SIM-Swap Fraud and How to Defend Against It

The Australian Communications and Media Authority (ACMA) will be imposing new rules on mobile providers to help fight against SIM-swap fraud. Coming into effect on June 30th, stronger customer identity checks for high-risk transactions such as SIM-swap requests, changes to accounts, or disclosure of personal information will be required.

SIM swap fraud focuses on moving control of a person's phone account from their SIM to another SIM which is controlled by a threat actor.

The technique is very simple and a pretty common strategy used in a number of other non-SIM related attacks:

• The threat actor obtains as much information on the victim as possible. This is to facilitate potential authorisation questions from the telecommunications provider.
• The threat actor contacts the victim's telecommunications provider pretending to be the victim.
• The threat actor requests a SIM swap and at the same time requests to change personal information so the victim can no longer gain access to their account.

To anyone that's worked in cybersecurity, this attack is pretty common outside of the telecommunications space. We use this exact type of attack when running adversary simulations (red teams), phishing, or social engineering engagements when attempting to obtain a password reset for potential targets so we can gain access to internal resources. It's a tried and true practice for threat actors.

A slight variation to this attack is where the threat actor requests a porting authorisation code (PAC) which allows the threat actor to port the victim's number to a completely different telecommunications provider.

The whole idea of SIM-swaps or porting is to allow the threat actor full access to SMS messages on that number. This facilitates the interception of banking authorisations and other multi-factor codes required to take over a user's bank account or other online services.

So how can you defend against these types of attacks?

Limit Exposure of Personal Information

To gain access to your account the threat actor requires information to respond to authorisation questions from your telecommunications provider. Anyone using the Internet and online services should have strong operational security (OPSEC) practices to protect their personal data. It is critical not to overshare on the Internet, especially on social media. It is common practice for threat actors to perform Open Source Intelligence (OSINT) to harvest as much information about potential targets from online sources such as social media, but also information harvested from major breaches which can be highly sensitive information, including passwords.

When setting up security questions, it has always been best practice to use what we call “non-wallet questions”, that is, questions that cannot be answered by someone if they steal your wallet. Wallet questions use information you would find on cards and other items in your wallet, such as an address, date of birth, or your middle name. Some examples of non-wallet questions you’ve probably seen when setting up security questions for banking or another online service are your favourite colour, the name of the first street you lived in, or the name of your pet.

The issue nowadays is it’s less likely for someone to steal your wallet, and more likely that they can harvest the information to respond to these questions from social media accounts and other OSINT results. It’s hard to not overshare on social media platforms as sharing is what they are all about, but be careful what you share, and when setting up security questions, don’t select questions that have an answer you may expose online, such as your pet’s name.

Report Phone Issues Immediately

A byproduct of SIM swap fraud or porting is you will lose access to your phone number. Your number cannot exist on two different SIMs so once swapped to a new SIM, you will lose access. If you lose access to your number or your phone exhibits other unusual behaviour, contact your telecommunications provider immediately. I would suggest contacting your bank immediately as well and informing them you have lost control of your phone number and to check whether your personal information has been changed recently or if there are any unexpected transactions. They can then also be on the lookout for a threat actor taking future action on your accounts.

Use Multi-Factor Authentication

Most importantly, where possible, use multi-factor authentication (MFA) on all online accounts. Most services support MFA such as Google Authenticator or Microsoft Authenticator. Many password vault applications also support MFA one-time passcodes (OTP), such as 1Password. By using an app for OTP rather than SMS, you are removing the risk posed by SIM-swap fraud as SMS is no longer used for OTP’s.

More information from the ACMA can be found here