The Federal Bureau of Investigation (FBI) is warning about a big uptick in scams using smartphone SIM swapping to defraud victims.
Subscriber Identity Module (SIM) swapping is an old trick, but the FBI has issued a new alert about it because of a massive leap in reported cases in 2021 compared to previous years.
Smartphones are critical tools for authenticating to online services, such as banks that use SMS for sign-in codes. It is a serious problem – if crooks can gain control of these services, they can access the victim's bank, email, social media, and bank accounts. Complaints to the FBI's Internet Crime Complaint Center (IC3) have skyrocketed in the past year.
SEE: Cybersecurity: Let's get tactical (ZDNet special report)
From January 2018 to December 2020, the FBI received 320 complaints related to SIM-swapping incidents with losses of approximately $12 million. In 2021, it received 1,611 SIM-swapping complaints with losses of more than $68 million, the FBI warned in a new public service announcement.
Scammers abuse the support services of mobile network operator call centers by calling them and posing as customers to get a new SIM card. The victim doesn't know a new SIM card is connected to their phone number, which gives attackers the access they need.
"Once the SIM is swapped, the victim's calls, texts, and other data are diverted to the criminal's device. This access allows criminals to send 'Forgot Password' or 'Account Recovery' requests to the victim's email and other online accounts associated with the victim's mobile telephone number," the FBI's IC3 warns.
"Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim's number, now owned by the criminal, to access accounts. The criminal uses the codes to login and reset passwords, gaining control of online accounts associated with the victim's phone profile."
To improve security, many organizations use SMS messages as a form of multi-factor authentication because the account owner is assumed to have control over the device. Codes delivered via SMS are convenient because of high adoption and the belief that SMS is better than just relying on a password that can be compromised. SIM swapping is one way for crooks to circumnavigate this security.
As Microsoft and others have argued, SMS is an insecure and unreliable way to deliver codes for authenticating to online accounts. Microsoft wants organizations to use apps, such as its Authenticator, because they're a harder target to compromise.
The FBI details the many ways in which attackers can not only dupe but also entice employees of mobile network operators for nefarious goals. From the attacker's perspective, the rise of cryptocurrencies like Bitcoin and exchanges' reliance on phones for authentication adds to the appeal of SIM-swapping scams.
"Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques," the FBI's IC3 says.
The attacker often impersonates a victim and tricks the mobile carrier's employees into switching the victim's mobile number to a SIM card in the criminal's possession.
"Criminal actors using insider threat to conduct SIM swap schemes pay off a mobile carrier employee to switch a victim's mobile number to a SIM card in the criminal's possession. Criminal actors often use phishing techniques to deceive employees into downloading malware used to hack mobile carrier systems that carry out SIM swaps," says the FBI's IC3.
SIM swapping is a real problem. T-Mobile in December confirmed SIM swapping was behind a major data breach. A former employee of a US mobile carrier was sentenced in October for taking bribes of up to $500 a day to swap phone numbers. Operators also lack procedures to help customers when they become victims of SIM-swapping scams, as detailed in a personal account in 2019 by ZDNet's mobile specialist Matthew Miller. It's a global problem for telcos, too. Australia's Telstra now flags to banks when a mobile number is ported to counter SIM-swapping attacks.
The FBI's tips for protecting yourself include:
- Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
- Do not provide your mobile number or account information over the phone to representatives that request your account password or pin. Verify who they really are by dialing the customer service line of your mobile carrier.
- Avoid posting personal information online, such as mobile phone number, address, or other personal identifying information.
- Use a variation of unique passwords to access online accounts.