For years, security analysts and researchers have warned about fraudsters’ increasing use of SIM-swapping techniques to target smartphones and other mobile devices, with the aim of compromising and taking over customer accounts. In turn, these threats raise the likelihood of identity and financial theft, especially as consumer banking has moved largely online.
A recent FBI report shows how pervasive these types of attacks have become.
The bureau’s Internet Crime Complaint Center reported that agents recorded about 1,600 SIM-swap complaints in 2021, with losses totaling about $68 million. By comparison, in the three years prior, the FBI received a combined 320 complaints, with losses to consumers estimated at $12 million.
SIM swapping is a well-worn technique that typically involves convincing a mobile operator's customer service employee to move a cellphone number to a different SIM card (a swap) or to port it to another carrier. In other cases, phishing or a malicious insider supplies the company and customer data that cybercriminals need to carry out the swap.
Whatever the specific technique, once the number is moved, cybercriminals and fraudsters can access various accounts by simply requesting account information and other details from specific services without alerting the victim.
“Once the SIM is swapped, the victim's calls, texts, and other data are diverted to the criminal's device. This access allows criminals to send 'Forgot Password' or 'Account Recovery' requests to the victim's email and other online accounts associated with the victim's mobile telephone number,” according to the FBI report.
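The FBI description above amounts to a detectable pattern on the service side: a burst of SMS-based "Forgot Password" requests against several accounts that share one recovery phone number, followed by a login from a device the account has never used. The following is an added example, not code from the article or from any vendor quoted in it, of detection logic that looks for both signals in authentication logs. The log lines, phone tokens, device IDs and IP addresses are all constructed for the example; a real service would feed its own reset and login events into the same two rules.

```python
"""Detect the SIM-swap account-recovery pattern in authentication logs.

Rule A: several distinct accounts sharing one recovery phone receive
        SMS-delivered reset codes within a short window.
Rule B: an SMS-delivered reset is followed within the window by a login
        from a device never seen on that account.
Constructed sample data; not real logs.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed events. Phone numbers appear only as opaque tokens ("ph_...").
SAMPLE_LOG = """
{"ts": "2022-03-01T10:00:05Z", "event": "password_reset_requested", "account": "alice@corp", "phone": "ph_7a1", "channel": "sms", "ip": "203.0.113.5"}
{"ts": "2022-03-01T10:01:40Z", "event": "password_reset_requested", "account": "alice_bank", "phone": "ph_7a1", "channel": "sms", "ip": "203.0.113.5"}
{"ts": "2022-03-01T10:03:10Z", "event": "password_reset_requested", "account": "alice_crypto", "phone": "ph_7a1", "channel": "sms", "ip": "203.0.113.5"}
{"ts": "2022-03-01T10:04:00Z", "event": "login_success", "account": "alice@corp", "phone": "ph_7a1", "device": "dev_new_91", "ip": "203.0.113.5"}
{"ts": "2022-03-01T11:30:00Z", "event": "password_reset_requested", "account": "bob@corp", "phone": "ph_c33", "channel": "email", "ip": "198.51.100.7"}
{"ts": "2022-03-01T11:31:00Z", "event": "login_success", "account": "bob@corp", "phone": "ph_c33", "device": "dev_known_12", "ip": "198.51.100.7"}
"""

# Constructed device history: (account, device) pairs seen before today.
KNOWN_DEVICES = {("alice@corp", "dev_known_03"), ("bob@corp", "dev_known_12")}


@dataclass(frozen=True)
class Alert:
    rule: str
    key: str       # phone token (rule A) or account (rule B)
    detail: tuple  # accounts involved (rule A) or (device, ip) (rule B)


def parse_events(text):
    """Parse one JSON object per line and return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def is_sms_reset(e):
    return e["event"] == "password_reset_requested" and e.get("channel") == "sms"


def detect(events, known_devices, window=timedelta(minutes=15), burst_threshold=2):
    alerts = []

    # Rule A: group SMS resets by recovery phone, slide a window over each group
    # and fire once per phone when the window covers >= burst_threshold accounts.
    resets_by_phone = defaultdict(list)
    for e in events:
        if is_sms_reset(e):
            resets_by_phone[e["phone"]].append(e)
    for phone, resets in resets_by_phone.items():
        for i, first in enumerate(resets):
            in_window = [r for r in resets[i:] if r["ts"] - first["ts"] <= window]
            accounts = sorted({r["account"] for r in in_window})
            if len(accounts) >= burst_threshold:
                alerts.append(Alert("sms_recovery_burst", phone, tuple(accounts)))
                break

    # Rule B: remember the latest SMS reset per account; a login from an unseen
    # device within the window after it is the takeover completing.
    last_sms_reset = {}
    for e in events:
        if is_sms_reset(e):
            last_sms_reset[e["account"]] = e["ts"]
        elif e["event"] == "login_success":
            acct, dev = e["account"], e["device"]
            t0 = last_sms_reset.get(acct)
            if t0 is not None and e["ts"] - t0 <= window and (acct, dev) not in known_devices:
                alerts.append(Alert("sms_reset_then_new_device", acct, (dev, e["ip"])))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG), KNOWN_DEVICES)


if __name__ == "__main__":
    for a in run_sample():
        print(a.rule, a.key, a.detail)
```

Rule A needs no carrier signal at all: a single recovery phone legitimately backs one person's accounts, so several of them being reset over SMS in the same quarter hour is the FBI's described sequence seen from the server. Rule B is the cheaper check for services that only hold one account per person. Both rules should route to an analyst rather than auto-lock, since a user who has genuinely lost a phone can also trigger them.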
One driver of this increase in SIM-swapping attacks is the pursuit of cryptocurrency by fraudsters and cybercriminals. The past 18 months have included several examples of this type of fraud. In April 2021, the U.S. Justice Department announced that a Massachusetts man pleaded guilty to belonging to a group that used SIM-swapping techniques to take over social media accounts, stealing about $530,000 in virtual currency.
Incidents such as these led the Justice Department in February to announce the creation of a National Cryptocurrency Enforcement Team, which is specifically designed to target criminal acts and frauds related to virtual currency.
These types of attacks are also not limited to the U.S. In February, Spanish police busted a cybercriminal ring that used SIM-swapping techniques to target victims’ bank accounts, according to various published reports.
While many of the recent headlines and reports about SIM-swapping attacks have focused on consumer victims, security experts warn that enterprises also need to be aware that cybercriminals, fraudsters and others can use similar techniques to target business data and networks.
Since SMS messages are still frequently used as part of the two-factor authentication process, fraudsters and cybercriminals can use SIM-swapping to target enterprise data with the same methods used to conduct account takeovers of consumers’ bank accounts, said Casey Ellis, the founder and CTO at Bugcrowd.
“Given SMS is still commonly used as a second factor for authentication, an obvious threat to corporations is the use of SIM swapping to gain access into the corporate network, either directly or through social engineering,” Ellis told Dice.
At a time when many employees continue to work remotely and rely more on smartphones and other mobile devices to perform their jobs, fraudsters using SIM-swapping techniques that target two-factor authentication can access personal data as well as enterprise-level data on the same device, said Hank Schless, a senior manager for security solutions at Lookout, which focuses on mobile security.
“As more organizations embrace a BYOD model, the line between work and personal devices is getting blurrier. This risk highlights how critical it is to have visibility into unauthorized access to corporate apps and infrastructure. If an attacker can gain access to an employee’s account through a successful SIM swap, they could use that as their entry point to the rest of the [corporate] infrastructure,” Schless told Dice.
Besides data that might reside on a single device, a successful SIM-swap attack could also allow fraudsters to move laterally within a compromised network, especially as more corporate apps have moved to the cloud.
“When using a legitimate account as their entry point, attackers have a greater chance of silently moving laterally around the infrastructure and exfiltrating or encrypting valuable data without being detected,” Schless said. “The nature of this attack chain, which goes from the mobile endpoint all the way to cloud-based apps and data, demonstrates how important it is to leverage modern security platforms that grant your organization visibility into everything across mobile, cloud and on-premises assets.”
An Ounce of Prevention
At a minimum, IT and security professionals should limit the number of personal mobile devices that employees bring onto corporate networks. At the same time, passwords used for home or personal devices should not be recycled for enterprise-level access, said Bud Broomhead, CEO at security firm Viakoo, which focuses on internet of things security.
“Ensuring that employees are not using personal passwords in their work environment can help to reduce the possibility of compromise, but the blurred lines between work life and home life are making it easier for cybercriminals to perform exploits aimed at enterprise systems and data,” Broomhead told Dice.
Businesses should also look at other ways to authenticate employees’ identity to ensure proper enterprise-level access to corporate data. “Enterprises should be more focused on multi-factor authentication involving biometrics - fingerprints, facial recognition and retina scans - to authenticate employees, not methods that rely on devices,” Broomhead added.