Mobile phones are our constant companions, probably the most ubiquitous technology items that exist today. And yet, the smartphones that we know and love have only really existed for around fifteen years. In terms of technology, the pace of progress has been relentless, something that was highlighted when Vodafone auctioned off the first-ever SMS message sent in 1992 as an NFT for charity, eventually raising £90,000.
The supercomputers in our pockets bear little resemblance to the basic devices that fueled the rise of mobile communications back in the 1990s. But one legacy component is still pivotal to today’s mobile phones: the SIM card. And it’s something of an Achilles’ heel.
What is SIM swap fraud?
Because SIM cards lead a separate existence from phones, they allow users to move to another device with ease. Unfortunately, it’s not only legitimate users who find that ease of transfer useful. Fraudsters and scammers can initiate illicit SIM swaps, transferring the victim’s phone number to a SIM card they control. Alternatively, they can exploit weaknesses in the SS7 signalling network to intercept the calls and messages destined for the victim’s number.
Whichever approach they use, it means that they can read the SMS OTPs that banks and merchants commonly use as a second authentication factor – which in turn allows them to take over the account. They never even have to touch the victim’s device. Unfortunately, this isn’t a rare occurrence. On the contrary, it’s simple to do and happening with increasing frequency, one of the reasons why we are still talking about Account Takeover Fraud (ATO) in 2022.
Simple fraud, serious consequences
Smartphones have become an essential part of everyday life, and so has their use as authentication mechanisms. But whilst the phones have become more intelligent, the infrastructure and technologies that underpin them haven’t kept pace and were never designed with rigorous security in mind.
Relying on SMS OTPs (one-time passwords) as an authentication factor essentially performs analog authentication in a digital realm. That’s a mismatch that carries the risk of serious consequences.
As well as being something that bad actors find straightforward to bypass, SMS is also one of the primary channels that scammers operate in, and not only for SIM swap. SMS is a major attack vector for phishing and spear-phishing, often used by fraudsters to harvest the credentials used in account takeover fraud (ATO).
It’s not the only area of vulnerability. Social engineering is rife: fraudsters will often call up a telco and try to convince them that they’re the legitimate account holder, or simply request a PAC (Porting Authorisation Code) to port the number over to a new network.
If they’ve obtained the genuine user’s details from a data leak, from social media or simply by buying them on the dark web, there’s a good chance they’ll succeed.
The impact of SIM swap fraud
SIM swap fraud is traumatic and expensive for customers, and as things stand it is far too easy to fall victim to. Clicking on a single link in a message can have an instant, significant financial impact. That’s on top of the massive inconvenience of losing access to their phone number, a situation which can not only leave a victim incommunicado but potentially unable even to make an emergency call.
For businesses, the situation is every bit as severe. Defrauded customers have myriad channels available to them to express their dissatisfaction, and they seldom hesitate to do so – one of the reasons SIM swap fraud is headline news.
Any business that relies heavily on SMS OTPs as an authentication factor leaves itself and its customers open to attacks that could be avoided. The reputational damage from fraud can weigh heavier than any revenue loss – 21% of consumers will stop using any business named in a scam.
Stabilizing the house of cards
SIM swap fraud has been around for a while, but it’s rapidly becoming the attack vector of choice in regions such as APAC. Yet although mobile technologies have evolved quickly in the last few years, the way SIM swap fraud operates is largely unchanged, and that’s good news: it means that there are ways to combat it.
The single most effective step that a business can take is to look at its authentication strategies. Usernames and passwords have long been recognized as inherently insecure and vulnerable to data leaks, credential stuffing and malware. That’s why most businesses now use multi-factor authentication.
But often, the second factor is an SMS OTP – which, as we have seen, is incredibly vulnerable to SIM swap attacks. Not only that, but it puts any organization in the dangerous situation of authenticating in the same channel that fraudsters operate in. It’s just not tenable.
A passive approach to authentication brings another vital boon: it dramatically reduces friction in the customer journey. It is worth remembering that SMS OTPs are not only insecure but also an unwelcome extra step for users.
SIM swap fraud is avoidable. Fraudsters depend on businesses using outmoded technologies for authentication – essentially, using analog authentication in a digital world. Changing the technologies changes the game.
By Namrata Jolly, General Manager for Asia Pacific, Callsign