With mobile phone payments now hugely popular, cybercriminals have been targeting the market in a wave of attacks. With SIM swap fraud nowadays conducted on a large scale, Fabio Assolini, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab, tells Intelligent CIO how cybercriminals complete the fraud and the best ways to avoid being the next victim.
Mobile payment is huge worldwide. Mobile phone-based money transfers allow users to access financing and micro-financing services, to deposit, withdraw and pay for goods and services easily with a mobile device. In some cases, almost half the value of a country’s GDP goes through mobile phones.
But these mobile payments are now suffering a wave of attacks, and people are losing their money – all powered by SIM swap fraud, which is conducted on a large scale.
SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centres on exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM.
This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.
If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique.
Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.
The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organised crime groups, via social engineering or by obtaining the information following data leaks.
Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.
After that, the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; every service that relies on SMS or telephone call authentication can then be abused.
We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets, in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc.
Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.
Sometimes the target is the carrier and not the customer. Employees in a carrier’s branches in small cities, especially branches located in kiosks or shopping malls, are sometimes unable to identify a fraudulent or altered document, allowing a fraudster to activate a new SIM card.
Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials.
Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch in a small city, to give them access to the carrier’s system.
The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.
The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.
The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal.
WhatsApp is the most popular instant messenger in a number of countries, and fraudsters there use the app to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts.
Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.
In one case, the fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function; a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app.
Once this access was obtained, the fraudsters made several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.
When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.
Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as ‘my voice is my password’ – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrolment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.
When a SIM change is requested, operators can implement an automated message that’s sent to the number, alerting the owner that there’s been a SIM change request and that, if it’s not authorised, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself; it will instead alert the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.
Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.
As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In some countries, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.
To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.
TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.
Despite the fact that attacks on 2FA with the use of tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.