Description of the Threat
As mobile numbers and SMS are increasingly used for two-factor authentication and one-time passwords, hackers try to get the number ported to another SIM and thereby gain access to all of the victim's personal online services. In the USA, these scams have doubled over the years: 2013 (1038), 2016 (2658), and currently the Spear Phishing -type attack is spreading in Africa. The generic attack vector is as follows:
1. Hacker acquires the target's usernames (on sale on various dark-web sites) for profitable accounts (Instagram, Bitcoin, online banking, etc.)
2. Hacker collects other essential information from the target's public footprint (mobile number, birthday, address, family members and their birthdays, etc.) or by going through the target's trash bin (bank statements, bills, copies of passports, visas, ID cards, driving licences)
3. With the above information, the hacker:
- Tries to break into the target's mobile operator online account and then swaps the number
- Tries to deceive the mobile operator's service personnel into swapping the number to a different SIM
- Gets the target's phone in his hands for a few minutes and orders the SIM swap
4. Hacker can reset the target's account passwords using the mobile number as a recovery method
Some current online service providers treat the mobile number as an irrevocable credential and authorise significant transactions on it, e.g., money transfers, online payments, and username and password changes.
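The risk in the paragraph above is that a service accepts an SMS code as proof of identity even though the number may have been moved to a new SIM minutes earlier. The following is an added example of a service-side check, not code from the original advisory: it correlates a per-number "last SIM change" timestamp (assumed to be obtainable from the mobile operator; the feed and the audit-log events below are constructed sample data) with password resets and money transfers, and demands a second, non-SMS factor when the number changed SIM recently or its history cannot be checked. The 7-day cool-down is an assumed policy value.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample feed: most recent SIM change per phone number. In practice
# this would be obtained from the mobile operator (assumption: such a lookup exists).
SIM_CHANGES: Dict[str, datetime] = {
    "+15550001111": datetime(2024, 3, 1, 9, 15),   # changed 25 minutes before alice's reset
    "+15550002222": datetime(2023, 6, 10, 12, 0),  # changed many months ago
    "+15550003333": datetime(2022, 1, 5, 8, 30),   # changed years ago
}

# Constructed sample audit log of the online service (one dict per event).
EVENTS: List[dict] = [
    {"ts": datetime(2024, 3, 1, 9, 40),  "user": "alice", "phone": "+15550001111", "action": "password_reset_via_sms"},
    {"ts": datetime(2024, 3, 1, 10, 0),  "user": "alice", "phone": "+15550001111", "action": "money_transfer"},
    {"ts": datetime(2024, 3, 2, 8, 0),   "user": "bob",   "phone": "+15550002222", "action": "password_reset_via_sms"},
    {"ts": datetime(2024, 3, 2, 10, 5),  "user": "carol", "phone": "+15550003333", "action": "view_balance"},
    {"ts": datetime(2024, 3, 2, 11, 30), "user": "dave",  "phone": "+15550004444", "action": "money_transfer"},
]

# Actions that the advisory says are authorised on the strength of the number alone.
SENSITIVE_ACTIONS = {"password_reset_via_sms", "money_transfer", "online_payment", "credential_change"}
# Assumed policy: a number is treated as untrusted for 7 days after a SIM change.
COOL_DOWN = timedelta(days=7)


def sim_change_age(phone: str, at: datetime,
                   sim_changes: Dict[str, datetime] = SIM_CHANGES) -> Optional[timedelta]:
    """Time since the last known SIM change for `phone` as of `at`; None if unknown."""
    last = sim_changes.get(phone)
    if last is None or last > at:
        return None
    return at - last


def assess(event: dict, sim_changes: Dict[str, datetime] = SIM_CHANGES,
           cool_down: timedelta = COOL_DOWN) -> str:
    """Decide how to treat one event: 'allow', 'step_up' (require a second,
    non-SMS factor) or 'ignore' (not a sensitive action)."""
    if event["action"] not in SENSITIVE_ACTIONS:
        return "ignore"
    age = sim_change_age(event["phone"], event["ts"], sim_changes)
    if age is None:
        # Fail closed: if the number's SIM history cannot be checked, an SMS
        # code alone must not authorise a sensitive action.
        return "step_up"
    return "step_up" if age < cool_down else "allow"


def flag_events(events: List[dict] = EVENTS, sim_changes: Dict[str, datetime] = SIM_CHANGES,
                cool_down: timedelta = COOL_DOWN) -> List[Tuple[str, str, str]]:
    """Return (user, action, reason) for every event that needs step-up authentication."""
    flagged = []
    for e in events:
        if assess(e, sim_changes, cool_down) == "step_up":
            age = sim_change_age(e["phone"], e["ts"], sim_changes)
            reason = "no SIM history" if age is None else f"SIM changed {age} ago"
            flagged.append((e["user"], e["action"], reason))
    return flagged


if __name__ == "__main__":
    for user, action, reason in flag_events():
        print(f"STEP-UP {user:6} {action:24} {reason}")
```

Run as a script it lists alice's reset and transfer (SIM changed less than an hour earlier) and dave's transfer (number with no SIM history); bob's reset on a number that has been stable for months is allowed and carol's balance view is not a sensitive action. The fail-closed branch is the design choice worth copying: the advisory's point is that the number alone is not a credential, so an unverifiable number should fall back to a stronger factor rather than to SMS.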
Protection
Protection against the above kind of Spear Phishing may be achieved with the following measures:
- Protect all your essential devices with anti-virus software, a VPN and a firewall.
- Do not download any apps or open unfamiliar pages on the device you use for essential online services.
- Ensure that your session is with the original account pages and not a proxied or man-in-the-middle page.
- Keep the personal information used to answer security questions out of public reach.
- Use strong passwords (> 12 characters; a sentence that makes sense to you, with letters replaced by numbers, symbols and capitals). Do not use variations of the same password in different accounts.
- Harden your mobile phone management account. Most mobile operators provide stronger access management than just a username and password.
- Use other numbers (another mobile number, a VoIP number) as the trusted phone numbers in essential accounts.
- Use other strong authentication methods (if the service provider offers them).
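The password advice above has two parts that can be checked mechanically: the length and character-class requirement, and the rule against reusing one password with trivial variations across accounts. The following is an added example, not code from the original advisory, of a small audit that applies both rules to a constructed set of account passwords. Variations are detected by reducing each password to a letters-only "stem" (lower-cased, with common digit-for-letter substitutions undone) and comparing stems by containment or a small edit distance; the substitution table and the distance threshold of 2 are assumptions of this example.

```python
import re
from typing import Dict, List

LENGTH_FLOOR = 12  # the advisory's "> 12 characters": a password must exceed this length

# Assumed table of common digit/symbol-for-letter substitutions to undo when
# comparing passwords (e.g. "blu3" and "blue" should collapse to the same stem).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def is_strong(password: str, length_floor: int = LENGTH_FLOOR) -> bool:
    """Length above the floor and at least three of: lower, upper, digit, symbol."""
    if len(password) <= length_floor:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def stem(password: str) -> str:
    """Collapse a password to its lower-case letter core so trivial variants match."""
    core = password.lower().translate(LEET)
    letters = re.sub(r"[^a-z]", "", core)
    return letters or password.lower()  # all-digit passwords keep their digits


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used on stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variation(p1: str, p2: str, max_distance: int = 2) -> bool:
    """True if the two passwords are the same password with a trivial variation."""
    s1, s2 = stem(p1), stem(p2)
    if s1 in s2 or s2 in s1:
        return True
    return levenshtein(s1, s2) <= max_distance


def audit(accounts: Dict[str, str]) -> List[str]:
    """Report weak passwords and pairs of accounts sharing a varied password."""
    findings = []
    items = list(accounts.items())
    for name, pw in items:
        if not is_strong(pw):
            findings.append(f"{name}: password too weak")
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            if is_variation(items[i][1], items[j][1]):
                findings.append(f"{items[i][0]}/{items[j][0]}: same password with trivial variation")
    return findings


# Constructed sample: four accounts, two of which share a password with a small twist.
SAMPLE_ACCOUNTS = {
    "bank":     "Blue-Kettle-Sings-At-Dawn-42",
    "email":    "blu3kettlesingsatdawn",
    "exchange": "Summer2019!",
    "social":   "Granite Owl Counts 17 Ferries",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNTS):
        print(line)
```

On the sample set the audit flags the email password (no upper-case or symbols) and the exchange password (too short), and reports that the bank and email passwords are the same phrase with a letter swapped for a digit, which is exactly the reuse pattern the advisory warns against: once one service leaks, the variant is a short guess away.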