’s perspective, the rise of cryptocurrencies like Bitcoin and the reliance of exchanges on phones for authentication add to the appeal of SIM swapping scams.
“Criminal actors primarily conduct SIM card swapping programs using social engineering, insider threats, or phishing techniques,” the FBI’s IC3 states.
The attacker often poses as the victim and tricks the employees of the mobile operator into transferring the victim’s mobile phone number to a SIM card in the criminal’s possession.
“Criminal actors using an insider threat to run SIM card swapping programs pay a mobile operator employee to transfer a victim’s cell phone number to a SIM card in the possession of the criminal. Criminal actors often use phishing techniques to trick employees into downloading malware that is used to hack into mobile carrier systems that perform SIM card swaps,” FBI IC3 says.
SIM swapping is a real problem. In December, T-Mobile confirmed that SIM swapping attacks had caused a major data breach. A former employee of a US mobile operator was convicted in October of accepting bribes of up to $500 a day to swap phone numbers. Carriers also lack procedures to help customers when they fall victim to SIM swapping scams, as detailed in a 2019 personal account by ZDNet mobile specialist Matthew Miller. It is also a global problem for telecommunications operators. To counter SIM swapping attacks, Australia’s Telstra now notifies banks when a mobile number is ported.
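The Telstra arrangement described above gives a relying party a signal it can act on: an account recovery or SMS login attempt that arrives shortly after the number was ported or moved to a new SIM is exactly the timeline the FBI describes. The following is an added example, not code from the article, Telstra or any bank: a Python check that refuses to send SMS codes during a cooling-off window after a port or SIM change and escalates to a stronger factor instead. The notification format, the phone numbers and the 72-hour window are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample feed: the kind of event a carrier could send a bank when a
# number is ported out or re-provisioned onto a new SIM. Field names and values
# are assumptions for this example, not a real carrier interface.
PORT_NOTIFICATIONS = [
    {"msisdn": "+61400000001", "event": "port_out",   "at": "2021-12-01T09:15:00Z"},
    {"msisdn": "+61400000002", "event": "sim_change", "at": "2021-11-01T12:00:00Z"},
    {"msisdn": "+61400000001", "event": "sim_change", "at": "2021-06-10T08:00:00Z"},
]

# Assumed policy: distrust the number for 72 hours after any port or SIM change.
SIM_CHANGE_COOLING_OFF = timedelta(hours=72)


@dataclass
class Decision:
    allow_sms: bool
    action: str   # "send_sms_code" or "escalate"
    reason: str


def parse_iso(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_index(notifications: List[dict]) -> Dict[str, List[datetime]]:
    """Group notification timestamps by phone number, newest last."""
    index: Dict[str, List[datetime]] = {}
    for n in notifications:
        if n["event"] in ("port_out", "sim_change"):
            index.setdefault(n["msisdn"], []).append(parse_iso(n["at"]))
    for times in index.values():
        times.sort()
    return index


def assess_sms_factor(msisdn: str, index: Dict[str, List[datetime]], now: datetime) -> Decision:
    """Decide whether an SMS code may be sent to this number right now.

    A number with a port or SIM change inside the cooling-off window is treated
    as possibly attacker-controlled: no code is sent and the request is routed
    to a factor that does not depend on the number (authenticator app, branch
    visit, call-back to a verified contact, etc.).
    """
    recent = [t for t in index.get(msisdn, []) if timedelta(0) <= now - t < SIM_CHANGE_COOLING_OFF]
    if recent:
        age_h = (now - recent[-1]).total_seconds() / 3600
        return Decision(False, "escalate",
                        f"port/SIM change {age_h:.1f}h ago is inside the {SIM_CHANGE_COOLING_OFF} cooling-off window")
    return Decision(True, "send_sms_code", "no recent port or SIM change on record")


def handle_recovery_request(msisdn: str, index: Dict[str, List[datetime]], now: datetime) -> str:
    """Return the action the recovery flow should take, and log the decision."""
    d = assess_sms_factor(msisdn, index, now)
    print(f"recovery msisdn={msisdn} allow_sms={d.allow_sms} action={d.action} reason={d.reason}")
    return d.action


if __name__ == "__main__":
    idx = build_index(PORT_NOTIFICATIONS)
    when = parse_iso("2021-12-01T10:00:00Z")   # 45 minutes after the port_out event
    for number in ("+61400000001", "+61400000002", "+61400000003"):
        handle_recovery_request(number, idx, when)
```

The same check belongs in front of every place the number is trusted, not only account recovery: SMS login codes, "add a new device" confirmations and contact-detail changes are all ways the redirected number is cashed in.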
FBI tips for protecting yourself include:
- Do not post information about financial assets, including cryptocurrency ownership or investment, on websites and social media forums.
- Do not provide your mobile phone number or account information over the phone to representatives asking for your account password or PIN. Check who they really are by dialing your mobile carrier’s customer service line.
- Avoid posting personal information online, such as cell phone number, address, or other personally identifying information.
- Use a variation of one-time passwords to access online accounts.