SIM swap, the computer fraud that can empty your current account

Who I am
Martí Micolau
@martímicolau
SIM swap, the computer fraud that can empty your current account

What is it and what can be done to prevent it

Who would have thought that a simple phone number would become the gateway for cybercriminals? Yet it is so. Let's go in order.





For some years (and recently there has also been a resurgence) a computer fraud called YES swap which is based on mobile authentication. If the scam is successful, the thieves, by taking over your mobile number, will use it to access your sensitive personal data and even your bank account.

Here's where you can buy your new smartphone at the best prices

How does the SIM swap scam work?

Try to log into your account, which surely (after the entry into force of the PSD2 directive regarding the security of online payments) uses a type of two-step text-based authentication. A complicated expression to say that, in essence, after entering the username and password (or owner code and pin, or similar combinations) the bank sends an access code to your mobile phone (also via SMS), so that it is possible complete the login procedure.

What would happen if scammers were able to change the SIM associated with your mobile phone? Simple: they would have total control over that number and, worst of all, they could receive the access code (or PIN) of your checking account.

From a technical point of view, cybercriminals take advantage of a weakness in two-step authentication and verification, where the legitimate SIM owner is expected to be sent an SMS or a call to their mobile number.

Premise: the SIM contains the user data of mobile phones that use the GSM system. Without the SIM, the mobile phone would not be authorized to use the mobile network. For this reason, a cybercriminal with your phone number would already have an advantage. To steal it, scammers try to collect as much information about you as possible, even using "social engineering" techniques.



In practice, they call your mobile operator, posing as you, pretending to have lost or damaged their (i.e. your) SIM, and asking to activate a new SIM (in their possession). In this way, your phone number is brought to the scammer's device which contains, as we have just said, a new SIM. Alternatively, they may claim that they need help switching to a new cell phone.

InformaticsKings Mobile: 4G technology and up to 150 Mbit speed, discover the new offers in detail!

How do scammers answer security questions?

By various methods: through emails from Phishing (it seems incredible but still today many are deceived by fake emails and provide sensitive data very lightly), searches on social networks, on the dark web or through malware / spyware installed more or less unknowingly on their PC.

Once you get your mobile number, scammers can access communications between you and the bank, and most importantly, they can intercept text messages. This is how they receive codes or password resets sent to that phone (more precisely: to that SIM) via phone call or text for any of your accounts.

How do cybercriminals steal money?

By setting up a second current account with your name in your bank (where, being already customers, the checks could be "softer"), and the transfers between one account and another with your name may not raise any alarm.

Social networks and the SIM swap scam

A scammer can collect information about you through the data you first enter in your profile. Or in your posts. A bad idea is to use, as a security question, your date of birth or other data that anyone can easily trace (the name of the child, or of the house cat, etc.).



How can you tell that you are a victim of a SIM swap scam?

In some cases, warning signs can be detected and the techno-criminals prevented from carrying out their attack. Here they are:

1) Someone is posting for you: Suddenly you notice that posts appear on your social accounts that you never dreamed of writing? It is a sign that someone has hacked your account

2) You cannot call or text: Apart from an obvious credit run out or major operator trouble, this is a sign of a high possibility that scammers have deactivated your SIM and are using your mobile number

3) You are notified of a suspicious activity message: if your phone company warns you that your SIM or mobile number has been activated on another device, it is a clear sign that you have been targeted

4) You can't log in to your accounts: If your current account and credit card credentials no longer work, it is very likely that they have been stolen from you.

How can you protect yourself from SIM swap scams?

There are several ways to avoid becoming a victim of cyber-crooks. Here are which ones:

- Attitudes to keep online: Beware of deceptive emails and other ways that criminals may try to access your personal data which would be used to convince your bank or telephone company that you are the one making certain requests. Basically, never share information such as telephone number, date of birth or other data on social networks, or in general on the net, that would be used by cybercriminals to "impersonate" you with as much credibility as possible.

- Account security: Increase the level of security of your mobile phone account with a single very strong password and with security questions and answers that are more complex and less intuitive as possible

- PIN: If your telephone company allows you to set a separate PIN, do so now. This way you will have added an extra layer of security to your communications.

- IdentityDo not build your security and identity authentication solely around your mobile number. This includes SMS, which are not encrypted.

- Authentication app: to further increase the level of security you can use apps such as Google Authenticator o Authy, which offers two-step authentication linked to your physical device and NOT your mobile number.

- Hardware authentication: It is probably, to date, the safest, because it involves the use of physical keys that cannot be intercepted to log in to the various services. One of these is Yubico, another is there Titan Security Key by Google (not yet on sale in Italy)

- Notices from the bank and the telephone company: it is obvious that they are both important, even more so if the latter can send you further ones concerning, for example, the reactivation of a SIM.

And if you want to buy a new mobile phone, here you will find the best prices and the latest news

Audio Video SIM swap, the computer fraud that can empty your current account
add a comment of SIM swap, the computer fraud that can empty your current account
Comment sent successfully! We will review it in the next few hours.