SIM swapping is an increasingly popular account takeover fraud that has in the past year, claimed high-profile victims including Twitter CEO Jack Dorsey and may have even been the reason behind Barack Obama and Elon Musk tweeting bitcoin scams as recently as mid-July. But it’s more than just public image and reputation that is on the line for victims of this fraud.
In January 2020, a Spanish hacker ring stole over €3 million in a series of SIM swapping attacks from unsuspecting cardholders. They struck over 100 times, stealing up to €137,000 at a time from individual bank accounts.
In Greece, simjackers have stolen €700,000 from Greek banking customers this year alone and the story repeats itself from country to country.
In this blog you’ll learn what SIM swapping is, how it works and what this trending scam tactic means for the financial industry.
SIM swapping or simjacking targets a weakness in two-factor authentication in which the second factor is a text message (SMS) or call made to a mobile telephone.
Cybercriminals exploit mobile service providers’ ability to port phone numbers – required as the second step of two-factor authentication – to fraudsters’ phones.
When a mobile phone is lost, stolen or users switch services over to a new phone, the mobile service provider can seamlessly port the user’s number to a different device.
To turn this simple action into a scam, all fraudsters need to do is call the mobile service provider of a legitimate user, impersonate them – using data acquired through malware, phishing or from organized criminals – and convince the provider to switch the phone number over to the fraudster’s SIM.
This allows the fraudster to intercept any one-time passwords sent to the victim via SMS and circumvent any security features of accounts that rely on text messages or telephone calls.
What’s more, SIM swapping is significantly faster than traditional fraud tactics.
Fraudsters need only send a text message to a carrier to obtain a Porting Authorization Code, so if they only have access to a device for a few seconds it is significantly faster to exploit the weakness in two-factor authentication than to infect it with malware or go through a phishing campaign.
This is even easier to achieve in countries that don’t have stringent laws such as the EU’s ‘Strong Customer Authorization’ or have lower banking fraud awareness – where this can be done without going through any identification.
Signs that you are a victim of SIM swapping fraud may include:
In an hour or two most victims pick up on one of these signs, so fraudsters have to be quick to transfer the money to mule accounts and hide their traces.
When simjackers targeted Greek banking customers this year, one victim caught up in the attack recalled how simply it was done: one minute his phone lost signal, next, €10,150 was moved out of his bank account.
The bank is a victim’s first port of call when fraudsters strike and the bank is who they blame.
“I am annoyed at the bank. I have taken a loan from them and I have always been consistent with my obligations,” the defrauded customer explained to the National Herald. He is not alone in looking at the bank for a solution.
In July 2020, the Dubai Court of Appeal found a local bank responsible for the SIM swap fraud that saw Dh4.7 million (over €1 million) stolen from Middle Eastern bank accounts in 2017 and ordered the bank to reimburse the victims.
With smartphone usage at all-time high and more people entering the banking ecosystem – as Covid-19 accelerates the shift to digital payments across the world – the onus is on the banks to ensure sophisticated fraudsters aren’t just one text message away from their customers’ life savings.
On the surface of it, banks are victims to SIM swapping scams just the same as their customers. Porting cardholders’ phone numbers to new devices is ultimately the decision of the mobile service provider, which – presented with accurate, stolen data – has no reason to suspect cybercriminals are behind the move.
But as the Dubai court ruling shows, responsibility to reimburse victims lies with the bank.
Does this mean banks will necessarily be on the back foot when it comes to simjacking? Quite the contrary. Financial institutions cannot afford to adopt a reactive stance – it is both expensive and damaging to customer relationships.
With the buguroo online fraud detection solution, bugFraud, banks can be one step ahead of evolving types of cybercrime, including SIM swapping.
Most banks verify the user’s identity at login and when a transaction is performed (two-factor authentication), leaving a gap in the process for mid-session account takeover to occur.
In comparison, bugFraud provides continuous authentication to monitor and verify a banking customer’s identity in real time, throughout the entire online session. Its deep learning-driven behavioral biometrics analysis capability builds a cyber DNA for each user based on their unique, granular patterns of behavior to determine what constitutes ‘typical behavior’ to the individual user.
Then, through continuously monitoring their activity throughout the online session, bugFraud flags any suspicious activity in real-time, prompting the bank to take action.
In the case of SIM swapping, while a SIM may check out as belonging to the authorized user, bugFraud is able to detect a change in the user’s patterns of usage and indicate fraudster activity.
It is also capable of establishing a correlation between a device and the user’s actual International Mobile Subscriber Identity (IMSI), allowing banks to reveal such anomalies as one device ID linked to two or more SIM cards or one SIM shared between two or more device IDs.
In both of these scenarios, bugFraud helps the bank stop fraudsters before money leaves a legitimate user’s account.
bugFraud not only protects banking customers from SIM swap scams, it also enables the bank to thwart and deter future attempts from the same cybercriminals.
Every time a SIM swap attempt is made, bugFraud’s Fraudster Hunter functionality collects unique behavioral biometric DNA from cybercriminals, allowing financial institutions to immediately identify malicious entities inside their system and prevent account takeover.
The more cybercriminals try, the faster the bank gets at identifying them, leading to complete deterrence – all while legitimate users enjoy a frictionless and safe banking customer experience.