That tiny chip buried deep in smartphones, which requires a pin-like tool to remove, might seem securely locked away. But the lack of physical access to SIM cards doesn't make them immune to fraud. SIM fraud is real, and for such a small chip it can have a big impact.
So what is it exactly? SIM fraud is a way for attackers to gain access to a target's mobile identity through social engineering, by posing as the victim to their mobile operator. They provide the victim's personal information, stolen earlier through social media or phishing, for example, and use it to dupe the mobile operator into issuing a new SIM card to the fraudster. That gives them access to everything the victim's SIM card controls.
By fooling the representative at the mobile network into activating a different SIM, the attacker gains access to the victim's calls, texts and the passwords sent to them. This kind of fraud can be catastrophic for privacy reasons, but also for personal and business accounts, especially if the compromised SIM card is used to access corporate data.
Most organizations use SMS to deliver codes for a security scheme called two-factor authentication, or 2FA. Once a fraudster has control of the victim's SIM, they also receive the victim's 2FA codes. The reason SIM card fraud is so appealing to criminals is that most banks send a 2FA code via SMS to log into an account or reset a password.
With a staggering 20 million people in Britain accessing banking via their smartphones last year alone, this is a lucrative market for fraudsters. With SIM card fraud, hackers can request and receive the 2FA code, access your bank, and drain it.
Whilst staying ahead of criminals like these isn't simple, measures can be taken to reduce the likelihood of this kind of fraud occurring. The first step is being extra careful about where and how you share personal details. Public social media accounts can provide enough information for fraud. It's important to keep profiles private from strangers, and to ensure the information you share is not directly linked to passwords or authentication questions that you use elsewhere.
Yet as social engineering grows in sophistication, and locking down social media alone does not do enough, there are other means of protection. For instance, moving away from SMS for 2FA codes. Using authenticator apps like Google Authenticator, or any number of other apps that provide a similar service, means the codes are generated on your device rather than sent over the mobile network, so whether or not a fraudster holds your SIM, they cannot use it to get into your accounts.
In addition, SMS should no longer be a primary method of communication. SMS messages are not end-to-end encrypted and can be snooped on easily. Switching to messaging apps such as iMessage, WhatsApp, Signal and the like is better for maintaining privacy. Users should also occasionally check with their mobile operator to see whether any SIM cards have been issued on the account that the account owner cannot account for. If one is discovered, the user should investigate further and have that SIM card cancelled.
As SIM card fraud continues to be a go-to attack vector for hackers, it's critical for people to understand its implications and to take action to prevent it.
Andrew Blaich is a security researcher at Lookout