Wanna trade your crusty old SIM card for my brand new shiny one?

Not many of us would take up the offer to trade SIM cards with a stranger but could a skilled social engineer convince your mobile network provider to swap SIM cards on your behalf? Sadly, yes.

On 25 August, 2023, financial company Kroll confirmed a threat actor convinced T-Mobile to transfer a Kroll employee’s SIM to a new phone number the attackers controlled, enabling a data breach.

This isn’t an isolated incident. Also recently, on 18 August, Anthony Francis Faulk of Pennsylvania (U.S.) was sentenced to three years in prison for SIM swapping and other malicious activity that started by tricking mobile service reps into transferring phone numbers from victims' SIM cards to those of his conspirators. They then reset victims’ online passwords, took control of their accounts, accessed cryptocurrency funds, and transferred them to their own accounts. Faulk and his crew were caught, but many threat actors get away with SIM swapping scams.

Even DALL-E thinks about how SIM cards can be swapped

Equal in the eyes of the SIM Swapper

For some teams, the concept of SIM swapping is old news. "It's happening for a long time" or "This is not new nor novel". What we established once again when building our scenarios is that SIM swapping remains a great equaliser, impacting celebrities, tech CEOs, musicians, athletes, public figures, crypto-millionaires, politicians, business tycoons, and regular humans alike. To understand the role SIM swapping plays in any scenario, we should first recap what SIM cards themselves are.

SIM, or Subscriber Identity Module, cards contain vital user data, are used to connect mobile devices to a mobile network, and carry an assigned phone number. SIM cards – and their phone numbers – are often tied to bank accounts, cryptocurrency wallets, email, phone contacts, and social media profiles. Crucially, SIM cards can play an essential role in authenticating a user’s identity in an SMS-based two-factor authentication (2FA) system by receiving verification codes in text messages sent to that SIM card’s phone number.

This process is exploited during a SIM swapping attack. Attackers often use personal details from open-source intelligence collection and data breaches to trick mobile operators into transferring a victim's phone number to a SIM they control. This lets them intercept calls and 2FA messages and access the victim's accounts.

We have 2FA, why should we care about SIM swapping?

Yes, multi-factor authentication (MFA), biometrics, authentication apps, and hard tokens that issue timed one-time passwords (TOTP) do exist and offer a solution to 2FA SIM swapping. However, these more mature authentication security controls aren’t as widespread as we hope/think/wish. For instance, 40% of the average company’s employee accounts have either no MFA or weak MFA, according to Oort. That statistic is for enterprise entities; personal accounts are in a worse state.

Members of the public have just caught up with 2FA; expecting everyone to be fully versed in more secure, non-SIM card authentication controls is unrealistic. There will be a lag whilst policies and education filter through from the cybersecurity community to other areas of society.

In the crosshairs of governments

The impact of SIM swapping has been significant enough to date that it has drawn the attention of multiple governments, law enforcement, and cyber defence agencies. For instance, in July 2023, CISA’s Cyber Safety Review Board published a report pointing regulators at the telecommunications and financial sectors, stating they should all strengthen their oversight and enforcement activities focused on SIM swapping transactions.

The result? SIM-based 2FA could get regulated out of existence. However, this may take some time. What can you do in the meantime to mitigate the risk of SIM swapping impacting you or your organisation? Preparation is key.


How to prepare? Getting into the mind of the attacker

SIM swapping scams are primarily committed using social engineering, so the ultimate targets are human. To prepare for a potential SIM swapping attack, it's essential to understand the mindset of the attacker and the steps they would likely take.

In the case of SIM swapping, our four main takeaways include:

  1. Review & adjust your methods of multi-factor authentication. Identify where these methods are being used and where the potential weak points are. Based on your review, you can even decide to stop phone-based authentication altogether.
  2. Make sure it's clear to your employees how they can reach your helpdesk in case they can no longer make calls. Not all your employees still have private phones, and some might not even have access to a laptop. It might surprise you how many implicit assumptions we make in this area.
  3. Train your teams, which could be as broad as your helpdesk or your entire employee population, to recognize a prolonged loss of network connection as part of this particular scam. Knowing this and rapidly notifying the right people might already prevent suspicious subsequent events.
  4. Strengthen the security of the mobile device accounts at your providers, making it less likely that a social engineering attack will succeed. Set up alerts across multiple devices for when changes are made to mobile accounts.
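
As an added illustration of takeaway 1 (not part of the original article), the Python sketch below reads a factor-enrolment export and classifies each account by what a hijacked phone number would give an attacker. The CSV columns, factor labels and sample rows are constructed assumptions; map them to whatever your identity provider actually exports.

```python
import csv
import io

# Constructed sample export, one row per enrolled factor (hypothetical columns).
SAMPLE_EXPORT = """user,factor,can_reset_password
alice,sms,yes
alice,totp_app,no
bob,sms,no
carol,hardware_key,no
carol,totp_app,no
dave,voice_call,no
dave,hardware_key,no
erin,,
"""

# Factors delivered to the phone number, so they follow the number to a new SIM.
PHONE_FACTORS = {"sms", "voice_call"}


def audit_sim_swap_exposure(export_text):
    """Return {user: exposure class} for a factor-enrolment export."""
    factors = {}
    phone_resets = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        enrolled = factors.setdefault(row["user"], set())
        if not row["factor"]:
            continue  # account listed with nothing enrolled
        enrolled.add(row["factor"])
        if row["factor"] in PHONE_FACTORS and row["can_reset_password"] == "yes":
            phone_resets.add(row["user"])

    report = {}
    for user, enrolled in factors.items():
        phone = enrolled & PHONE_FACTORS
        if not enrolled:
            report[user] = "no_mfa"
        elif user in phone_resets:
            # The number alone resets the password, whatever else is enrolled.
            report[user] = "phone_recovers_account"
        elif phone == enrolled:
            report[user] = "phone_only"
        elif phone:
            # A stronger factor exists but can be sidestepped via the phone option.
            report[user] = "phone_fallback"
        else:
            report[user] = "phone_independent"
    return report


if __name__ == "__main__":
    for user, exposure in sorted(audit_sim_swap_exposure(SAMPLE_EXPORT).items()):
        print(f"{user:6} {exposure}")
```

Accounts in the `phone_recovers_account` and `phone_fallback` classes are the ones a simple "has MFA" count tends to miss, because a stronger factor is enrolled but the phone number still works as a way in.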

Among the different formats of CTI products at Venation, we obviously believe that threat scenarios give you the most comprehensive overview of the whole SIM swapping process, from choosing a target to “cashing out”. This gives you insight into the areas you need to review and where to implement controls or institute changes, instead of doing this after learning the lessons the hard way. Our SIM swapping scenario is now available in our platform.


Want to learn more? Get in touch via www.venation.digital.


Interested in similar content?

  1. https://oort.io/hubfs/Reports/State-of-Identity-Security-2023.pdf
  2. https://www.justice.gov/usao-ndca/pr/pennsylvania-resident-sentenced-three-years-prison-role-conspiracy-defraud-and-extort?utm_source=substack&utm_medium=email
  3. https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf
  4. https://www.kroll.com/en/about-us/news/security-incident
  5. https://thehackernews.com/2023/08/kroll-suffers-data-breach-employee.html?_m=3n%2e009a%2e3132%2emq0ao05u8n%2e249s
  6. https://www.enisa.europa.eu/news/enisa-news/beware-of-the-sim-swapping-fraud


#simswapping #cybersecurity #threatscenarios #threatmanagement #riskmanagement #venation #threatlandscaping
