By Neil Downing, VP of Identity Products at TMT Analysis
There was an interesting announcement recently from none other than the FBI who said that US citizens lost more than $68 million to SIM Swap attacks 2021.
Obviously as a company in the front-line of trying to fight this kind of attack, many things spring to mind. Firstly, and perhaps most obviously, it’s great to see a law enforcement agency tracking this crime and able to put a number on it, not something we’re seeing from many countries at the moment! This shocking number was actually across a relatively small number (1,611) of attacks which gives an average value of just over $42,000 per attack. WOW! This also suggests that SIM Swap is perhaps one of the more targeted crimes with fraudsters singling out particular victims whom they know will be worth the effort.
Secondly, the FBI give three attack vectors within the arena of SIM Swap. The first is the one we talk about the most which is some form of social engineering fraud where the fraudster will impersonate the victim to their mobile operator and using data they have obtained fool the operator into porting their number to a new device that is in the control of the fraudster. However, fraudsters being in collusion with an employee of the operator or even hacking the operator’s signalling network to re-assign the number themselves are also identified as taking place.
Thirdly, there has been some other recent detailed analysis around how the ultimate aim of the fraud is realised. Typically during the same phishing attack where the fraudster has gathered enough to pass the checks imposed by the mobile operator, they have also gathered banking details so once the swap is made they can quickly invoke a password reset and obtain access to their bank accounts long before the victim is aware it’s happening.
Although recent information we’ve seen has shown some ‘levelling off’ of SIM Swap attacks in Europe (some data even suggests it’s in decline as fraudsters switch tactics and simply go for a social engineering approach to have the victim give their information over the phone instead), there are a couple of obvious questions that should be asked from this.
- Given that many of the major operators offer a SIM Swap checking capability, if you are a bank of financial institution wouldn’t you want to institute a SIM Swap check as part of your password reset process right now? It would not cost much and could save you tens of thousands in compensation for every victim based upon the above
- From using the SIM Swap data as TMT Analysis has for some time, it’s clear that not all operators count a recent ‘port in’ event (i.e. where a new subscriber has brought their number onto that operators’ network) as a SIM Swap. For the avoidance of fraud, shouldn’t we since that is precisely what is happening in these cases?
The mobile industry has already shown a commendable sense of responsibility to start to get a grip on this type of fraud, and many are tightening their security controls still further to remove the threat of being hacked or of rogue employees being able to help target individuals, but the industry is only as good as the weakest operator so more needs to be done to tackle this problem. As the FBI points out, it is still growing exponentially in the USA with growth of over 1000% in 2021 so clearly more action is still both needed and welcome.
If you would like to know more about how to protect your business from the dangers of SimSwap attack then please drop us a line to discuss our range of products that can protect your customers firstname.lastname@example.org