SureCloud’s Principal Cybersecurity Consultant, Elliott Thompson was asked for his thoughts on the latest Which? Magazine investigation focusing on mobile phone SIMs.
Smartphones are a critical part of work and leisure for most of us today. We carry them with us everywhere. We use them to tap in and out of public transport, to pay for goods, to navigate around new places – and, of course, for online banking.
This means that cybercriminals have a whole new line of attack when it comes to stealing sensitive information. Elliott Thompson, our principal cybersecurity consultant, recently contributed to Which?’s coverage of precisely this issue – in particular, a scam called ‘Sim-Swap Fraud’. Reports of this scam to Action Fraud have increased by 400% over the past five years.
At its core, Sim-swap fraud is very simple. Fraudsters seek to gain control of a user’s mobile phone number, either by swapping the victim’s number to a new Sim card on the same network, or by moving the number to a different network altogether by requesting the Porting Authorisation Code (PAC), which in legitimate circumstances enables users to move networks without losing their phone number.
As Elliott explained, perpetrators will typically begin by seeking out the answers to the security questions asked by mobile networks – such as the user’s birthday, place of birth or mother’s maiden name – so that they can present these to the mobile operator and gain control of the number. If they can’t access such information, they may try social engineering techniques such as claiming to have suffered a recent bereavement, to convince the mobile operator to grant them access anyway. Either way, they focus on gathering intelligence and then convincing the network that they are the owner of the number in question – at which point they can ask for the number to be switched to a Sim card that they own.
Once the phone number is compromised, an agile attacker can quickly use the ‘I’ve forgotten my password’ function online – say, on a banking website – which then sends a code to the phone number in question. Provided the criminal has already gathered other credentials, such as usernames, this could be the final piece of the jigsaw, enabling them to access a bank account.
End goals such as ‘inbox viewing’ and ‘social media account takeover’ are often advertised as products on the dark web, underlining just how commercialised some aspects of the cybercriminal world have become. A myriad of different tools and techniques are incorporated into these packages, with the perpetrators simply using anything at their disposal to accomplish the objective. Illicit Sim-swapping can be a hugely effective part of this. Our research suggests that such packages can cost as little as $100.
As with so much of cybersecurity, a number of factors need to come together to battle Sim-swap fraud effectively. Users who receive unexpected texts supplying their PAC, or warning that a Sim port is being processed, should contact their network immediately. Unfortunately, as outlined in the Which? article, no mobile network currently offers a 24/7 customer services telephone helpline, although out-of-hours services can still put restrictions on users’ accounts in order to block unauthorised access.
Sometimes, however, users may not notice that anything is wrong until their phone unexpectedly loses service. In these instances, they should contact both their bank and their mobile network, just to be on the safe side.
But we can get more collaborative than this. As pointed out in the article, Mozambique now has a system in place whereby mobile networks flag to banks mobile numbers which have recently swapped Sims. This enables banks to carry out their own checks and cross-referencing. We need to see techniques like this taken up more broadly by major retailers and other online businesses. Whilst banks will typically require an additional level of verification beyond text and email, making them less susceptible to Sim-swapping, many e-commerce and digital businesses are not yet so stringent.
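One way a bank could act on such a network flag, as an added example that is not code from the article, from Which? or from SureCloud: before trusting a ‘forgotten password’ code sent by text, look up whether the network has reported a recent Sim swap or port for that number and, if so, require a stronger check instead. The feed format, the seven-day quarantine window and the sample numbers are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample feed: the most recent Sim swap or number port the network has
# reported for each number. The article describes networks flagging exactly this
# information to banks; the dictionary shape here is an assumption for the example.
RECENT_SIM_CHANGES: Dict[str, datetime] = {
    "+447700900001": datetime(2024, 5, 1, 9, 30),   # changed two hours before the request
    "+447700900002": datetime(2024, 3, 1, 12, 0),   # changed two months earlier
}

# Assumed policy: a code texted to the number is not trusted on its own for this long
# after a reported Sim change.
SWAP_QUARANTINE = timedelta(days=7)


def reset_decision(msisdn: str, now: datetime,
                   feed: Optional[Dict[str, datetime]] = None,
                   quarantine: timedelta = SWAP_QUARANTINE) -> Tuple[str, str]:
    """Decide how a password-reset request tied to this number should be handled.

    Returns ("sms_otp", reason) when a code sent to the number is acceptable, or
    ("step_up", reason) when the bank must verify the customer another way
    (in-app confirmation, call-back to a registered landline, branch visit, ...).
    """
    if feed is None:
        feed = RECENT_SIM_CHANGES
    changed_at = feed.get(msisdn)
    if changed_at is None:
        return "sms_otp", "no recent Sim change reported by the network"
    age = now - changed_at
    if age < timedelta(0):
        # A change timestamped in the future is bad data; fail closed rather than trust it.
        return "step_up", "Sim change timestamp is in the future"
    if age < quarantine:
        return "step_up", f"Sim changed {age} ago, inside the {quarantine} quarantine window"
    return "sms_otp", f"last Sim change was {age} ago, outside the quarantine window"


def handle_reset_requests(requests: List[Tuple[str, str]], now: datetime) -> List[dict]:
    """Apply the decision to a batch of (username, number) reset requests.

    Returns an audit log so that step-up decisions can be reviewed and, where a
    swap was fraudulent, correlated with the victim's report to the bank.
    """
    log = []
    for username, msisdn in requests:
        action, reason = reset_decision(msisdn, now)
        log.append({"user": username, "msisdn": msisdn, "action": action, "reason": reason})
    return log


if __name__ == "__main__":
    # Constructed batch: one number swapped this morning, one swapped months ago,
    # one with no swap on record.
    request_time = datetime(2024, 5, 1, 11, 30)
    batch = [("alice", "+447700900001"), ("bob", "+447700900002"), ("carol", "+447700900003")]
    for entry in handle_reset_requests(batch, request_time):
        print(entry)
```

The point of the quarantine window is that a legitimate customer who has just replaced a lost handset is briefly inconvenienced, while an attacker who has only just taken over the number finds that the texted code no longer opens the account on its own.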
The cybersecurity landscape is constantly evolving, with new threats constantly developing. To combat them, companies and end-users need to work together to spot and escalate suspicious activity.
Elliott Thompson, one of SureCloud’s Senior Security Consultants, delivers a variety of large and unusual pen-testing engagements. Elliott engages targets throughout Europe, Asia and the Middle East, from infrastructure testing and reverse engineering to physical, social engineering and red teaming. Elliott has also appeared on the BBC as a cybersecurity expert, is a CVE identifier, CHECK Team Leader and CREST Registered Tester.
Elliott is passionate about security and has contributed to various articles for Infosec Magazine, the BBC and the UK consumer watchdog Which?. Furthermore, last year Elliott discovered and disclosed an exploit on Android tablets, which allowed attackers full access to the device, including access to the webcam, speakers and microphone.
SureCloud is a provider of Gartner-recognised GRC software and CREST-accredited Cyber Security & Risk Advisory services. Whether buying products or services, your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products, enabling seamless integration of information and taking your risk programmes to the next level.