Fraudsters are Phoning it in with SIM Swap Fraud
Table of Contents
- How does SIM swap fraud work?
- What’s the best way to protect yourself from SIM swap fraud?
- Can SIM swap fraud lead to payment disputes?
- What merchants should know about SIM swapping
- What is simjacking?
Phone numbers have become a common way to verify your identity online. We’re in an era where many of us view our smartphones as practically extensions of ourselves, so it stands to reason that sending a text message to a personal phone number is a good way to perform two-factor authentication or validate a login from an unfamiliar device.
This method is secure and effective—unless a fraudster manages to hijack your phone number with a SIM card swap. It’s not the easiest scam to pull off, but when it succeeds, what can victims do to mitigate the damage and protect their online accounts?
Many of the apps and sites that store our most valuable personal data—like our social media, email, and online banking—use our phone numbers to make sure we are who we say we are when we’re trying to access or make changes to our accounts. After all, most of us always have our phones nearby, and replace them immediately when they’re lost or broken.
Subscriber identity modules, more commonly known as SIM cards, are plastic-mounted chips that store phone numbers and other information that identifies phones to their carriers. Changing phones can be as simple as moving a SIM card from one device to another—and carriers can change SIM card data remotely as well. After all, when your phone goes missing your number doesn’t disappear along with it; the carrier just transfers it to a new device.
How does SIM swap fraud work?
The idea of fraudsters hacking into the SIM card that’s nestled away inside your phone and stealing your phone number may sound impossibly high tech, but in truth, the way they go about it is almost always through old-fashioned social engineering. No special programs or hardware are required—just the ability to persuade a customer service rep that they’re a legitimate customer in need of a SIM transfer. Of course, it helps a lot if they have access to their victim’s personal information, especially the answers to any security questions that are intended to protect their accounts from unauthorized access.
In a typical scenario, a fraudster will use phishing emails to get a victim to divulge some of the information that might help them gain access to their accounts. For instance, they might send them an email with a link to a website that asks them to enter login information or answers to security questions. Often these websites are designed to mimic the website of a company the target already has a relationship with, such as a bank or cell phone carrier. In other cases, fraudsters might trawl the victim’s social media for the names of relatives, birthplaces, schools, and other facts that frequently show up as security questions.
Once they have what they need to gain access, they contact the phone carrier, pretending to be the victim, and ask for a SIM card transfer to a new device. If they succeed, the victim’s phone number and any other data stored on the SIM card is instantly transferred to a new card in the fraudster’s possession. Now, if anyone calls or texts the victim’s phone number, the fraudster’s phone will receive it—which means they can easily get around authentication methods that rely on phone contact.
With two-factor authentication using text messages become more and more common across the internet, attempts to bypass this check are also becoming more common, with SIM swap fraud being one of the more popular methods.
Two-factor authentication still provides a great deal of protection against fraud, and it's worth implementing for any eCommerce business that hasn't already done so. However, no security feature is completely bulletproof, and two-factor authentication is no exception.
Once a fraudsters gains access to the victim's text messages, they will undoubtedly try to empty out the victim’s bank accounts, scour their email and social media for private information, and help themselves to anything else of value that the victim’s phone number can unlock.
What’s the best way to protect yourself from SIM swap fraud?
One of the most important defenses against SIM swapping is the ability to recognize it when it happens, which isn’t always easy. The earliest clue is often that your phone suddenly stops working, unable to send or receive any data. A carrier message might pop up alerting you to the fact that the SIM has been transferred, but if you don’t get this message, you might just think the problem is with the carrier or the phone’s hardware.
An immediate call to your carrier’s customer service line can help you figure out what the problem is, and it's very important to act quickly if you think you’ve become the victim of SIM swap fraud—it doesn’t take long for fraudsters to wreak significant havoc with a stolen phone number.
As far as prevention goes, many carriers allow you to secure your account with a PIN or other safeguards that make it harder for fraudsters to sweet-talk their way into accessing your account. It’s also wise to choose security questions or answers that can’t be found out by researching you online—how hard do you really think it is for somebody to find out your mother’s maiden name, for example?
There are also measures merchants can take to prevent the account of a customer who's fallen victim to SIM swap fraud from being accessed. The most effective is to conduct two-factor authentication via some other means instead of a text message.
Google Authenticator can be used to generate the same sort of codes you'd send via text, without the vulnerability to SIM swapping. However, Google Authenticator is not without its downsides, the main one being that it's tied to the phone itself. While the app provides backup codes upon setup, not all customers are good at keeping track of these, which can create problems for customers whose phones are lost or stolen. Even customers who simply upgrade to a new phone without realizing they need to follow a procedure to transfer their Authenticator data might temporarily lose access to their accounts.
Another means of two-factor authentication is biometric information, such as face recognition or a fingerprint. Both Android and iOS now offer the ability to integrate fingerprint login into eligible apps, and several third party services offer to authenticate customers by asking them to take a quick selfie. As with any security method, each of these comes with its own list of downsides and vulnerabilities, and can present an irritating obstacle for some customers. Security is always a balancing act, and each merchant must make their own decision on what authentication to require and what methods to offer to their customers.
Can SIM swap fraud lead to payment disputes?
For fraudsters, SIM swap fraud is a more lucrative venture than credit card fraud. With a hijacked phone number, they can drain funds directly out of a victim’s bank account, with no need to make fraudulent purchases that they then have to figure out how to liquidate for cash.
However, it is certainly possible for fraudsters to use SIM swap fraud to facilitate account takeover and other schemes that can victimize merchants, many of which will later result in transaction disputes. These will usually come in the form of true fraud chargebacks that cannot be contested, so merchants should employ best practices for securing logins and storing payment credentials in order to minimize the fallout from account takeover attacks.
What merchants should know about SIM swapping
SIM swapping doesn’t always result in payment fraud, but merchants should always be aware of the ways in which their customers’ identities and online accounts may be compromised. We all have a role to play in keeping eCommerce safe and secure for consumers, and being vigilant about authentication protocols and doing our best to use the safest methods for protecting user accounts can go a long way toward making it harder for fraudsters to profit from phishing attacks, social engineering, and the various forms of cyber crime that these scams engender.
Fairly or not, merchants always take some of the blame when breaches occur, so making the extra effort can help you retain customers and protect your revenue in the long run.
What is simjacking?