Frans Labuschagne, UK and Ireland country manager at mobile app security and authentication provider Entersekt, explains how SIM-swap fraud works and what financial services providers ought to do about it.
For millions of us, the mobile phone or tablet is our primary means of authenticating online transactions, if not initiating the transactions themselves. It is no wonder then that fraud vectors targeting the mobile device have proliferated wildly in recent years.
SIM-swap attacks in the United Kingdom were once considered rare, consisting of isolated attacks aimed at a few unlucky high-net-worth individuals. The technique has since evolved, allowing scammers to perpetrate broader-based attacks, and their prevalence is growing. ActionFraud UK, part of the National Fraud Intelligence Bureau, put the public on high alert in a recent warning.
Legal claims against banks are mounting. Complicating matters, the difficulty of pinpointing who, if anyone, was negligent in the lead-up to a successful attack means that banks, mobile network operators and consumers continue to argue over liability in the press and on social media. These disputes play out in the public eye, and that damages trust in brands whose greatest asset is precisely that: trust.
The evolution of SIM-swap fraud
SIM-swap attacks also thwart banks’ attempts to coax customers into using digital banking channels instead of visiting relatively more expensive branches. Digital banking fraud is not new of course, and many consumers remain ambivalent about the safety of banking on their personal computers and mobile phones.
Ironically perhaps, SIM-swap fraud emerged as fraudsters adapted to banks’ efforts at protecting these channels. They worked to overcome the added security layer provided by SMS-based authentication, which commonly takes the form of a one-time password (OTP) sent to the phone and then typed into the primary banking channel, usually a browser.
Before banks started using SMS OTPs, scammers conducted man-in-the-middle attacks to gain access to consumers’ usernames and passwords. With these credentials, they gained the ability to fraudulently transfer funds out of their victims’ accounts. OTP-based authentication meant that they had to add a second phase to their attacks.
At first, they focused on intercepting the OTP through a counterfeit banking site or by using mobile trojans like Zeus, ZitMo, Citadel and Perkal, which leverage open access to SMS on mobile phones specifically to intercept OTPs. These remain the most popular approaches to stealing the OTP, but SIM swaps, where possible, make for a neat shortcut.
In the diagram below, steps 1 to 5 describe a classic man-in-the-middle attack using a fake banking portal. Two other lines of attack appear in grey: OTP-stealing mobile malware and the SIM swap.
But how does a SIM-swap attack work, exactly? There are two main ways to swap a SIM card (or Subscriber Identification Module) fraudulently.
In a SIM clone, an attacker will use a card reader with a software toolkit to copy the SIM card onto a blank one. While this method is inexpensive and can take as little as 10 minutes, the fraudster requires access to the original SIM card and must act fast. Once the fraudster has a copy of the SIM, using it is likely to disconnect the legitimate subscriber from the mobile network, giving the attacker free rein to authenticate fraudulent financial transactions on their own phone, among other things.
SIM splitting does not require access to a physical device or SIM card. Organized crime groups trade digital files packed with personal data and account details sourced in mass data breaches and malware attacks. The fraudster will buy this data and use it to open a parallel account in their chosen victim’s name. Other details in the file or gained separately through social engineering and searches online provide them with enough information to answer security questions at the relevant mobile network operator and register a new SIM. The victim’s SIM is deregistered in turn, and the answers to security questions changed in order to frustrate the victim’s attempts at rectifying the situation.
Taking a holistic approach
To counter the rise of illegal SIM swaps effectively, banks and other organizations in the identity ecosystem must take a holistic view of their security. Such an approach includes mitigating human error as well as addressing technical weaknesses.
One of the weakest links in the security chain as it pertains to SIM-swap fraud is the mobile network operator contact centre. It is there, after all, that most SIM-swaps are requested and authorized. Fraudsters dial the call centre armed with details of their prospective victims, either harvested in previous data breaches or gathered online; agents can be manipulated through social engineering into breaking with procedure or recruited into criminal organizations; interactive voice recognition systems may not always raise alerts when callers make repeated attempts at cracking challenge questions; and advances in voice cloning are seriously impacting the efficacy of voice fingerprinting security software.
Aside from instituting preventative procedures like delaying SIM activations for a set number of hours, requiring that the customer approve the request over a separate channel, and only carrying them out during work hours, call centres can also use behavioural analytics to flag anomalies in customers’ typical cross-channel behaviour.
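As an added illustration, not Entersekt's software nor any operator's real system, the following Go snippet encodes the contact-centre controls just described as a request evaluator: a fixed activation delay, confirmation over a separate channel, activation only during working hours, and a simple behavioural check on repeated challenge-question failures and unusual swap frequency. The request fields, thresholds and working hours are assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)
// SwapRequest models a SIM-swap request reaching the contact centre (field names are assumptions for this example).
type SwapRequest struct {
	RequestedAt       time.Time
	FailedChallenges  int  // wrong answers to security questions in this and recent calls
	OutOfBandApproved bool // customer confirmed the swap over a separate channel
	SwapsLast30Days   int  // earlier swaps on this number (behavioural baseline)
}

type Decision struct {
	Action     string    // "refer", "await-approval" or "schedule"
	ActivateAt time.Time // earliest activation time when Action == "schedule"
}

const (
	activationDelay    = 24 * time.Hour // cooling-off period before the new SIM goes live
	workStart, workEnd = 9, 17          // activations are only carried out inside these hours
)

// nextWorkingSlot moves t forward until it falls on a weekday between workStart and workEnd.
func nextWorkingSlot(t time.Time) time.Time {
	for t.Weekday() == time.Saturday || t.Weekday() == time.Sunday || t.Hour() >= workEnd {
		t = time.Date(t.Year(), t.Month(), t.Day()+1, workStart, 0, 0, 0, t.Location())
	}
	if t.Hour() < workStart {
		return time.Date(t.Year(), t.Month(), t.Day(), workStart, 0, 0, 0, t.Location())
	}
	return t
}

// Evaluate applies the controls in order: anomalies go to the fraud team, unconfirmed requests wait for the customer, the rest are delayed into working hours.
func Evaluate(r SwapRequest) Decision {
	if r.FailedChallenges > 2 || r.SwapsLast30Days > 0 {
		return Decision{Action: "refer"} // repeated challenge failures or unusual swap frequency
	}
	if !r.OutOfBandApproved {
		return Decision{Action: "await-approval"} // nothing changes until the customer confirms
	}
	return Decision{Action: "schedule", ActivateAt: nextWorkingSlot(r.RequestedAt.Add(activationDelay))}
}

func main() {
	req := SwapRequest{RequestedAt: time.Date(2024, 3, 15, 16, 0, 0, 0, time.UTC), OutOfBandApproved: true}
	fmt.Printf("%+v\n", Evaluate(req)) // scheduled for Monday 2024-03-18 09:00 UTC
}
```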
Creating an end-to-end security zone
The truth is that any digital service that relies on the mobile phone’s Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) to authenticate the subscriber is to some degree vulnerable to SIM-swap fraud. This is because identifying the subscriber’s device depends on the process employed by the mobile network operator to pair the MSISDN to a specific SIM card. This process, over which banks and other providers of sensitive digital functionality have no control, is open to exploitation by cybercriminals.
If financial services companies, insurance companies and healthcare providers are going to use the mobile phone for user authentication – and, indeed, it is fast becoming the preferred means of doing so worldwide – they must urgently reassess any SIM-based authentication solutions they have in place.
Consider implementing strong public-key cryptography on the mobile device, independently of the SIM card and native device security, and couple it with asymmetric encryption. This approach allows each mobile phone or tablet to be uniquely identified, transforming them into second factors of authentication. They can now be used with complete confidence to confirm a user’s identity when logging into an online banking portal or transacting from a mobile application. All two-way communication between device and service provider is encrypted from end to end.
It’s a single end-to-end security zone over which users can authenticate and digitally sign approvals of all sensitive transactions, whether digital banking, card-not-present purchases or call center interactions.
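Added example, not the author's or Entersekt's code: a minimal device-bound approval flow in Go using Ed25519, standing in for the public-key scheme described above. The handset generates a key pair at enrolment, signs each transaction approval, and the server verifies against the enrolled public key, so a second handset, even one that now holds the victim's MSISDN after a SIM swap, cannot approve anything. The message format, account identifiers and the choice of Ed25519 are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Approval is what the customer signs on the handset (field names are assumptions for this example).
type Approval struct {
	Account string `json:"account"`
	Payee   string `json:"payee"`
	Amount  string `json:"amount"`
	Nonce   string `json:"nonce"` // server-issued, single use: a captured signature cannot be replayed
}
// canonical serialises deterministically so device and server sign and verify identical bytes.
func canonical(a Approval) []byte {
	b, _ := json.Marshal(a) // field order is fixed by the struct, so the output is stable
	return b
}
// Enrol generates the key pair on the handset; the private key stays there, only the public half goes to the server.
func Enrol() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return priv, pub
}
// Approve is what the banking app does when the customer taps "approve".
func Approve(priv ed25519.PrivateKey, a Approval) []byte { return ed25519.Sign(priv, canonical(a)) }
// Registry maps each account to its enrolled device key; Verify accepts only approvals signed by that key.
type Registry map[string]ed25519.PublicKey
func (r Registry) Verify(a Approval, sig []byte) bool {
	pub, ok := r[a.Account]
	return ok && ed25519.Verify(pub, canonical(a), sig)
}
// Demo reports whether the enrolled device, a second handset and a tampered amount verify.
func Demo() (legit, attacker, tampered bool) {
	reg, tx := Registry{}, Approval{Account: "acct-001", Payee: "payee-example", Amount: "250.00 GBP", Nonce: "n-1"}
	priv, pub := Enrol()
	reg["acct-001"] = pub
	sig := Approve(priv, tx)
	legit = reg.Verify(tx, sig)
	other, _ := Enrol() // a different handset, even one holding the victim's MSISDN after a SIM swap
	attacker = reg.Verify(tx, Approve(other, tx))
	tx.Amount = "2500.00 GBP" // the signature covers the amount, so an altered transaction fails
	tampered = reg.Verify(tx, sig)
	return
}
func main() { fmt.Println(Demo()) } // true false false
```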
Staying ahead of cybercriminals is a race. As fast as vendors and service providers come up with ways to prevent one line of attack, another will pop up. The reputational, financial and legal risks posed by SIM-swap fraud demand that security professionals aggressively apply themselves to lowering their exposure to these attacks while preparing for future threats.