This is NOT Fraud Advice--Sim Swaps

Hope everyone had a wonderful Labor Day Weekend. Do you know who does not take holiday weekends? Bad actors. Well, it is possible they do in the proverbial sense--individually even fraudsters take vacation, but as a whole I am sure many still spend the day pursuing this lucrative hustle.

I had one fantasy football draft last night and another tonight with NYC fintechs, so we will get right into it. We are chatting about Sim Swap scams.


Technically, a sim swap isn't a scam in and of itself, but instead, a piece of a larger scam. But it is a huge piece.

You likely remember when 2FA and SSO links were all the rage a few years back. 2FA stands for 2-factor authentication, and SSO for single sign-on. They were evolutions in the authentication space to fix the problems with passwords, the main problem being that passwords are easy to steal.

2FA and SSO were geared towards protecting people from Account Takeovers. They worked well for a bit, but fraudsters evolved. Fraudsters recognized that if they could "steal" someone's phone number, they would get access to all of their accounts: their socials, emails, and bank accounts. The sim swap was born.

As you probably recognize by now, stealing a phone number could be the first step for a wide variety of scams. You can use SMS, email, and socials to phish their contacts into sending money. You can use the phone number to onboard onto any fintech platform using reverse lookup KYC, where they take your phone number and then have you attest to the rest of your PII. Or, you can drain their bank account.

Let's explain how to do a sim swap. BTW this is NOT fraud advice to help you all make some extra cash to recoup what you spent at Surf Lodge LDW.

The goal of a sim swap is to get the cellphone carrier to switch someone's phone number to be associated with a sim card that you control. First things first, you need a sim card.

People get cellphone carriers to transfer a phone number in a couple of ways. The simplest, and likely most common way is to pay off a cellphone carrier employee. The main legitimate reason to transfer a phone number is when changing cellphone carriers. You need to find a phone number using Verizon, pay someone at AT&T to contact Verizon, and have them transfer the phone number to your AT&T sim card.

The average customer service rep at AT&T makes $18.00 an hour. So, offering them $1,000 is sufficient ROI for them and you, assuming the person has more than $1,000 in their bank account. Shoot them some cryptocurrency; you should be good with "your" new phone number within a week or so.

The other way to do this is to impersonate your victim and say you have lost your phone and must transfer the number to your new device. This has a bit more complexity, but as we have seen in previous editions of Not Fraud Advice, it is still pretty easy.

If I were to go this route, I would do it in person, as you will likely get less scrutiny if you walk into a Verizon store with your ID than if you call up Verizon and they can't see you.

I would print a fake ID with our Amazon ID maker we bought in week 1 for $1,200 and walk on in. With a smile and some sweet talk, you can control "your" phone number.

The rise of sim swaps has negatively impacted the security of 2FA and SSO. The next generation of authentication likely belongs to Passkeys. Passkeys are based on new technology standards (WebAuthn/FIDO2) that use strong public-key cryptography to authenticate people on the internet. We believe they will replace passwords entirely, and they are a core building block for the entire Footprint ecosystem.

The early data around passkeys has been strong. Google implemented them internally in 2017 and virtually stopped all phishing attacks.

We would love to chat if you are interested in learning how Footprint puts passkeys to work in our KYC and auth products.
