SIM swapping fraud, the lawless duplication of a cell phone card to impersonate a person’s identity, is growing. As a result, operators and banks are already reinforcing their cybersecurity structures to contain the problem
Can you imagine getting out of bed one fine morning, opening your online banking app, and discovering that your bank account balance has blown up? You may not know it at the time, but you may have fallen victim to SIM swapping. Unfortunately, one of the many digital frauds that prevail in this age is frauds that cyber intelligence services work every day to contain.
Furthermore, SIM swapping is a simple fraud. It consists, in short, in illegitimately obtaining a duplicate of a person’s cell phone card to impersonate his identity. With what aim? To steal their money, email information, profiles on social networks… In short, anything of value.
This is the most disturbing question when analyzing the scale of SIM swapping. As with counter-phishing or ransomware, all kinds of actors are behind this phenomenon, from individuals to perfectly hierarchical groups with many technical and financial resources.
The motivation of most of these actors is financial. Hence the focus of this digital fraud has been on bank SIM swapping. Episodes that have triggered legal battles with a certain public importance.
But let’s take it one step at a time. First, let’s break down, by asking a few questions, the dimension and impact of the problem.
1. How is SIM swapping carried out?
The operation of fraud is relatively simple. The most common scenario is as follows: someone pretends to be an operator customer to try to get a duplicate SIM card. The excuse? It has been lost or damaged or needs another format, such as a micro or nano SIM.
Sometimes, they even ask for the number to be ported to another operator. However, that is a less frequent SIM swapping option since the transfer of the line is not immediate, and during those days of delay, some incidents could occur that could ruin the fraud.
In any case, this type of crime is most often committed over the telephone, with a simple phone call. How is this possible? Because the hostile actor will have previously obtained all the user’s personal information by other means to identify himself to the operator’s telephone agent: full name, ID number, number of the telephone whose SIM card needs to be duplicated, etc.
Thus, once the phone card has been obtained, the fraud begins.
2. What are the stages of SIM swapping?
SIM swapping is a phased fraud. And as strange as it may seem, the first step is not the duplication of the card. Instead, the first stage of SIM swapping is victim profiling. Before contacting the respective operator, the cybercriminals have to get hold of all the necessary information related to their victim.
Of course, in most cases, the most interesting will be the victim’s banking credentials. In short, an X-ray of their financial health. But they may also be interested in the victim’s business and social relationships and information, so the malicious actor can focus the attack on their phone book and their conversations via instant messaging, email, or social networks.
With this X-ray under his arm, the hostile actor will activate the second phase of this fraud: obtaining a duplicate SIM card.
The third and final phase of this digital fraud is impersonation. The attacker can use the duplicate SIM and all the information linked to it in a terminal of his own without, in most cases, the victim being aware of the situation.
The fact that our telephony terminals are almost continuously connected to the Internet makes it easy for the action to go unnoticed. It can take hours, even days, before the end user notices that he needs a line. Enough time for cybercriminals to get the victim’s information or money.
3. Why has bank SIM swapping triggered so many alarms?
Mainly for one obvious reason: where there is money, criminals tend to lurk. And bank SIM swapping is a very lucrative digital fraud, given the possibility of taking control of the accounts of thousands of citizens.
How is this possible? Precisely because of an issue familiar to you if you frequently use online banking. To perform any operation on these platforms (transfers, authorizations…), the financial institution sends you an SMS message to authorize each through double authentication.
The sequence is, therefore, logical. If the hostile actor gets hold of my phone, he will be able to authorize as many transactions as the app allows or until the legitimate account holder becomes aware of the fraud.
But SIM access is only one more step in the scam. As previously explained, cybercriminals must also have access to their victim’s online banking credentials in a case like the one described above. How? Well, in a multitude of ways.
Access to critical information
On the one hand, highly hierarchical and structured cybercriminal groups have the technical capabilities to access this critical information by various means: malware in an email, a fraudulent app to steal the data, a phishing attack…
On the other hand, some actors go directly to the Dark Web to get hold of data packets from bank information leaks. The cases of JP Morgan, Home Depot, Sally Beauty, Target, and Korea Credit Bureau are just a few examples that have occurred in recent years.
Regardless of the route chosen, the fact is that SIM swapping fraud has continued to grow in recent months and threatens to do so even more if no action is taken in the coming years. FBI data bear it out.
Last year in the United States, the federal agency received more than 1,611 complaints from victims who saw their money blown away due to the hijacking of their phone lines. However, between 2018 and 2020, the total number of complaints for this kind of fraud barely reached 320.
In other words, bank SIM swapping has become fashionable among the bad guys.
4. What is the role of banks?
At this point, the next question is: What should financial institutions do to contain the phenomenon? The theory is simple: reinforce the security mechanisms of their online banking platforms. However, the practice is somewhat more delicate due to the appearance of a not minor derivative when talking about financial services: accessibility and usability on the end user’s part.
The growth of SIM swapping could fall if stricter authorization protocols for transactions (transfers, contracts, etc.) were activated. But the decision could collide with one of the major issues facing the financial sector worldwide: the risk of exclusion of the elderly citizens and analogical profiles, as well as those who choose not to contract with services that require them to use more stringent access control.
It’s not in vain that we are in the era of simplicity, of making things easy, of plug and play… Of debating between security, freedom, and, why not say it, excessive comfort.
This is an issue of enormous social importance that is already being addressed at the highest levels of government.
SMS as authentication factor
That is why most institutions have opted to use the SMS message as the second authentication factor to validate online banking transactions. The elderly and the more analogical citizens are familiar with this tool, which is why it has become the most recurrent formula.
Banks are also aware that this will likely reinforce each user’s financial information consultation within their online platforms. Currently, most institutions do not have a second authentication factor activated for simple access to digital banking (not for performing transactions), which poses a risk.
Why? Because if they manage to gain access to citizens’ banking credentials (cyberattacks, information leaks…), cybercriminals will be able to categorize victims. That is, those who are more interesting (those who have, for example, more money in their accounts) and those who are not.
In short, the delicate dilemma between security and usability is what cybercriminals are exploiting today to deploy their SIM swapping attacks.
5. Telecom operators role
Just like banks, operators know that they have challenges on the table. The dilemma between functionality and security may trigger this kind of attack.
Everything seems to indicate that if the growth of SIM swapping continues, the request for a duplicate phone card will be subject to other protocols (some double authentication, face-to-face request…). It could be a setback for the customer but would benefit him by introducing higher security standards and containing the risk of being affected by this cyber-scam. We thus return to the original debate, the delicate balance between usability and security.
6. What do the courts think?
In the meantime, the debate is already being waged in many cases before the courts. And the decisions are going in different ways. Operators have been forced to compensate users in some cases partially, but in others, the companies have won their cases.
The basis for these rulings? That the duplicate SIM does not precipitate the scam since, to commit the crime, cybercriminals have to obtain other data (credentials, personal information…) that has little or nothing to do with the due diligence required of operators.
It seems clear that in the future, banks and telecommunications companies will likely strengthen the processes by which end users authenticate themselves to their services, either as a matter of will or as a matter of obligation.
7. Are there any recommendations to contain this fraud?
Brussels has taken seriously the fight against phenomena such as SIM swapping, especially in the financial sector. Over the past few years, it has been activating various regulations that aim to make it more difficult for cybercriminals. For example, directive 2015/2366 of the European Parliament on Payment Services in the Internal Market and the delegated regulation that complements and develops this directive obliges the introduction of a double authentication factor in online banking platforms.
The text of the regulation in this regard is unambiguous:
«Where payment service providers apply strong customer authentication following Article 97(1) of Directive (EU) 2015/2366, authentication shall be based on two or more elements categorized as knowledge, possession, and inherence and shall result in the generation of an authentication code».
«The authentication code – the EU provision continues – shall only be accepted by the payment service provider once when the payer uses it to access his online payment account, to initiate an electronic payment transaction, or to carry out any action through a remote channel that may involve a risk of payment fraud or other abuses».
Workarounds era
To date, most banks have opted for the possession formula (in this case, the phone to which the SMS arrives) to shape this authentication factor. But digital frauds such as SIM swapping have shown that alternative solutions, such as dual authentication applications, may have to be sought.
Entering a code or token generated automatically from an app that can’t be replicated on another phone just by possessing the SIM would allow a new security wall to be erected to curb the unstoppable motivation of cybercriminals, at least for the time being.
Because they, and this is one of the commandments of the cybersecurity world, never rest…