SIM Swap - The Silent Hacker


Mobile phone operators' infrastructures are coming under attack due to the 'fake news' that the new 5G networks, using Chinese technology, are the cause of the COVID-19 outbreak. As a result, over 126 masts have been burnt in recent weeks.

At a time of national crisis, the last thing needed is a large hole in our mobile network, as we rely so much on mobile phones, both for personal and business use.

This is precisely why the mobile device is a focus for hackers: it holds so many forms of identification about individuals and their habits, such as which apps are used, time spent on the device, locations and even the device's own fingerprint. This has led to a 220% increase in SIM swap fraud since 2017.

The scam begins with a fraudster gathering details about the victim, whether through phishing emails, by buying information from organized crime groups, via social engineering, or by obtaining the information following data leaks.

Once the fraudster has obtained the necessary details, they contact the victim's mobile telephone provider and use social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. For example, they impersonate the victim, claim to have lost their phone, and ask for the number to be activated on a new SIM card.

SIM swap fraud is a type of account takeover that generally targets a weakness in two-factor authentication and two-step verification, where the second factor, or step, is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator's ability to seamlessly port a telephone number to a new SIM.

Attacks like these are now widespread, with cyber-criminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS, but also to cause financial damage to victims.

The stealing of a phone number can cause considerable damage. The fraudster may be able to trick automated systems, such as a bank's, into thinking they are the victim when they call customer service. Worse still, they can use the hijacked number to break into work emails and documents.

Given that fraudsters target mobile phone numbers, any data loss that includes user contact details and phone numbers provides an ideal mechanism to speed up a breach investigation, as a SIM swap can be the first indicator that a breach has happened.

As GDPR demands notification within 72 hours of a breach being detected, searching millions of records is not practical; what is needed is to reduce the number down to a manageable size.

Traditional approaches to investigating a breach involve ploughing through firewall and server logs to identify any unusual behavior. If the data is outside the corporate network, such as in the cloud or on a home worker's PC, this becomes even harder, and deciding whether a data leak or theft has happened takes longer.

What is required is a SOAR (Security Orchestration, Automation and Response) platform to be configured to take the data which might have been stolen and perform automated tests to see if the data has been modified or is located in unusual places, such as the Dark Web. This process can reduce the total number of records under investigation to only those which match a change.

Our work has proven that we can reduce a ten million record database down to a manageable 20,000 records, which makes the deeper investigation much simpler.

The SOAR platform can be designed to interrogate many different sources or datasets using Playbooks. A Playbook is a scripted flow designed to automate a search into a given area. An example would be querying a third-party database, such as a mobile phone carrier's, to check a SIM status such as 'swapped'.

If a SIM swap has been identified, the platform may check other markers such as the date of change. If this falls within the expected timeline of the data theft, the number and its corresponding record can be pulled by the platform to enable more in-depth investigation, such as current location, who it was transferred to and whether a third party is involved, such as a bank. If these markers indicate a positive change to the data, the platform takes the results and feeds them back to the investigation team for further analysis.

The status of investigations can be added into a ticketing system by the SOAR platform, providing a recognized escalation process and ensuring decisions can be taken by the correct management within timeframes, possibly set to meet any ICO notification deadlines.
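The playbook flow described above (check each leaked number's SIM status against a carrier dataset, keep only those swapped within the theft window, then escalate the reduced set with a 72-hour notification deadline) can be sketched in a few lines of Python. This is an added illustration, not code from the article or from any particular SOAR product; the carrier lookup, the leaked records and the dates are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample of leaked customer records (hypothetical, not real data).
LEAKED_RECORDS = [
    {"customer_id": "C001", "msisdn": "+447700900001"},
    {"customer_id": "C002", "msisdn": "+447700900002"},
    {"customer_id": "C003", "msisdn": "+447700900003"},
    {"customer_id": "C004", "msisdn": "+447700900004"},
    {"customer_id": "C005", "msisdn": "+447700900005"},  # unknown to the carrier
]

# Constructed stand-in for a carrier's SIM-status dataset: number -> status and
# the time the SIM last changed. A real playbook would call the carrier's API.
CARRIER_SIM_STATUS = {
    "+447700900001": {"status": "swapped", "changed_at": "2020-04-10T09:12:00"},
    "+447700900002": {"status": "active", "changed_at": "2019-11-02T14:00:00"},
    "+447700900003": {"status": "swapped", "changed_at": "2020-01-05T08:30:00"},
    "+447700900004": {"status": "swapped", "changed_at": "2020-04-12T17:45:00"},
}


def lookup_sim_status(msisdn):
    """Hypothetical carrier lookup; returns None when the number is unknown."""
    return CARRIER_SIM_STATUS.get(msisdn)


def sim_swap_playbook(records, theft_start, theft_end, lookup=lookup_sim_status):
    """Reduce a leaked record set to those whose SIM was swapped inside the
    suspected theft window. Numbers the carrier does not know, numbers that
    were never swapped, and swaps outside the window are all dropped."""
    flagged = []
    for rec in records:
        status = lookup(rec["msisdn"])
        if status is None or status.get("status") != "swapped":
            continue
        changed_at = datetime.fromisoformat(status["changed_at"])
        if theft_start <= changed_at <= theft_end:
            flagged.append({**rec, "sim_changed_at": changed_at.isoformat()})
    return flagged


def build_escalation_ticket(flagged, detected_at, notify_within_hours=72):
    """Produce the ticket the playbook would hand to the investigation team.
    The 72-hour default mirrors the GDPR notification window cited above."""
    return {
        "title": "Possible SIM swap following data theft",
        "record_count": len(flagged),
        "customer_ids": sorted(r["customer_id"] for r in flagged),
        "detected_at": detected_at.isoformat(),
        "notify_by": (detected_at + timedelta(hours=notify_within_hours)).isoformat(),
    }


def run_example():
    """Run the playbook over the constructed data and return the ticket."""
    theft_start = datetime(2020, 4, 8)
    theft_end = datetime(2020, 4, 14)
    flagged = sim_swap_playbook(LEAKED_RECORDS, theft_start, theft_end)
    return build_escalation_ticket(flagged, detected_at=datetime(2020, 4, 15, 10, 0))


if __name__ == "__main__":
    print(run_example())
```

Only the two numbers swapped inside the window (C001 and C004) survive the filter; the swap from January and the number the carrier has never seen are discarded, which is the reduction step the article relies on to bring millions of records down to a set an investigator can actually examine.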

In the current climate, the speed of investigation will be essential. Without reducing the footprint of the data in question, doing things quickly becomes a challenge.

Automating the process, and having access to multiple datasets to check against, is critical in winning the war against cybercrime and mitigating the possible fines for data loss, or indeed paying a ransom when the data was never taken in the first place.
