By CPA Abdallah Mambo Dallu
There is public outrage over the dramatic rise of SIM swap fraud as more victims of the racket, which has seen fraudsters steal from bank accounts and digital wallets, publicly condemn the vice. The financial scam sweeping the country focuses on shifting control of the victim’s phone account from their SIM card to one controlled by the hacker. As the Covid-19 pandemic raged in 2020, nearly 140 million cyber threat events were reported, a jump of about 40 per cent over the previous year, according to the latest data from the Communications Authority. Many Kenyans fall victim to cybercrime because of either sharing too much information online or carelessness.
What is a subscriber identity module (SIM) swap?
SIM swap fraud is an account takeover scam that targets a weakness in some forms of two-factor authentication (2FA) in which a call or text message sent to a mobile telephone is the second factor or step. Also known as port-out scam, digital subscriber identity module (SIM) swap, SIM splitting, and SIM jacking, the SIM swap scam exploits the ability of mobile phone service providers to seamlessly port a telephone number to a device containing a different SIM card. Typically, carriers use this feature when customers buy new phones, switch service, lose their device, or experience theft.
At its most basic level, during a SIM swap, a SIM hijacker convinces your mobile carrier to port your phone number over to their SIM card. Because your incoming calls and messages are then delivered to the hijacker’s SIM, fraudsters can easily access your most sensitive accounts by completing text-based two-factor authentication checks. If you’ve failed to protect accounts with two-factor authentication, they can use the phone number to reset existing passwords and set new ones. They can also take over social media accounts, retail accounts, and any other accounts linked to the phone number, which is probably any online account.
How Does a SIM Swap Work?
Subscriber identity module (SIM) cards store user data in Global System for Mobile Communications (GSM) phones. GSM phones without SIM cards are not authorized to use any mobile network. This is why your phone is essentially dead when you remove your SIM card unless it is on Wi-Fi. SIM swap victims do not receive carrier-facilitated text messages or phone calls once they are disconnected from their original carrier. All communications are routed to the attacker instead. And while Wi-Fi will work, carrier-based internet and telephony will cease.
SIM card hacking boils down to two main methods:
- SIM Swapping
An attacker uses social engineering techniques to trick your phone service provider into switching your number over to a new SIM card. This involves posing as the account holder and trying to convince an employee of the phone service provider to swap the number from one SIM card to another. If the hacker succeeds, the employee unwittingly hands over access to the account holder’s phone number.
Once the SIM has been swapped, the victim’s phone will need to be restarted to complete the transfer to the new SIM card. Typically, hackers will pose as the phone service provider and send a fake SMS message to the victim asking them to restart their phone to resolve a problem.
- SIM Cloning
An attacker gains physical access to your SIM card and clones it onto a new SIM card that the attacker controls. This method requires the hacker to physically copy the SIM card by placing it in a card reader attached to a computer. Duplication software on the computer will then allow the number to be cloned onto a blank SIM card.
This can also be carried out wirelessly if the hacking method is sophisticated enough to break the in-built security encryption that protects the SIM card. Once the hacker has a clone of the SIM card, they can then use this in a device they control to access the victim’s texts, phone calls and location data.
Fraudsters have been known to use social media handles to mine innocent people’s data by promising free gifts. In the recent past there have been rounds of fake offers and promotions purporting to come from the country’s retail chains and telecoms through social media platforms like Twitter, Facebook, Instagram and WhatsApp.
Fraud Attacks Following SIM Swap Scams
A SIM swap is only the first step for fraudsters. Once they are in control of your phone number, there is no limit to the amount of damage they can do. This can take the form of:
- Account takeover: The most common form of attack, and indeed the reason why many fraudsters use SIM swaps in the first place. A fraudster who controls a phone number can receive 2FA or OTP SMS that allows them to log into your accounts. This includes mobile banking, social media, or online store accounts.
- Identity fraud: Stealing someone’s phone number isn’t considered ID fraud per se. But fraudsters often mine accounts for personal documents to steal the victim’s identity.
- Phishing: Once they are in control of a phone number, fraudsters can get in touch with your family, friends and colleagues to gather personal information.
- Transaction fraud: If your account acts as an e-wallet (for instance, for online store credit), fraudsters will use it to buy themselves gifts. Even worse, they could find a linked credit card number and use it on their shopping sprees.
- CEO fraud: There has been a rise in attacks where executives and managers are impersonated by fraudsters.
How to tell if you’ve had your SIM card hacked
There are a number of (usually very easy) ways to detect if your SIM card has been cloned or hacked:
- You’re no longer receiving calls and texts. If someone has cloned your SIM card or has convinced your network operator to switch your number to a new SIM card that they have in their possession, you won’t receive any more texts or phone calls. A phone number can only be associated with one SIM card at a time. You can easily check this by asking a friend to call or text you; if the call or text doesn’t come through, you know you might have a problem.
- Unrecognized numbers on your account. If you’re checking the outgoing calls on your bill and see numbers that you don’t recognize, it might be time to contact your network operator and try to get more information.
- You receive a message requesting you to restart your device. One of the very first signs of SIM hacking that you’ll notice is a seemingly random text purporting to be from your network provider asking you to restart your device. This is usually a message sent from the hacker. Restarting the phone gives them a chance, whilst the phone is off, to steal your SIM details.
- Your device appears in a different location on location-trackers. If you’re using something like Find My iPhone for iOS or Google’s Find my Device for Android, then this can be a good way to check for SIM problems. If your phone is appearing in a different location, this is a sure-fire sign that your SIM card has been compromised and is being used by a hacker.
- You’re locked out of your accounts. Lots of accounts utilize a security feature called two-factor authentication. This is a feature that prevents a hacker from accessing your account even if they know your username and password. This works by confirming your login with a unique code sent via a text message. The problem is that if a hacker has managed to clone or hack your SIM card, they can now receive that verification code and use it to gain access to accounts that they wouldn’t have had before.
How to prevent SIM swap?
There are several ways you can protect yourself and avoid SIM swapping:
1) Limit the amount of personal information you share online.
Fraudsters often monitor your digital footprint and will pick out the smallest details to convince your mobile service provider that they are you. Avoid posting your full name, address, phone number and birth date anywhere public. Also, do not overshare details of your personal life on social media.
2) Use strong passwords and security questions.
Always use a password that is very difficult for anyone, including your closest acquaintances, to guess. It is recommended that the password should have 12 characters or more to protect your cell phone’s online account as well as that of other mobile apps such as mobile banking apps. If possible, use identity questions that are unique to yourself.
3) For mobile banking apps, use both face and touch identification authentication whenever possible.
Before installing a sensitive app such as a mobile banking one, ask the providers if they have a two-factor biometric system for identification and use both of the features when accessing the application. For instance, use both the fingerprint and facial identification features when using a mobile banking app.
4) Beware of phishing emails, texts and calls.
Look out for impostors posing as staff from your mobile service provider or reputable financial institutions seeking private information from you. Hang up immediately and report the number to the relevant authorities.
5) Modify online behavior
Beware of social engineering attacks such as phishing emails that scammers may use to access your personal data to impersonate you. Sanitize your online presence to reduce risk.
6) Use PIN codes
Add a layer of protection through your carrier by setting a separate PIN or passcode for your communications. AT&T and T-Mobile allow it, and Verizon requires a PIN that you can modify. Never use an obvious PIN such as an anniversary, birthday, or address, and ideally, store PINs in a password manager.
7) Build IDs without your phone number
Avoid building identity and security authentication solely around your phone number, including text messaging (SMS). This is vulnerable to SIM swap fraud and other attacks, and text messaging is not encrypted.
If your mobile carrier offers it, elect to receive additional notifications when a SIM card is reissued on your account. When you choose banks, retailers, and other organizations to use online, look for those that use behavioral analysis technology to discover compromised devices and call-backs to deter identity thieves.
9) Better two-factor authentication
Some take SIM swapping as an argument against two-factor authentication (2FA), but that’s far from accurate. In fact, SIM swap fraud is an argument in favor of using strong authentication, such as a security key for physical authentication.
Physical authentication techniques are superior to standard 2FA, because they require something you know, such as a password, plus something you have: a physical token. A hacker has to physically take your token to gain access.
10) Go phoneless
For especially sensitive accounts, it can be worthwhile to attempt to remove your phone number entirely where possible. This can be a challenge at scale, but for high-value targets may be necessary.
SIM swapping scams have targeted some of the most famous people on Earth. Jack Dorsey, Jeff Bezos, and Kim Kardashian have all been victims of SIM jacking. In Kenya, Kasarani Officer Commanding Police Division (OCPD) Peter Mwanzo fell victim to a SIM card swapping syndicate that left his accounts dry on the night of January 4, 2022.
And while targeting your phone may not be as glamorous, fraudsters still do their best to take over accounts in any way they can. The good news is that regulations are forcing telco operators to be more stringent when it comes to verifying users. On 24th February, 2022, the Communications Authority of Kenya (CA), in accordance with the Kenya Information and Communications (Registration of Sim-Cards) Regulations 2015, directed the Mobile Network Operators to ensure that registration details of all subscribers are fully updated by 15th April, 2022. This deadline was later extended by six months to 15th October 2022. This move is aimed at tracking down the fraudsters.
CPA Abdallah Mambo Dallu
Chief Internal Auditor & Compliance Officer;
Tel: 0726 322 799