P RE D I C T I V E I NTELLIGEN CE
techniques to convince the telephone
company to port the victim’s phone
number to the fraudster’s SIM, for
example, by impersonating the victim
and claiming they have lost their phone.
They then ask for the number to be
activated on a new SIM card.
After that the victim’s phone loses its
connection to the network and the
fraudster receives all the SMSs and
voice calls intended for the victim. This
allows the fraudster to intercept any
one-time passwords sent via SMS or
telephone calls made to the victim; all
the services that rely on an SMS or
telephone call authentication can then
be used.
We have found that some of the
processes used by mobile operators
are weak and leave customers open
to SIM swap attacks. For example, in
some markets in order to validate your
identity the operator may ask for some
basic information such as full name, date
of birth, the amount of the last top-up
voucher, the last five numbers called, etc.
Fraudsters can find some of this
information on social media or by using
apps such as TrueCaller to get the caller
name based on the number. With a bit
of social engineering they also try to
guess the voucher amount based on
what’s more popular in the local market.
And what about the last five calls? One
technique used by the fraudsters is to
plant a few ‘missed calls’ or to send an
SMS to the victim’s number as bait so
that they call back.
Sometimes the target is the carrier and
not the customer. This happens when a
carrier’s employees working in branches
in small cities are sometimes unable
to identify a fraudulent or adulterated
document, especially branches located
in kiosks or shopping malls, allowing a
fraudster to activate a new SIM card.
Another big problem is insiders, with
some cybercriminals recruiting corrupt
employees, paying them US$10 to
US$15 per SIM card activated. The
worst attacks occur when a fraudster
sends a phishing email that aims to steal
a carrier’s system credentials.
34
Ironically, most of these systems
don’t use two-factor authentication.
Sometimes the goal of such emails
is to install malware on the carrier’s
network – all a fraudster needs is just
one credential, even from a small branch
from a small city, to give them access to
the carrier’s system.
The interest in such attacks is so great
among cybercriminals that some of them
decided to sell it as a service to others.
Normally, a criminal can conduct an
attack in two or three hours without much
effort, because they already have access
to the carrier’s system or an insider.
How not to be the next victim
• Voice and SMS must be avoided
as authenticity mechanisms. When
possible, we recommend users avoid
two-factor authentication via SMS,
opting instead for other ways, such
as generating an OTP in a mobile
app (like Google Authenticator) or
using a physical token. Unfortunately,
some online services don’t offer an
alternative; in that case, the user
needs to be aware of the risks.
• The new era of biometrics. Some
operators have implemented
additional security mechanisms
that require the user to authenticate
through voice biometrics using a
passphrase such as ‘my voice is my
password’ – the technology works
reasonably well, even detecting if the
voice is a recording, or if the user
has flu. However, the major stumbling
block that we observed is the very
low enrolment base. Besides, it’s
considered an expensive solution,
especially for emerging markets, and
requires some additional effort to
integrate with backend systems.
• Automated SMS: ‘Your number
will be deactivated from this
SIM card.’ When a SIM change is
requested, operators can implement
an automated message that’s sent
to the number alerting the owner
that there’s been a SIM change
request and if it’s not authorised, the
subscriber must contact the fraud
hotline. This will not prevent the
hijacking itself, it will instead alert the
subscriber so that they can respond
faster in the case of malicious
activity. The main drawback is that
the subscriber may be outside the
coverage area. Some carriers have
implemented an additional layer of
confirmation for any case of SIM
activation, offering the option of
configuring a password in their
systems. This password will be
required for any changes associated
with your number, such as big
changes in your monthly bill or even
when you need a new SIM card.
Talk to your carrier to check if they
Issue 14
|
www.intelligentciso.com