Experts say that SIM swapping is on the rise as hackers try to gain access to phone users’ finances, unbeknownst to those users.
SIM (subscriber identity module or subscriber identification module) cards are the small smart cards that contain information identifying a specific phone network that allows the user to use most functions on their device. Hackers are contacting a target’s cellphone carrier, answering simple security questions and swapping the phone number over to a SIM card they control.
“Then the perpetrator has control of that phone number for however long it takes the victim to realize their phone number has been hijacked,” explained Scott Greene, founder of Evidence Solutions Inc., a digital forensics firm.
The rise in SIM swapping is in response to many organizations requiring multifactor authentication to access accounts, experts said. For instance, along with requiring a password, a bank may also require sending a temporary passcode or hyperlink to a phone number or email address to verify the user.
“More companies have been adding multifactor; now the attackers have to find a way to bypass that,” said Joshua Crumbaugh, CEO of PeopleSec. “The path of least resistance is SIM swapping and getting their hands on that code and getting into your account.”
As companies attempt to strengthen their cybersecurity, hackers’ methods will evolve, Crumbaugh added. Likewise, prosecutors across the nation have responded and announced the arrest of alleged SIM hackers.
In San Francisco, the U.S. Department of Justice indicted two men accused of SIM swapping executives of cryptocurrency-related companies and cryptocurrency investors. In January, Santa Clara County, California, law enforcement were the first in the U.S. to convict a SIM swapper after a Boston-area man pleaded no contest to using SIM swapping to allegedly steal $1 million worth of bitcoin, according to media reports.
The Manhattan District Attorney’s Office announced on Feb. 1 the first prosecution of SIM swapping in New York state when it indicted a 20-year-old Ohio man for allegedly stealing roughly $10,000 in cryptocurrency from three victims. Manhattan District Attorney Cyrus Vance Jr. noted in the press release announcing the indictment, “We’re also asking wireless carriers to wake up to the new reality that by quickly porting [transferring] SIMs—in order to ease new activations and provide speedy customer service—you are exposing unwitting, law-abiding customers to massive identity theft and fraud.”
Indeed, the multifactor authentication process required by most companies usually entails only answering personal questions whose answers may be easily gleaned from social media, or requires access to a phone number.
“That’s why they are targeting telecommunication providers,” PeopleSec co-founder Crumbaugh said. “They will allow you access to the account, with minimal information about the person.”
SIM swapping targeting cryptocurrency has made the news recently, but those contacted by Legaltech News said anyone with access to finances or sensitive data can be a target, including those in high-profile occupations such as lawyers.
“Two trends I’ve seen here are people who are more financially affluent, either perceived or actual, are heavily targeted,” Crumbaugh noted. “They are already a target in that regard and on top of that, it tends to be people active on social media.”
As organizations find new ways to protect users’ data and hackers find loopholes in those safeguards, the cybersecurity professionals suggested using voice over IP (VoIP) or Google Voice for accounts so those accounts aren’t associated with a SIM.