SIM swap fraud leaves two-factor authentication users at risk

Financial and online services need to abandon sending two-factor authentication tokens via SMS, as bad actors are using it not only to steal credentials and capture one-time passwords (OTPs) but also to cause financial damage to victims, an industry expert said.

Fabio Assolini, Senior Security Researcher at Kaspersky Lab, told TechRadar Middle East that phone numbers and SMSs were not designed to be used as two-factor authentication systems, as they are insecure.

But he said that financial and online services adopted it in the past because of the high adoption rate of smartphones and because sending a code via SMS is cheaper than providing an OTP device (such as an RSA token) to the user.

SIM swap fraud is becoming common in Africa and the Middle East, affecting countries such as South Africa and Turkey. Mozambique has experienced this firsthand, but there are also many cases in Brazil, the US, Europe and elsewhere.

Two cases were made public in the region; in the largest, in December 2018, a man had his phone number deactivated and the fraudster stole $1 million from his bank account.

What is a SIM swap fraud?

SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud exploits a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM, a feature normally used when a customer has lost their phone or had it stolen.

Fraudsters can thus deactivate your number and activate it on another SIM card. Doing this allows a fraudster to receive your calls and SMSs with tokens (OTP) and passwords.

Five ways fraudsters can gain access to your SIM

1. With the help of insiders working in telcos
2. Using telco employees’ credentials obtained via phishing attacks
3. Using malware
4. Direct and remote access to telco systems
5. Using social engineering: tricking a telco employee into activating a number on another SIM card

Assolini said the most secure way is to generate the token (OTP) in the provider’s app rather than sending it via SMS, which can be intercepted in the event of a SIM swap fraud.

“Telecommunications companies must strengthen their authentication processes, avoiding attacks like these. Actually, we described an interesting initiative of telcos and banks from Mozambique, where they implemented a national system that completely stopped all SIM swap frauds,” he said.

Moreover, he said that a fraudster can use a SIM swap to steal access to your e-mail account, social media or other online services that rely on password recovery via SMS or phone calls.

Kaspersky Lab research shows that mobile payments and the banking system are suffering a wave of attacks and people are losing money as a result. On average, fraudsters steal $2,500 to $3,000 per victim, while the cost of performing the SIM swap starts between $10 and $40.

“We suggest users activate the two-factor password in their instant messengers. It’s a short six-digit code you can configure in your account. Without this code, it’s impossible for fraudsters to load your account onto another phone, even if they did a SIM swap of your number. Always choose good online services that use two-factor authentication generated in-app, not sent via SMS,” he said.