Who would have thought that a simple phone number would become the gateway for cybercriminals? However, it is so. Let’s go in order.
For a few years (and recently there has been a resurgence as well) a computer scam called YES exchange which is based on mobile authentication. If the scam is successful, the thieves, by getting hold of your mobile phone number, will use it to access your sensitive personal data and even your bank account.
Table of Contents
HOW DOES THE SIM SWAP SCAM WORK?
Try logging into your account, which surely (after the PSD2 Directive regarding the security of online payments came into force) uses a two-step text-based authentication type. A complicated expression to say that, in essence, after entering the username and password (or owner code and pin, or similar combinations) the bank sends an access code to your mobile phone (also via SMS), so that it is possible to complete the login procedure.
What if scammers could change the SIM associated with your mobile phone? Simple: They would have full control over that number, and worst of all, they could receive the access code (or PIN) for your checking account.
From a technical point of view, cybercriminals take advantage of a weakness in two-step authentication and verification, where the legitimate SIM holder is expected to receive an SMS or a call to their mobile phone number.
Premise: the SIM contains the user data of mobile phones that use the GSM system. Without the SIM, the mobile phone would not be authorized to use the mobile network. For this reason, a cybercriminal with your phone number would already have an advantage. To steal it, scammers try to collect as much information about you as possible, even using “social engineering” techniques.
In practice, they call your mobile operator, posing as you, pretending to have lost or damaged your (ie your) SIM and asking to activate a new SIM (in your possession). In this way, your phone number is transferred to the fraudster’s device that contains, as we have just said, a new SIM. Alternatively, they may claim that they need help switching to a new cell phone.
HOW DO SCAMMERS ANSWER SECURITY QUESTIONS?
By various methods: Via phishing emails (it seems unbelievable but still today many are fooled by fake emails and provide sensitive data very lightly), searches on social networks, dark web or through malware / spyware installed more or less unknowingly on your PC.
Once you get your cell phone number, scammers can access communications between you and the bank, and most importantly, they can intercept text messages. This is how they get codes or password resets sent to that phone (more precisely: to that SIM) via phone call or text message for any of their accounts.
HOW DO CYBER CRIMINALS STEAL MONEY?
By setting up a second checking account in your name at your bank (where, as existing customers, checks might be “softer”), transfers between one account and another in your name may not raise any alarms.
I SOCIAL NETWORK AND LA TRUFFA SIM SWAP
A scammer can collect information about you through the data you first enter into your profile. Or in your posts. A bad idea is to use, as a security question, your date of birth or other data that anyone can easily trace (the name of the child, or the name of the house cat, etc.).
HOW DO YOU KNOW YOU ARE A VICTIM OF A SIM SWAP SCAM?
In some cases, red flags can be detected and prevent tech criminals from carrying out their attack. Are here:
1) Someone is Posting for You: Do you suddenly notice posts popping up on your social media accounts that you never dreamed of writing? It is a sign that someone has hacked into your account.
2) You can’t call or text: Aside from an obvious credit drain or major carrier issue, this is a sign of a high possibility that scammers have deactivated your SIM and are using your mobile number .
3) You are notified of a suspicious activity message: If your phone company warns you that your SIM or mobile phone number has been activated on another device, it is a clear sign that you have been attacked
4) You can’t sign in to your accounts: If your current account and credit card credentials no longer work, chances are they were stolen.
HOW CAN YOU PROTECT YOURSELF FROM SIM SWAP SCAMS?
There are several ways to avoid falling into sim swapping. Here are which ones:
Behaviors to stay online: Beware of deceptive emails and other ways criminals can try to access your personal data that would be used to convince your bank or phone company that you are the one making certain requests. Basically, never share information such as phone number, date of birth or other information on social networks, or in general on the web, which would be used by cybercriminals to “impersonate you” with the greatest possible credibility.
Account security:
Increase the security level of your mobile phone account with a single, very strong password and with more complex and less intuitive security questions and answers possible.
PIN:
If your phone company allows you to set a separate PIN, do so now. In this way you will have added an extra layer of security to your communications.
Identity:
Don’t build your identity authentication and security solely around your mobile phone number. This includes SMS, which are not encrypted.
Application for authentication:
To further increase the level of security, you can use applications such as Google Authenticator or Authy, which offers two-step authentication linked to your physical device and NOT your mobile phone number.
Hardware authentication:
It is probably the most secure to date, because it involves the use of physical keys that cannot be intercepted to log in to different services. One of these is Yubico, there is another one there Google Titan security key (not for sale in Italy yet)
Notices from the bank and the telephone company:
It is obvious that both are important, even more so if the latter can send you others related, for example, with the reactivation of a SIM.