In recent times, the prevalence of SIM swapping has posed to be one of the biggest cyber threats that Cryptocurrency analytics companies have overlooked. The information that can potentially be acquired by criminals using this fraudulent method makes it a big threat to individuals and their privacy.
This article will focus largely on SIM swapping, typical scenarios on how SIM swappers swindle millions of individuals and how they can be curtailed with emerging technologies.
SIM swapping is a relatively simple concept to understand, however, the potential damage that can be done to the individual is scary, to say the least. SIM swap fraud is a type of account takeover fraud that targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone.
This fraudulent practise centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.
A contextual representation of SIM swapping as underlined by Kaspersky labs can look like this;
An attacker arrives at a regional department of a communications provider with fictitious documents that are supposed to prove a customer’s valid identity. While in some cases, the attacker simply gets in close contact with an employee of the department and receives a duplicate of a victim’s SIM card. The authentic SIM card in the victim’s phone turns off at that moment, so all subsequent SMS communications and phone calls are redirected to the attacker’s phone.
Whatsapp Cloning Scheme
‘Whatsapp’ is the most popular instant messenger in a number of countries where the app is used by fraudsters to steal money in an attack known as ‘Whatsapp cloning’. After a SIM swap, the first thing the criminal does is to load Whatsapp and all the victim’s chats and contacts. Then, they begin messaging the contacts in the victim’s name, citing an emergency and asking for money.
In some cases, they feign a kidnapping situation, asking for an urgent payment and some of the contacts are persuaded enough to pay the lump sum being requested for. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using Whatsapp accounts hijacked in a SIM swap. It is more or less like a BEC (Business E-mail Compromise), but using your Whatsapp account.
SMS Schemes in Brazil
The Fintech boom in Brazil started with companies offering credit cards and bank accounts with no charge, especially after the successful launch of Nubank in 2013. Most of them still rely on two-factor authentication via SMS. The ease with which a SIM swap can be performed helped fraudsters orchestrate new ways of emptying user-banking accounts.
According to a report by Gizmodo Brazil, popular Brazillian fin-tech firm, Meu Pag’s customers were robbed off thousands of dollars. The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the ‘pag!’ app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the swindlers to gain total control of the user’s account in the app. Once access was obtained, the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victims. Some victims reported losses of US$3,300 in fraudulent transactions.
SIM Fraud in Mozambique
The case of SIM swapping in Mozambique stems mostly from bribery in the banking space & other financial institutions. Mobile payments are huge in African countries and Mozambique is not left out from this technological advancement.
In Mozambique, mobile fraud is on the rise. Several local banks rely on a one- time password (OTP), with many preferring not to use physical or software tokens as this increases the cost and complexity for customers, especially those on low incomes. The banks, therefore, try to keep it simple, using an SMS as the second factor. This shows that perhaps without them even realizing it, they share the responsibility of securing the customer’s bank accounts with the mobile operators.
The way forward…
Though financial inclusion services are prospering in Africa, the downside, however, opens a world of opportunities to fraudsters. Most SIM swap frauds operate in the same way. There are syndicates that identify and collude with employees from the banks and mobile operators. The bank employee is responsible for providing information about an account balance and detailed information about the victim. Armed with this material, the fraudsters conduct a phishing attack to gain access to the victims online banking account and its verification codes.
One question garnering in our heads is “How then do we reduce SIM registration crimes?”. Some operators have implemented additional security mechanisms that require any user to authenticate through fingerprint identification. A proposition is for telcos to invest in emerging technology solutions that have the capacity to reduce SIM swapping risks by enforcing identity verification of subscribers using biometrics; like facial recognition or fingerprints; even flagging off duplicates in the database.
Are you, or your organization passionate about data — collecting it? collating it? verifying it? analyzing it? then you are the kind of people we write for. Follow our publication, and you will gain knowledge on everything data, from the process of easy capture to the end goal of making data-driven decisions. Find out about our company SEAMFIX ,and how we solve big organizational issues with cutting-edge solutions HERE.
Spread the love
Get more stuff like this in your inbox
Subscribe to Seamfix’ newsletter to receive the latest news on our
products and services.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.