PREDICTIVE INTELLIGENCE

The enemy in your pocket: Large-scale SIM swap fraud
With mobile phone payments now hugely popular, cybercriminals have been targeting the market in a wave of attacks. Now that SIM swap fraud is conducted on a large scale, Fabio Assolini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab, tells Intelligent CISO how cybercriminals complete the fraud and the best ways to avoid being the next victim.
Mobile payment is huge worldwide. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to deposit, withdraw and pay for goods and services easily with a mobile device. In some cases, almost half the value of a country's GDP goes through mobile phones.
But these mobile payments are now suffering a wave of attacks and people are losing their money, all powered by SIM swap fraud. Such attacks are now conducted on a large scale.
SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification: the case where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centres on exploiting a mobile phone operator's ability to seamlessly transfer a telephone number to a new SIM. This feature is normally used when a customer has lost their phone or had it stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims. If someone steals your phone number, you will face a lot of problems, especially because most modern two-factor authentication systems are based on SMS messages that can be intercepted using this technique.

www.intelligentciso.com | Issue 14
Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can pass the phone-based checks that automated systems, such as your bank's, use to verify callers, so that customer service believes they are you. Worse, they can use your hijacked number to break into your work email and documents. These attacks are possible because our financial lives revolve around mobile apps that we use to send money, pay bills and so on.
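The SMS second factor described above is only as strong as the carrier's SIM-replacement process, so a relying party can stop trusting SMS for a number whose SIM changed recently. The following Python is an added example, not code from the article or from Kaspersky Lab. It takes a constructed "last SIM change" table (standing in for a carrier lookup, which some operators expose as an API) and a constructed authentication event log, flags OTP and password-reset messages sent within 72 hours of a SIM change, and gates new SMS OTPs behind a step-up requirement inside that window. All phone numbers, timestamps, account names, event names and the log format are invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Only SMS/call-based second factors are exposed to a SIM swap.
SECOND_FACTOR_EVENTS = {"otp_sms", "password_reset_sms"}

# How long after a SIM change SMS remains untrusted (policy choice, assumed here).
SIM_CHANGE_WINDOW = timedelta(hours=72)


def parse_ts(iso_utc):
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed stand-in for a carrier "last SIM change" lookup.
# A real deployment would query the operator; these numbers and times are invented.
LAST_SIM_CHANGE = {
    "+5511999990001": parse_ts("2019-03-04T09:15:00Z"),  # SIM replaced this morning
    "+5511999990002": parse_ts("2018-07-01T12:00:00Z"),  # long-standing SIM
}

# Constructed authentication log: "<timestamp> <event> <number> <account>".
EVENT_LOG = """\
2019-03-04T09:40:00Z password_reset_sms +5511999990001 alice
2019-03-04T09:42:10Z otp_sms +5511999990001 alice
2019-03-04T09:51:30Z otp_sms +5511999990001 alice
2019-03-04T09:55:00Z login_ok +5511999990001 alice
2019-03-04T10:05:00Z otp_sms +5511999990002 bob
"""


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, kind, number, account = line.split()
    return {"ts": ts, "kind": kind, "number": number, "account": account}


def sim_changed_recently(number, at_iso, window=SIM_CHANGE_WINDOW):
    """True if the number's SIM was replaced within `window` before `at_iso`.

    An unknown number yields False (no evidence); a stricter policy could
    treat "carrier could not answer" as suspicious instead.
    """
    changed = LAST_SIM_CHANGE.get(number)
    if changed is None:
        return False
    delta = parse_ts(at_iso) - changed
    # Events that happened before the swap are not affected by it.
    return timedelta(0) <= delta <= window


def sms_otp_decision(number, at_iso):
    """Gate to run before sending an SMS OTP or password-reset link.

    Returns 'send' when SMS is an acceptable channel, or 'step_up' when the
    SIM changed recently and the code must go over a channel the new SIM
    holder cannot intercept (app push, hardware token, in-person check).
    """
    return "step_up" if sim_changed_recently(number, at_iso) else "send"


def flag_suspicious_events(log=EVENT_LOG):
    """Retrospective detection: second-factor messages sent soon after a SIM change."""
    flagged = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev["kind"] in SECOND_FACTOR_EVENTS and sim_changed_recently(ev["number"], ev["ts"]):
            flagged.append((ev["account"], ev["kind"], ev["ts"]))
    return flagged


if __name__ == "__main__":
    for account, kind, ts in flag_suspicious_events():
        print(f"ALERT {ts} {kind} to {account}: SIM changed within {SIM_CHANGE_WINDOW}")
    print(sms_otp_decision("+5511999990001", "2019-03-04T12:00:00Z"))  # step_up
    print(sms_otp_decision("+5511999990002", "2019-03-04T12:00:00Z"))  # send
```

Run as a script, it prints three alerts for alice (the reset and both OTPs land within the window) and nothing for bob. The window length and the treatment of numbers the carrier cannot answer for are the two policy knobs: the example treats an unknown number as no evidence, which a bank with a high-value transaction in flight might reasonably invert.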
How the cybercriminals do it
The scam begins with a fraudster gathering details about the victim: through phishing emails, by buying information from organised crime groups, via social engineering, or by harvesting it from data leaks. Once the fraudster has obtained the necessary details, they contact the victim's mobile telephone provider. The fraudster uses social engineering