What is it and what can you do to avoid ‘SIM swapping’, the cyberattack that causes havoc and allows bank accounts to be emptied
If your mobile phone suddenly loses coverage, be worried: a new phone fraud known as ‘SIM swapping’ is being used by attackers to duplicate our phone number and, with that, usurp our identity, authenticate at our bank and steal all our money.
There are already victims of a fraud that has also been used for other purposes: Jack Dorsey, co-founder of Twitter, had his account on the service hijacked with the same technique, which once again exposes the weakness of SMS messages as a channel for two-step authentication. They were a good option originally, but as we said in the past, it is much more advisable to use independent authentication applications rather than SMS, which is increasingly vulnerable in this area.
Be careful, this horror story could happen to you
El País recently reported a case in which a user was suddenly left without coverage. He turned the mobile off, turned it on again, and nothing. When he got home he called his operator from another mobile, and it turned out that someone had impersonated him to request a duplicate of his SIM card at an operator store in another city.
Yesterday I suddenly lost my mobile line.
I called @vodafone_es and they didn't solve anything: “There is an incident in the network”, “Your line works perfectly”. I insisted on the problem and nothing.
When I left the cinema, I was still without a line. When I got home, my checking account had been emptied.
– Otto Más 🐉 (@Otto_Mas) September 5, 2019
That alerted the user, who quickly went to check his bank account and found that it had been blocked. His bank had detected strange movements: thousands of euros had disappeared and a loan worth 50,000 euros had been requested in his name. A real disaster that, according to Civil Guard officials, fits the upward trend in SIM swapping cases.
Yesterday another worrying case of this kind emerged: a Twitter user, Otto Más (@Otto_Mas), recounted very similar events. His mobile, on a Vodafone contract, stopped having a line, and when he got home and connected it to the WiFi he realized that “they had emptied my checking account” at Banco Santander.
Someone had duplicated his mobile line and, with the confirmation SMS, had made various transfers “taking the money little by little”. He was able to cancel the transfers and lock the account after several hours on the phone with the bank, but he complained about his operator's poor response and criticized the lax security checks required of anyone requesting a duplicate SIM card.
There are two clear problems here. First, ordering a duplicate SIM is relatively easy. Second, using SMS as a channel for two-step or two-factor authentication (2FA) has long been vulnerable to various attacks, and this is only the latest (but probably the most worrying) of them.
SIM swapping makes it possible to impersonate anyone, including the CEO of Twitter
This technique makes it possible to circumvent security measures that rely on the mobile phone to verify our identity, and that is dangerous in the financial sphere, as we have seen, but also in many other scenarios.
We’re temporarily turning off the ability to Tweet via SMS, or text message, to protect people’s accounts.
— Twitter Support (@TwitterSupport) Sep 4, 2019
This was demonstrated in recent days when Twitter co-founder and CEO Jack Dorsey suffered a similar attack that caused offensive and racist messages to suddenly appear on his Twitter account (@jack); they were later deleted.
The problem stemmed from that identity theft: a telephone operator in the United States (which one is not specified) allowed the attacker to obtain a duplicate of Dorsey’s SIM, which in turn let the attacker use the feature of posting to Twitter via SMS, one of the service's original features.
The offensive messages prompted an immediate reaction from Dorsey, who announced that Twitter was disabling posting to the platform via SMS.
The solution is in our hands (but also in that of the operators and banks)
As we said before, the problem with this cyber attack (which is not the only one that affects SIM cards) is that it has two very separate faces, each with its own solution, and the two are interdependent: if both are not solved, the problem remains.
The first lies with those who handle that information, the operators, who should be much more demanding when issuing duplicates of a SIM card. Identity checks here must be thorough to avoid the problems seen in these cases.
Banks, financial institutions and any other platform that continues to use SMS as a two-step authentication system also have homework to do. It is a popular and convenient method, but as we have seen it has been very vulnerable for some time, as security expert Bruce Schneier has pointed out. For this reason, all these companies should eradicate SMS from their two-step authentication systems and use other alternatives.
Among the most recommended right now are the authentication applications that replace SMS and can be installed on our mobiles. Microsoft Authenticator, Google Authenticator or Authy are among the best known, and if we can use them (the platform we work with must support that option) they are much more secure than authentication via SMS.
Even more interesting are U2F keys (Universal 2nd Factor keys), an open authentication standard that makes use of physical keys and whose latest evolution is the FIDO2 standard. Manufacturers like Yubico are well known for these solutions, and Google recently entered this segment with its Titan Security Keys, while also announcing that an Android phone can itself act as a security key.
Image | Andrey Metelev