SEC’s Twitter Breach Illustrates Urgency in Defending Against SIM Swap Attacks
Earlier this month, the U.S. Securities and Exchange Commission attributed a breach of its official account on X (formerly Twitter) to a SIM swap attack. On January 9, an unauthorized party gained control of the @SECGov account and posted an announcement that falsely claimed that the agency had approved the first-ever spot bitcoin exchange-traded funds (ETFs).
Subsequently, the cryptocurrency market experienced significant fluctuations, with bitcoin prices initially surging to nearly $48,000 from a daily low of just above $45,000. However, once the SEC clarified that it had not yet approved the Bitcoin ETF, prices rapidly dropped below $46,000.
Following the incident, and after a two-day evaluation in collaboration with the SEC's telecom carrier, it was concluded that an unauthorized party had gained control of the SEC cell phone number linked to the account through what appeared to be a SIM swap attack.
A SIM swap attack occurs when a phone number is moved to another device without the owner's consent, granting unauthorized access to SMS messages and voice calls meant for the victim.
After gaining control of the phone number, the unidentified individual proceeded to reset the account password. Due to the absence of multi-factor authentication (MFA) on the SEC account, the SIM swap and subsequent password change were the sole steps required to attain complete access to the agency's account.
What’s especially notable about this attack is not only its brazenness in targeting one of the world’s most important financial regulatory organizations (the SEC oversees and governs more than $350 trillion in fixed income, equity trading, and other financial transactions). It is also the ease with which the fraudsters carried out the SIM swap, which indicates the issue should be a top concern for all organizations.
The Growing SIM Swap Problem
According to the FBI’s 2022 Internet Crime Report, incidents of SIM swap fraud reached unprecedented levels, impacting more than 2,000 individuals and causing losses exceeding $72 million. This represented a 25% increase compared to the 1,600 cases reported in 2021.
Consumer complaints regarding SIM swapping fraud submitted to the FCC and FTC are consistently escalating each year. In a noteworthy case from early 2022, approximately 6,000 TracFone customers experienced the transfer of their numbers to other carriers, resulting in some customers losing access to their numbers for up to 12 days.
While mobile carriers and law enforcement agencies are working to adapt to these threats, attackers are simultaneously elevating the sophistication of their methods. Porting attacks are a type of fraud in which fraudsters use call porting to take over victims' online accounts (banking, crypto, etc.). Their advancement can be attributed to factors such as the availability of personal data on the dark web, the utilization of social engineering tactics, and deficiencies in current porting procedures.
How a SIM Swap Attack Occurs
To get the gist of the mechanics of a SIM swap, it's essential to first understand the function of a SIM card. A Subscriber Identity Module (SIM) card is a small electronic chip utilized in mobile devices, including smartphones, tablets, and some other connected gadgets. Essentially, it functions as a portable memory chip securely storing information necessary to identify and authenticate a subscriber on a mobile network.
The primary role of a SIM card is to establish a connection between the mobile device and the cellular network provider. It contains crucial data, including the subscriber's unique identification number, authentication keys, network authorization details, and other pertinent information. This data is integral for the network to recognize and validate the subscriber, granting them access to voice, messaging, and data services.
Upon inserting and activating a SIM card in a compatible device, it allows the device to connect to a specific cellular network. This connection empowers the user to make calls, send messages, and access the internet using the services provided by the network. SIM cards also facilitate features such as roaming, permitting subscribers to use their devices on other compatible networks during international travel.
A SIM swap typically begins with the attacker collecting personal information about the victim, including their full name, date of birth, address, and other details, through methods such as social engineering, phishing, or exploiting data breaches, as explained below.
Armed with this personal data, the scammer proceeds to contact the victim's mobile network provider, assuming the victim's identity. They claim to have lost their phone or SIM card and request the transfer of their number to a new SIM card. The attacker may present stolen personal information to persuade the provider to initiate the transfer. Additionally, instances have been documented where phone carrier employees, motivated by bribes, engage in illegal SIM swaps.
Once the mobile carrier accepts the attacker's assertions and transfers the victim's phone number to the new SIM card, the attacker gains control over the victim's phone number. This enables them to intercept calls, text messages (particularly those containing one-time passwords), and other communications directed to the victim's phone number.
SIM swapping scams pose a significant security threat, as they empower attackers to seize control of a victim's digital identity, compromise their accounts, and engage in financial fraud or other malicious activities.
Stopping SIM Swap Account Takeovers
To counteract Account Takeovers (ATOs) facilitated by SIM swap attacks, organizations need to protect passwords and One-Time Passcodes (OTPs) by actively assessing the legitimacy of transactions in real time. This involves leveraging phone number intelligence and associated trust indicators.
Numerous organizations in the financial services sector, as well as other vertical markets, depend on the Prove Identity® digital identity verification solution. This system employs a phone-centric identity approach that analyzes signals from the core telephony infrastructure, exclusive data sources, and Prove's extensive 15+ years of phone intelligence. By evaluating risks based on the historical activity of a phone number, it determines user validity, thwarting fraudsters from gaining unauthorized access to data and systems.
The solution incorporates Mobile Network Operator (MNO)/carrier data to promptly detect suspicious phone number behavior during critical events like financial transactions, password changes, phone number updates, and more. This comprehensive approach enables the identification of account takeover risks, device theft, unauthorized SIM swaps, and ports, among other potential threats.
Scammers exploit stolen information to trick mobile carriers into executing SIM swaps. After a SIM swap (also known as SIM jacking), fraudsters proceed to request and intercept One-Time Passcodes (OTPs) from the victim's bank accounts, cryptocurrency holdings, and social media profiles. Subsequently, they gain unauthorized access to these online accounts, swiftly emptying funds and often engaging in additional identity theft activities, such as obtaining new credit cards or loans. While individuals can take some preventive measures against SIM swaps, an important responsibility lies with financial institutions, banks, and companies to enhance their authentication systems.
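The check described above, consulting carrier signals for a recent SIM swap or port before trusting an SMS one-time passcode at a critical event, can be implemented as a policy function. This is an added example, not code from the original post or from Prove; the `PhoneSignals` fields, the cool-off windows and the 24-hour hard block are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class PhoneSignals:
    """Hypothetical carrier-derived signals; field names are assumptions."""
    last_sim_change: Optional[datetime]  # None: no SIM change on record
    last_port: Optional[datetime]        # None: number never ported
    lookup_ok: bool = True               # False: carrier lookup failed

# Assumed cool-off windows per critical event (policy choices, not standards).
COOL_OFF = {
    "password_reset": timedelta(days=7),
    "phone_number_update": timedelta(days=7),
    "financial_transaction": timedelta(days=3),
}
HARD_BLOCK = timedelta(hours=24)  # assumed: very fresh change on a credential event

def sms_otp_decision(event: str, signals: PhoneSignals, now: datetime) -> str:
    """Return 'allow_sms', 'step_up' (non-SMS factor required) or 'deny'."""
    if event not in COOL_OFF:
        raise ValueError(f"unknown event: {event}")
    if not signals.lookup_ok:
        return "step_up"  # fail closed: no signal means no SMS-only trust
    changes = [t for t in (signals.last_sim_change, signals.last_port)
               if t is not None]
    if not changes:
        return "allow_sms"
    age = now - max(changes)  # a negative age (clock skew) counts as recent
    if age >= COOL_OFF[event]:
        return "allow_sms"
    if event != "financial_transaction" and age < HARD_BLOCK:
        return "deny"  # route to manual identity verification
    return "step_up"

if __name__ == "__main__":
    now = datetime(2024, 1, 20, 12, 0, tzinfo=timezone.utc)  # constructed
    samples = {  # constructed inputs, not real account data
        "stable number": PhoneSignals(None, None),
        "SIM changed 2h ago": PhoneSignals(now - timedelta(hours=2), None),
        "ported 5 days ago": PhoneSignals(None, now - timedelta(days=5)),
        "lookup failed": PhoneSignals(None, None, lookup_ok=False),
    }
    for label, sig in samples.items():
        print(f"{label:20} -> {sms_otp_decision('password_reset', sig, now)}")
```

A `step_up` result means the SMS code alone is not accepted and a factor that does not depend on the phone number must also pass before the password change or transaction proceeds.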