The COVID-19 scourge is changing social behaviors, wrecking the economy, and killing people across the nation. As emergency workers are rightfully focused on the virus’ impact and seeking life-saving solutions, a lesser-known cyber issue is fast evolving across the world. Awareness of the exploit may save them from embarrassment and financial loss.
Cybercriminals have found another way to personal data outside of the traditional threat vector of the computer. Your mobile phone number may be their key to valuable financial accounts and disruption to your digital life. As people are preoccupied with saving lives, they become a perfect victim. Worse, the deceased can also become game for criminals who are aware of life termination.
The exploit is “SIM Swapping,” or port-out or SIM splitting fraud. A SIM is a subscriber identity module (SIM). Most cell phones have one. This component allows criminals to wedge themselves into a Federal Communications Commission (FCC) endorsed process for moving cell service between cellphone carriers.
What Is SIM Swapping?
SIM Swapping is a form of unauthorized access to your data through your cell phones. Most people have forgotten their phone is a minicomputer. However, cybercriminals have not. The mobile devices are powerful, and open access to many of the same accounts you can reach through the computer.
When someone else has access to the phone, it is no different than them having access to the associated computer. Text messages are often used by banks, businesses, and payment services to verify your identity when you request updates to your account. And, typically all the emails on your very secure computer are accessible from your handheld device.
How Is It Carried Out?
To do the sim swapping exploit, a criminal legally ports your phone to another carrier. Once your service is switched, the criminal enables their device as your phone identity. Of course, you as the rightful owner are unaware of the transaction.
This is easy for criminals because “porting” a number is done by the cell carrier when a cell number owner wants to change service providers and keep the same number. This legal movement between providers frequently occurs across service providers like Verizon, Centurylink, Sprint, and AT&T. It is a simple process that spurs wanted competition between them.
The consequences begin to unfold after the SIM swap, and when the criminal has access to your text coming into your phone identity. The data manipulation and theft are carried out just like on a computer. Ultimately, the cellphone is used as a vehicle for access to your most sensitive information.
Most people have a false sense of security when it comes to their cellphone because the device is always within arm’s reach. Cellphone porting provides even a greater sense of “control” because the scammer needs to have enough data to convince the service provider that the person requesting the change is the account owner. As with most cyber vulnerabilities, most victims believe that it can’t happen to them.
Once someone has possession of your phone identity, they can reset passwords to make the accounts their own. This access includes social media accounts, bank accounts, retirement accounts, cryptocurrency accounts, and others associated with your employment. This is not to mention opportunities for the thief to ransom private social media artifacts and photos. It doesn’t stop there. The criminal who now owns your phone identity can open new accounts in your name.
The corporate data breaches that we now pay little attention to are information-gathering grounds. This is a great source of the data used to convince the cellphone carrier they are the rightful account owner. SIM swapping is simply a new form of identity theft that leads to extreme consequences.
The Federal Bureau of Investigations says the thefts have netted over $50,000,000 worldwide over the past three years. The truth is, no one knows the exact figure because the exploit is also used to steal digital currency like Bitcoin. This theft is probably rarely reported through official channels.
In one profile, the victim provided insight that should make every cellphone user want more information on mitigating this crime. The man advised that he lost over $1,000,000 in less than 20 minutes. He was most amazed at how easily they pulled off the heist and the speed in which it was performed. Another victim talked about the gripping fear of being locked out of their own accounts. Both people wanted everyone to understand how mobile carriers made them feel they were alone.
The FCC says that using multi-factor authentication (MFA) is a proven solution to protecting your accounts should SIM swapping occur. The theory is that by making the criminal take an extra step – because MFA requires two or more credentials to log in – you limit personal loss.
Besides your password, you’ll need a second credential to verify your identity. That could be something you have — like a passcode you get via text message, a security key, or an authentication app. Or something you are — like a scan of your fingerprint, your retina, or your face. – FCC
The issue with this solution is that most people use the phone itself as a second form of authentication. When the authorization code is sent, it goes to the same device the criminal has possession of, for both text and email.
As this threat vector grows both government and the private sector should also heed the warning signs that proper management of mobile devices is critical. Individuals using the personal devices to do official or company business pose a risk to the enterprise. We are all just one authentication away from someone digitally becoming us. The question is should the government or mobile phone carrier assume more responsibility or is this a personal protection issue.