If you’ve read about SIM swapping, you probably thought it was funny for someone to steal someone else’s identity. It might be funny at first, but once you’re a victim of it, your laughing ends abruptly and quickly turns into crying.
“It was a slightly chilled night in Lagos, Nigeria. I had recently moved into my own apartment and was deeply asleep in my bed when I was woken up by a call from an unknown number. This was odd because the number I had on the caller ID was my own. When I answered the call, I wasn’t too surprised to hear one of the generic voicemails that play when you dial an out-of-service number. It wasn’t until much later that day, when my other family members began receiving calls from strange numbers enquiring about my whereabouts and requesting sums of money sent into an account to get the information.”
This is a story from a person who only wanted to be identified as Victoria. In the end, some of Victoria’s friends and family members were cheated out of huge sums of money.
The prevalence of SIM swapping fraud has posed to be one of the biggest threats to identity security and privacy. The concept is relatively simple to understand, but the potential damage that can be done to the individual is scary, to say the least. SIM swap fraud is a type of account takeover fraud that utilizes a weakness in SIM registration processes.
Recently, a common fraud has been to exploit a mobile phone operator’s ability to seamlessly port (transfer) a telephone number to a new SIM. Cybercriminals use this attack to steal credentials and capture OTPs sent via SMS (text message) as well as cause financial damage to victims
Uncompliant SIM swapping can pose a huge identity theft. Besides stealing the victim’s phone, an attacker can even go as far as presenting fake documents to a communications provider’s department in order to impersonate the victim. The authentic SIM card in the victim’s phone will then disconnect, and all future SMS communications and phone calls will be re-directed to the attacker’s phone.
The instant messenger Whatsapp has become a valuable tool in the hands of criminals. After a SIM swap, the first thing the criminal does is to load Whatsapp and speak with all the victim’s contacts. Then they begin messaging the contacts, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment and some of the contacts are persuaded enough to pay the lump sum being requested.
In some cases, fraudsters have used SIM swaps to hijack the accounts of company executives and request payments from their financial departments. It’s a bit like a BEC (Business E-mail Compromise), but using Whatsapp instead of email. Some of the attacks claimed to have been orchestrated by company executives, with requests for funds supposedly coming directly from staff accounts.
In the past few years, there have been several instances of SIM swapping in banks and other financial institutions in countries where bribery is common.
Brazil’s fintech boom was heralded by the 2013 launch of Nubank, a company that offered bank accounts and credit cards with no charges. Most fin-tech startups relied on two-factor authentication via SMS. Fraudsters targeted these companies with SIM swaps that allow them to empty user bank accounts.
In a story reported by Gizmodo Brazil, a Brazilian fin-tech firm suffered an attack resulting in the loss of thousands of dollars. The criminals performed a SIM swap, activating the victim’s number on another SIM card.
Then, on a smartphone with the ‘pag! app’ installed, the criminals used the app’s password recovery function and a code was sent via SMS, allowing the criminals to gain total control of the user’s account in the app. Once access was obtained, the criminals performed several illegal payments using the credit card tied to the account. Some victims reported losses of US$3,300 in fraudulent transactions.
However, SIM swapping has been an increasing menace in Africa for a few years now.
Though financial inclusion is prospering in Mozambique, a downside to this is that it opens doors for fraudsters. Syndicates target bank employees and gain access to personal information and verification codes. A phishing attack follows, which can allow fraudsters access to the customer’s online banking account.
Some banks use one-time passwords (OTPs)—and they often prefer not to use physical or software tokens. The banks keep the process simple by using an SMS as the second factor; they share the responsibility of securing their customer’s accounts with their mobile operators.
However, there were syndicates that identify bank employees and collude with them to obtain money from the victim. The bank employee will provide the fraudster with detailed information about the victim’s bank account and its verification codes. Armed with this material, the fraudsters conduct a SIM swap to gain access to the victim’s online banking account and take out money from it.
At a time when the world is increasingly becoming digital, hackers’ activities increase in sophistication as well. With smartphones and internet services reaching the masses, likely no one on the planet is not either a victim or does not know someone who has been robbed.
This can be mitigated by identifying key areas of risk and using emerging technologies to address them. Some telecommunication operators have introduced security mechanisms that require all users to undergo air-tight identification and verification during SIM re-registration. This ensures that only registered subscribers have access to their accounts, which reduces the risk of identity theft.
As it currently stands, BioSmart is one such emerging technology that aims to provide invariably strong security during SIM Registration. As a compliance-driven SIM registration solution, BioSmart offers everything mobile network operators need to address the issues of SIM-cloning and identity theft, proving an effective deterrent against crime, as well as a useful tool in helping to track down perpetrators who have stolen SIM cards.