SIM Swap Fraud Prevention and the Role Mobile Network Operators Play

With the rise of cellular technology, our mobile phone has become our primary means of authenticating online transactions. As such, it should not come as a great surprise that bad actors started targeting mobile devices as a primary attack vector. One such vector that often combines technical know-how and social engineering is SIM swapping. Because of this, we should all strive to educate ourselves more on the methods of SIM swap fraud prevention.

With potentially devastating repercussions for individuals and businesses, these attacks can be stopped. But where does an MNO even begin to protect their business and subscribers alike?

In an era where a person’s identity is directly tied to their mobile devices, the cellular SIM is used as a means for personal identification. Whoever controls the SIM can assume the identity of the SIM’s subscriber by sending SMS messages and making phone calls appearing to originate from the original subscriber. More dangerously, these capabilities can be used to access financial services and perform fraudulent transactions by presenting the stolen identity.

A recent example of this is Robert, who claims a malicious hacker tricked an AT&T customer representative into redirecting his phone number to a new SIM card. Once SIM control was established, Gmail’s “forgot my password” feature was used to send the hacker an SMS message resetting the account’s password. 

With full control over Robert’s email address, the hacker proceeded to access financial accounts, converting over one million dollars into bitcoin cryptocurrency and wiring the funds directly into the hacker’s crypto-wallet. Beyond just funds, the hacker managed to obtain clear copies of Robert’s birth certificate, passport, and driver’s license, leading to identity theft threats. 

It took only 20 minutes from the moment the SIM was swapped by the customer representative to the time financial accounts were cleaned out. This left little to no time to present a defense.

Other than high profile cases reported in the media, statistics on SIM swapping attacks are relatively scarce. This is due to institutional fears for the loss of reputation, especially in the financial sector. However, a Princeton University study found that five major U.S. wireless providers tested were found to be vulnerable to simple social engineering techniques. In Europe, Europol announced arrests of more than two dozen people suspected of using SIM swapping techniques to drain the bank accounts of unsuspecting victims.

Two-factor authentication (2FA) through an SMS message or a phone call requires the service provider to generate a one time password (OTP). It is needed to access the service in combination with previously specified login credentials. 2FA is mainly used when trying to initiate an online action (e.g., logging in). Once sent, the code must be entered before proceeding with further steps. 

When a SIM is compromised, the SMS or phone call containing the authentication code is instead rerouted to the fraudster who duplicated the SIM. This then provides them with illicit access to secure services.

One of the major concerns when it comes to SIM swapping is the speed at which attacks are carried out. Once a SIM has been compromised, hackers don’t waste time; any financial and personal information is quickly extracted. Desirable items such as cryptocurrency and customer loyalty reward programs being favored for exploitation. Moreover, with users often relying on WiFi connectivity in addition to their cellular connection, it may take precious hours for an end-user to realize their SIM has been hijacked.

Beyond the risk to subscribers, SIM swapping attacks can have a detrimental impact on a service provider’s brand’s reputation, financial stability and may incur additional liabilities under law. Other services relying on SMS/Calls for authentication, such as email, banks, and financial institutions, are directly impacted as a hacker can easily create new login credentials using a redirected phone number.

Reggie Middleton, the chief executive of crypto company Veritaseum, is suing cellular network provider T-Mobile for allegedly enabling the theft of $8.7 million worth of cryptocurrency in a series of SIM-swapping attacks.

According to a court filing, Middleton was initially targeted during the month of July 2017. Despite reporting the incident to T-Mobile, Middleton asserts to have been the victim of 4 successful attacks over the rest of 2017, with further attacks detected during 2018 and 2019. 

The lawsuit accuses T-Mobile of having “abjectly failed” in its responsibility to protect subscribers' personal and financial information. 

Mobile network operators connect cellular phone numbers to specific devices by linking the mobile device to the mobile operator’s SIM’s account identifier. By cloning or splitting a SIM, attackers can gain access to privileged information and bypass SMS two-factor authentication. Both attack vectors rely on opportunity and public exposure.

An attacker with physical access to a mobile device can clone the device’s SIM card using specialized tools in as little as 10 minutes. Once the SIM has been cloned and activated in a new device, the original SIM is likely to disconnect, providing an attacker with the path required to bypass SMS and phone call verification security procedures.

Unlike SIM Cloning, SIM Splitting does not require physical access. SIM Splitting works by adding a second SIM card to the same mobile account through the subscriber’s mobile network operator.

SIM Splitting requires access to the mobile network operator’s internal tools. Fraudsters may gain this level of access by researching their victims, finding valuable, personally identifying records that can be used to bypass security questions. When a target profile is ready, the fraudsters will contact the mobile network operator’s call center and request a new SIM card. Relying on profile research, powers of persuasion, and even bribery, fraudsters will try to convince the call center representative to switch the SIM to a new device in order to gain full access to SMS and phone call authentication.

A more recent SIM Splitting trend involves using social engineering techniques. By convincing mobile network operator employees to provide remote desktop access, hackers can gain direct access to systems with the tools required to perform the SIM Splitting themselves. This technique is already well known to American mobile network operators. 

In a VICE magazine article on the topic, an AT&T spokesperson stated, "We are aware of this particular tactic in the industry and have taken steps to prevent it. Determined, sophisticated criminals employ fraudulent SIM swaps to commit theft. That is why we are working closely with our industry, law enforcement and consumers to prevent this type of crime". In the same article, a spokesperson for Sprint Mobile also confirmed it is aware of SIM swappers using the RDP method.

In many countries, there are procedures in place to allow mobile network subscribers to switch carriers while maintaining their phone number. Using similar research and social engineering skills that are used in SIM splitting, a hacker can sign up to a new MNO using stolen credentials and convince a customer representative to port the SIM’s number to a device on the new network. 

In some jurisdictions, this is further complicated by regulations that prevent the original MNO from refusing to port the SIM’s number, adding burden on the original subscriber trying to restore access.

Once a SIM has been split, attackers will try making it more difficult for the original account holder to restore access by locking down the account. This is done by changing the account’s passwords and security questions, requiring a much more rigorous identification process by the original account holder while providing the thieves with additional time to pilfer sensitive information.

With SIM swapping attacks increasing in popularity, mobile network operators must enhance their security practices to combat this growing phenomenon. Here are some of the solutions MNOs can take to limit their exposure:

The Princeton University study of North American cellular companies that offer prepaid services (AT&T, T-Mobile, Verizon Wireless, US Mobile, and Tracfone) found that in most cases, researchers were able to fraudulently port their own phone number to a new SIM thanks to a lack of strong verification processes.

The study did not use advanced fraud tactics; it found that repeated mistakes made when answering security questions were ignored and that in some cases, customer service representatives did not even try to authenticate the caller. And worse, at times, customer representatives even leaked account information prior to authentication.

Clearly, blindly following a predetermined script may not yield the best results. Fraudsters seek ways to subvert scripted actions and socially engineer customer support representatives to do their bidding. Employees and machine learning AI algorithms can and should be trained to flag suspicious account activity based on a preset of proven security metrics and heuristic behavior models.

The insecure nature of SMS and phone call authentication has seen a shift to newer, more secure technologies. Moreover, solutions to secure these vulnerabilities are readily available for MNOs and telcos to implement.

Multi-factor authentication that is not based on an SMS message for verification but instead uses encrypted communication or token generating hardware. This lets services and providers grant a subscriber with a one-time password, scannable QR code, or simply request access authorization on a pre-approved device. A good example of this type of multi-factor authentication is Google Authenticator.

Another example is the action mobile network operator Orange took with their optional Mobile ID program. By creating their own network subscriber ID system, Orange was able to enhance multi-factor authentication security while at the same time improving the subscriber experience.

Most mobile devices on the market today support some form of biometric identification technology. Whether it is based on fingerprint scanning, image face recognition, or 3D facial scanning, biometrics can add an additional layer of security to multi-factor authentication.Cellular network-level protection

Cellular network-level protection services work behind the scenes to detect and prevent multiple attack vectors that may threaten your device or leak your information. This includes fake cell towers, Man in the Middle attacks, malicious SMS/MMS, and more. When a security violation is detected, a notification process can be immediately initiated to inform both the subscriber and the network operator of the incident.

By requiring a security pin given to a subscriber when initially signing up for a service, access to exploiting customer service representatives through social engineering can be severely limited.

To combat SIM swapping in Africa, a joint venture between MNOs and financial institutions added an extra security measure. A new system was introduced to provide financial institutions with the ability to determine if a subscriber’s SIM was recently swapped into a new mobile device. With the measure in place, SMS/Phone authentication can be blocked for a specified period, preventing hackers from abusing the time required for the original subscriber to regain control of their account.

By adopting behavioral heuristics using machine learning techniques, MNOs can potentially detect, alert, and stop suspicious subscriber behavior before it escalates into a full account takeover.

I hope you this article helped you learn a little more about SIM swap fraud prevention.

One simply can not rely on outdated SIM and SMS technologies for secure authentication. Reputation-crushing examples of failure are exposed on a regular basis. Security demands that steps be taken toward new technologies that utilize encrypted communication and secure practices.