For years, security advocates have urged the use of two-factor authentication. The premise was simple: since passwords can be stolen, you need an additional level of security. Usually, that meant sending a PIN to a user’s smartphone by SMS.
What happens when criminals can intercept that PIN?
SIM swapping attacks: an emerging threat on the dark web
It can be done through a practice called SIM swapping, in which fraudsters pay or trick telecommunications employees to port the phone number from a victim’s phone to the criminal’s SIM card. Once in possession of the victim’s number, the fraudster can essentially take over any account that can be accessed through a call or SMS.
We recently researched SIM swapping on the dark web. We discovered vibrant exchanges of services and access to insiders capable of performing critical steps, tutorials for aspiring fraudsters, and even frank discussions among cryptocurrency investors—the most impacted victims of these schemes—about how they can defend themselves.
Dark web chatter surrounding SIM swapping first appeared in significant quantity in 2015. Subsequently, it has risen considerably; we can identify four distinct periods of activity (when measuring in terms of the average number of monthly posts). Since the first period—January to October 2015—the average number of monthly mentions has ballooned 7.8-fold.
In the most recent period—May to November 2019—average monthly mentions increased 68% over the previous period (which stretched from June 2018 to May 2019).
There’s a reason for this uptick. When a certain type of cybercrime gains media attention, chatter surrounding it rises on the dark web. A lot of this includes general discussions about the news items, but a major portion constitutes criminals seeking to learn how to cash in through exchanging knowledge and services.
Indeed, SIM swapping has recently received significant attention, as it was used against several high-profile targets. In August, the SIM swapping technique was apparently used to hack into the Twitter account of none other than Twitter founder Jack Dorsey. Furthermore, several cryptocurrency accounts were drained of millions of dollars in bitcoin, including that of a well-known investor, who lost $24 million after a criminal gang was able to convince a retail store worker to port his number. This occurred after the victim had begun working with his carriers specifically to prevent such an attack, because he had been a victim of a smaller SIM swapping scam before. The victim is now suing the carriers for negligence.
Whereas most internet-based frauds can be perpetrated from abroad, by actors in places like Russia or China, SIM swapping is more local. An attacker must understand the carriers’ rules about porting numbers, speak to the carrier, and connect the new SIM to the network. They must also perform reconnaissance—choosing a specific victim whose number is especially valuable and gathering details about their identity. And they must be wary of local law enforcement. The many country-specific and carrier-specific posts on the dark web, ranging from Italy to Argentina to Albania, highlight the local flavor in each country.
What are fraudsters’ methods of operation for SIM swapping attacks?
Getting through to the carriers is key. While some fraudsters use social engineering to convince carrier employees to port the numbers, others offer to bribe them with up to $70,000. Indeed, there are many posts on the dark web brazenly looking for insiders at major carriers.
Fraudsters also need to identify a target that likely has enough money on hand to justify the initial investment, and they likely need to know something about how the victim’s accounts can be taken over. But not all SIM swapping attacks are used for financial gain. The attack on Dorsey, for example, seemed to be focused on establishing bragging rights. Even then, the profile of the target needs to be significant, given the expense, planning, and risks involved.
So, is SIM swapping a threat for everyone? Theoretically, anyone with a cell phone can fall victim. We shouldn’t assume that it’s only the wealthy that are targeted. There’s evidence that criminals are using SIM swapping to open new smartphone accounts and buy pricey new smartphones. The practice is widespread enough that the Federal Trade Commission has put out an advice sheet for consumers.
For almost everyone, the most likely avenue of attack involves basic social engineering. Consumers should be wary of phishing scams and should be extremely cautious of emails or telephone calls that ask for personal information, since attackers may use it to impersonate them.
For high-net-worth individuals, especially those who store assets in easily transferable forms like cryptocurrency, negotiating additional protections with carriers (such as do-not-port orders) seems worthwhile.
Telecommunications carriers, meanwhile, should monitor trends in dark web activity to determine if insiders are offering their services and how techniques are evolving.