SIM swap scam


A SIM swap scam (also known as a port-out scam, SIM splitting, [1] simjacking, or SIM swapping) [2] is a type of account takeover fraud that targets a weakness in two-factor authentication and two-step verification schemes in which the second factor or step is a text message (SMS) or a call placed to a mobile telephone. The attack does not break the SIM card or the handset; it abuses the carrier's process for moving a phone number onto a new SIM.


Method

The fraud exploits a mobile phone service provider's ability to move a phone number to a device containing a different subscriber identity module (SIM), either by issuing a replacement SIM on the same network or by porting the number to another carrier (mobile number portability). These features are legitimately used when a phone is lost or stolen, or when a customer switches to a new phone or provider.

The scam begins with a fraudster gathering personal details about the victim, whether through phishing emails, by buying them from organised criminals, [3] or by social engineering the victim directly. [4]

Armed with these details, the fraudster contacts the victim's mobile telephone provider and uses social engineering to convince the telephone company to move the victim's phone number to the fraudster's SIM, for example by impersonating the victim, quoting the gathered personal details to appear authentic, and claiming that the phone has been lost. In some countries, notably India and Nigeria, the carrier sends a confirmation prompt to the existing number, so the fraudster must also convince the victim to approve the SIM swap, typically by pressing 1. [5] [6] [4]

In other cases no social engineering of the carrier is needed: the swap is carried out directly by telecom company employees or contractors bribed by criminals, or with customer data that such insiders supply. [7]

Once the number is moved, the victim's phone loses connection to the network (often the first sign that something is wrong), and the fraudster receives all SMS messages and voice calls intended for the victim. This lets the fraudster intercept one-time passwords delivered by text or call and so bypass the two-factor authentication of any account (bank accounts, social media accounts, etc.) that relies on them. Because many services also allow a password reset with nothing more than access to the recovery phone number, the fraudster can take over almost any account tied to the hijacked number, and then transfer funds from a bank account, extort the rightful owner, or sell the accounts on the black market for identity theft.
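The flow described above, modelled end to end as an added example (not code from this article or from any carrier): a toy carrier that routes SMS to whoever currently holds a number's SIM, a vulnerable password-reset policy that trusts the SMS code alone, and a hardened policy that refuses SMS-based recovery shortly after a SIM change and never accepts SMS as the sole factor. All names, numbers and timestamps are constructed, and the `sim_last_changed` lookup is a hypothetical stand-in for carrier-side SIM-change data, not any real provider's API.

```python
"""Toy model of a SIM swap against SMS-based account recovery.

Added example, not code from the article: every number, name and timestamp
below is constructed, and Carrier.sim_last_changed is a hypothetical stand-in
for a carrier-side SIM-change lookup, not any real provider's API.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SWAP_COOLDOWN = timedelta(hours=72)  # policy: no SMS-based recovery this soon after a SIM change


@dataclass
class Carrier:
    """Which party's SIM each number currently routes to, and when that last changed."""
    holder: Dict[str, str]
    last_change: Dict[str, datetime]

    def swap_sim(self, phone: str, new_holder: str, when: datetime) -> None:
        # The replacement/port the fraudster talks (or bribes) the carrier into.
        self.holder[phone] = new_holder
        self.last_change[phone] = when

    def send_sms(self, phone: str, text: str, inboxes: Dict[str, List[str]]) -> None:
        # Delivery goes to whoever holds the SIM now, not to the number's rightful owner.
        inboxes.setdefault(self.holder[phone], []).append(text)

    def sim_last_changed(self, phone: str) -> Optional[datetime]:
        # Hypothetical lookup of the last SIM change for a number.
        return self.last_change.get(phone)


@dataclass
class Account:
    owner: str
    recovery_phone: str
    has_app_factor: bool  # authenticator app / security key, not tied to the number


def sms_only_reset(acct: Account, carrier: Carrier, requester: str,
                   now: datetime, app_factor_ok: bool = False) -> str:
    """Vulnerable policy: whoever can read an SMS sent to the recovery number resets the password.

    Returns the name of the party that ends up controlling the account, or "denied".
    """
    inboxes: Dict[str, List[str]] = {}
    code = secrets.token_hex(3)
    carrier.send_sms(acct.recovery_phone, code, inboxes)
    # The requester submits whatever code landed in their own inbox.
    if code in inboxes.get(requester, []):
        return requester
    return "denied"


def hardened_reset(acct: Account, carrier: Carrier, requester: str,
                   now: datetime, app_factor_ok: bool = False) -> str:
    """Hardened policy: SMS is never the sole factor, and a recent SIM change blocks it entirely."""
    changed = carrier.sim_last_changed(acct.recovery_phone)
    if changed is not None and now - changed < SWAP_COOLDOWN:
        return "denied"  # number changed hands too recently; send to manual review instead
    if not (acct.has_app_factor and app_factor_ok):
        return "denied"  # an SMS code alone never resets a password here
    return sms_only_reset(acct, carrier, requester, now)  # SMS only as an additional check


STABLE_SINCE = datetime(2023, 11, 4, tzinfo=timezone.utc)  # constructed: SIM unchanged for months


def run_attack(policy) -> str:
    """Mallory had Alice's number moved to her own SIM five minutes ago and requests a reset."""
    carrier = Carrier(holder={"+15551230002": "alice"},
                      last_change={"+15551230002": STABLE_SINCE})
    acct = Account(owner="alice", recovery_phone="+15551230002", has_app_factor=True)
    carrier.swap_sim(acct.recovery_phone, "mallory", NOW - timedelta(minutes=5))
    # Mallory cannot present Alice's app factor, so app_factor_ok stays False.
    return policy(acct, carrier, requester="mallory", now=NOW, app_factor_ok=False)


def run_legit(policy) -> str:
    """Alice, whose SIM has been stable for months, recovers her own account with her app factor."""
    carrier = Carrier(holder={"+15551230001": "alice"},
                      last_change={"+15551230001": STABLE_SINCE})
    acct = Account(owner="alice", recovery_phone="+15551230001", has_app_factor=True)
    return policy(acct, carrier, requester="alice", now=NOW, app_factor_ok=True)


if __name__ == "__main__":
    for name, policy in (("sms-only", sms_only_reset), ("hardened", hardened_reset)):
        print(f"{name:9s} attack -> {run_attack(policy)}, legit -> {run_legit(policy)}")
```

Running the script shows the sms-only policy handing the account to the party holding the swapped SIM, while the hardened policy denies that request and still lets the owner recover with a stable SIM plus an app factor. The 72-hour cooldown is an arbitrary policy value; the point is that a recent SIM change is a signal a service should consult before trusting anything delivered to that number, and that an attacker who simply waits out the cooldown still has no second factor.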

Incidents

A number of high-profile account hijackings have used SIM swapping, including attacks on Instagram and Twitter accounts. In 2019, the Twitter account of Jack Dorsey, then Twitter's CEO, was taken over by this method. [8] [9]

In May 2020, a lawsuit was filed against Ellis Pinsky, an 18-year-old senior at Irvington High School in Irvington, New York, who was accused, together with 20 co-conspirators, of swindling digital currency investor Michael Terpin, founder and chief executive officer of Transform Group, out of $23.8 million in 2018, when Pinsky was 15 years old, using data stolen from smartphones via SIM swaps. The lawsuit was filed in federal court in White Plains, New York, and sought triple damages. [10] [11]

In early 2022, the US FBI reported a sharp increase in consumer losses to this type of fraud in 2021, continuing into 2022. [12] [13] The losses in 2021 alone were more than five times the total of the three prior years: "The FBI says that victims lost $68 million to this SIM-card based scam in 2021, compared to just $12 million in the three-year period between 2018 and 2020." [12] The FBI received 1,600 complaints about SIM swapping in 2021, a sharp increase over the three previous years. The swaps happen quickly once the scammers have enough information to persuade a mobile carrier to assign the stolen phone number to their own phone; the thefts follow when the thieves receive the two-factor codes intended for the rightful owner of the number. [13]

In South Korea, alleged SIM swapping attacks have been documented since the beginning of 2022. The common pattern is an abrupt loss of mobile service, accompanied by a notification indicating a change to the line, after which the affected individuals discover that their bank and cryptocurrency accounts have been compromised. [14]

References

  1. "Alert – how you can be scammed by a method called SIM Splitting". Action Fraud. 2014-05-09. Retrieved 2018-08-22.
  2. "NPR Search : NPR". www.npr.org.
  3. Tims, Anna (2015-09-26). "'Sim swap' gives fraudsters access-all-areas via your mobile phone". The Guardian. Retrieved 2018-08-22.
  4. "Many Bengalureans lose cash to sim card swap fraud". The Times of India. Retrieved 2018-08-22.
  5. "Experts Finger Insiders in Telcos for Rising SIM Swap Fraud". Nigerian CommunicationWeek. 2018-07-14. Retrieved 2018-08-22.
  6. "You will be requested to press 1 or authenticate this Swap". Gadgets Now. Retrieved 2018-08-22.
  7. Franceschi-Bicchierai, Lorenzo (2019-05-13). "AT&T Contractors and a Verizon Employee Charged With Helping SIM Swapping Criminal Ring". Vice News. Retrieved 2020-01-23. "Among the alleged criminals were also two former AT&T contract employees and one former Verizon employee, who helped the alleged criminals by providing private customer information in exchange for bribes, according to court documents."
  8. Barrett, Brian. "How to Protect Your Phone Against a SIM Swap Attack". Wired.
  9. Brandom, Russell (2019-08-31). "The frighteningly simple technique that hijacked Jack Dorsey's Twitter account". The Verge.
  10. Stempel, Jonathan (2020-05-07). "U.S. cryptocurrency investor sues suburban NYC teen for $71.4 million over alleged swindle". Reuters. Retrieved 2021-01-04.
  11. Nadeau, Barbie Latza (2020-05-08). "15-Year-Old From Suburbs Led 'Evil Computer Geniuses' in $24M Cryptocurrency Heist: Lawsuit". The Daily Beast.
  12. Winters, Mike (2022-02-19). "This SIM card scam once fooled Jack Dorsey—here's how to avoid it". CNBC. Retrieved 2022-02-19.
  13. Otis, Ginger Adams (2022-02-18). "SIM-Swapping Attacks, Many Aimed at Crypto Accounts, Are on the Rise". The Wall Street Journal. Retrieved 2022-02-19.
  14. Kim, Myounghoon; Suh, Joon; Kwon, Hunyeong (August 2022). "A Study of the Emerging Trends in SIM Swapping Crime and Effective Countermeasures". 2022 IEEE/ACIS 7th International Conference on Big Data, Cloud Computing, and Data Science (BCD). pp. 240–245. doi:10.1109/BCD54882.2022.9900510. ISBN 978-1-6654-6582-3. S2CID 252625262.