Large-scale SIM swap fraud
SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.
If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.
Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. But nowadays these mobile payments are suffering a wave of attacks and people are losing their money – all powered by SIM swap fraud conducted on a major scale.
Like many other countries, Brazil and Mozambique had a high rate of SIM swap fraud. Both countries speak the same language (Portuguese) and were facing the same problem. By using social engineering, bribery, or even a simple phishing attack, fraudsters take control of customers’ phone numbers in order to receive mobile money transactions, or to collect the home banking OTPs to complete a transfer of funds or steal users’ money. In Mozambique this sort of crime was all over the national news, with the media questioning the integrity of the banks and mobile operators, suggesting they may be colluding in the scams. The reputation of the banks and operators was at stake; something urgent needed to do be done to protect their customers.
In Brazil the problem was affecting not only average citizens but also politicians, ministers, governors and high-profile businessmen. Online banking customers were also experiencing losses from their accounts. One organized gang alone in Brazil was able to SIM swap 5,000 victims. At Mozambique’s largest bank they had a monthly average of 17.2 cases of SIM swap fraud; the true impact nationwide is difficult to estimate as most banks don’t publicly share statistics. As was the case in Brazil, some of the victims were high-profile businessmen who had up to US$50,000 stolen from their bank accounts.
In Mozambique a nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. This new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was an immediate reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and is considering making it mandatory for all banks.
In this article we’ll detail how very organized cybercrime developed their own ecosystem of fraud and how Mozambique was able to solve the problem of money being stolen in SIM swap fraud schemes, where mobile payments are an essential part of everyday life.
How the cybercriminals do it
The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organized crime groups, via social engineering or by obtaining the information following data leaks. Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.
After that the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; all the services that rely on an SMS or telephone call authentication can then be used.
We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.
Sometimes the target is the carrier, and not the customer. This happens when a carrier’s employees working in branches in small cities are sometimes unable to identify a fraudulent or adulterated document, especially branches located in kiosks or shopping malls, allowing a fraudster to activate a new SIM card. Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch from a small city, to give them access to the carrier’s system.
How much does a SIM swap of your number cost? It depends on how easy or hard it is to do. It’s easier with some carriers than others. A SIM swap for a famous celebrity or a politician can cost thousands of dollars. These are the prices stated on Brazilian underground forums, or occasionally on closed Facebook communities:
|Carrier A||Carrier B||Carrier C||Carrier D||Carrier E|
The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.
Brazil has a very organized cybercrime scene, and it’s only natural that its actors will export their techniques and tactics to their fellow cybercriminals acting in other countries, especially in other Portuguese-speaking countries (Portugal, Mozambique, and Angola).
Falling victim – me too
The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.
The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal. In a hotel last year while on a business trip my corporate smartphone suddenly lost its mobile connection, with no data or calls for about 30 minutes. I tried to solve the problem by connecting to any available network (I was using roaming so it wasn’t a problem), but all of them rejected my device:
As a final resort, I tried rebooting the device and connecting it again, with no success. After that I decided to call (using VoiP) the carrier I’m a customer of to find out what was going on. The operator told me someone had reported my number as “lost or stolen” and asked to activate it on another SIM card. This came as no surprise at all, because the number of victims in Brazil reporting the same problem is growing considerably. What was most surprising was the ease with which the employee gave me this information, as though it was nothing critical, suggesting it was a common occurrence for them. I immediately informed the operator about the ownership of the number, confirmed some personal information and the problem was quickly resolved.
Anyone can be a victim.
Brazil: extortion, WhatsApp and fintechs
WhatsApp is the most popular instant messenger in a number of countries where the app is used by Brazilian fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.
Brazilian TV has reported on several such cases, with one family losing US$3,000. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using WhatsApp accounts hijacked in a SIM swap. It’s like a BEC (Business E-mail Compromise) but using your WhatsApp account.
The fintech boom in Brazil started with companies offering credit cards and bank accounts with no fees, especially after the successful launch of Nubank in 2013. Since then, similar solutions have emerged, such as Banco Inter, Next, Digio and Neon, most of them tied to a digital account. Most of them still rely on two-factor authentication via SMS. The ease with which a SIM swap can be performed helped fraudsters find new ways of emptying users’ banking accounts. That’s what happened to the customers of popular Brazilian fintech meupag!, according to a report by Gizmodo Brasil.
The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app. Once this access is obtained the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.
Mozambique: bribery, banks and a solution
Mobile payments are huge in African countries. Traditional banks are not accessible in rural areas where poor farmers would literally have to walk hundreds of kilometers to reach the closest branch. Mobile operators saw this gap and took the opportunity to invest and diversify their business into micro-finance services and reach areas where there is mobile coverage – all that’s required is a basic mobile phone.
Mobile payment systems like M-Pesa have made a huge impact in Africa. In Mozambique approximately US$5 billion per year is transacted through this platform which corresponds to approximately 41% of the country’s GDP, and in more mature and populated markets like Kenya it goes up to US$33 billion or 48% of the total GDP volume.
Most local banks rely on a one-time password (OTP), with many preferring not to use physical or software tokens as this increases the cost and complexity for customers, especially those on low incomes. The banks therefore try to keep it simple, using an SMS as the second factor. This shows that, perhaps without them even realizing it, they share the responsibility of securing their customers’ bank accounts with the mobile operators.
Mobile fraud on the rise
With financial inclusion services prospering in Africa, the flip side is that it opens a world of opportunities to fraudsters. The population’s technological literacy is very low, especially those on lower incomes. Remarkably, many of the fraudsters are prisoners who somehow have access to mobile phones and a lot of spare time on their hands.
Most SIM swap frauds operate in the same way. There are syndicates that identify and collude with employees from the banks and mobile operators. The bank employee is responsible for providing information about an account balance and detailed information about the victim. Armed with this information, the fraudsters conduct a phishing or SMmiShing attack to gain access to the victim’s online banking account and its verification codes.
In the second part of the attack, since the banks use SMS for their OTPs, the criminals need to conduct a SIM swap or SIM card hijacking to redirect all the victim’s communications to a new SIM card that’s in their possession. To achieve this, these syndicates rely on some cooperation from mobile operator employees, though the latter can be easily tracked down and detained. This is why the criminals mostly make use of forged documents that are required by the operator for the SIM swap and present them at mobile retail stores as part of a fraudulent request for a new SIM card. The staff at these stores often don’t have sufficient training to detect forged documents, and even if they do, sometimes the documents are authenticated by an official notary who has been bribed.
Since a phone number can only work on one SIM card at a time, the victim’s original SIM card is immediately blocked and, voilà, the fraudster now has control of the victim’s mobile communications.
The solution adopted in Mozambique
A nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. The new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was a drastic reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and now wants to make it mandatory for all banks.
When a SIM card is hijacked there’s a good chance the fraudster will attempt to transfer funds from the bank account within minutes of the SIM swap to prevent the original owner from having enough time to complain to the mobile operator and regain control of the number.
After a subscriber’s number is blocked following a SIM swap, the victim usually thinks there’s a network problem and only when they realize that other people nearby still have a network connection do they decide to contact the call center from another phone or physically go to a retail shop to find out what is going on. There have been cases like Fabio’s above in which the fraudsters know the victim and wait until the target travels to another country so that it’s even harder for the person to go to a retail store and regain control of the mobile number. If the user has not turned on roaming, they typically only regain control of their numbers within one or two days.
How the solution works
All mobile operators in Mozambique made a platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period. The bank then decides what to do next.
Most banks block any transaction from a mobile number that has undergone a SIM card change within the last 48 hours, while others opt for the longer period of 72 hours. This period of 48-72 hours is considered a safe period during which the subscriber will contact their operator if they have fallen victim to an unauthorized SIM card change.
There’s also the possibility that the mobile owner has legitimately changed their SIM card, and therefore unable to perform an online transaction for the next 48 hours. In such cases, some of the banks we spoke to have a process that requires face-to-face verification in a branch office – a reasonable compromise in the circumstances.
- The banks are connected to different mobile operators through a VPN connection so that all traffic is secure.
- The online banking system conducts a REST API query to the respective mobile operator giving the mobile number (MSISDN) and the period (24-72 hours) as arguments.
- The mobile operator simply returns in real time: True or False.
- If the query is False, the bank allows the transaction as normal. If True, the bank blocks the transaction and may request additional steps to verify the transaction.
It is important to reiterate that the mobile operator does not share personal identifiable information (PII) with a third party, in this case banks. The national regulator for communications deemed the sharing of non-identifiable information by operators with the banks to be a case of national interest.
Once the platform was implemented, the level of online banking fraud stemming from SIM swap attacks fell dramatically, with almost no cases involving banks that have implemented the anti-SIM swap platform. As a result, we saw an increase of WhatsApp hijacking in Mozambique, similar to what happened in Brazil.
Conclusion: how not to be the next victim
Voice and SMS must be avoided as authenticity mechanisms
Mobile operators rely on legacy protocols for communication such as Signaling System No. 7, or SS7, which was initially developed in the 1970s. This protocol has security flaws that allow the interception of SMS messages or voice calls. By today’s standards the phone/SMS is no longer considered a secure method of authenticity if you want to protect high-value information such as bank accounts. An attack on Reddit in 2018 was a wake-up call for most companies.
The National Institute of Standards and Technology (NIST) in the USA explicitly deprecated the use of SMS for 2FA in a special publication, stating:
“Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.” (NIST 800-63B)
Some banks use software tokens that can be bound to a phone IMEI number (unique identifier); however, the difficult process of enrollment and maintaining changes, for example, when the user replaces the phone, deter many financial institutions.
When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.
The new era of biometrics
Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as “my voice is my password” – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrollment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.
Automated SMS: “Your number will be deactivated from this SIM card.”
When a SIM change is requested, operators can implement an automated message that’s sent to the number alerting the owner that there’s been a SIM change request and if it’s not authorized, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself, it will instead alert the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.
Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.
As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In the case of Mozambique, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.
Activate 2FA on WhatsApp
To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.
Request your number be unlisted from TrueCaller and similar apps
TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.
Despite the fact that attacks on 2FA with the use of tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.
Incoming search terms