SIM swap schemes threaten mobile payments

One Friday in 2019, Twitter users got a shock when CEO Jack Dorsey appeared to be retweeting offensive posts such as “Nazi Germany did nothing wrong.” Dorsey hadn’t lost his mind, only control of his texts — and his @Jack handle. He had become the victim of a SIM swap hack, a cybercrime that targets mobile phone users.

"For Mr. Dorsey and his followers, the security breach caused alarm and offense," Federal Communications Commissioner Geoffrey Starks recounted last September. "For other victims, there have been even more devastating consequences, from drained bank balances to lost email accounts containing years of communication," he said as the FCC announced it would begin drafting rules to stop such frauds.

"Protecting consumers from these kinds of scams will require systemic changes," Starks said in his Sept. 30 statement.

The FCC was spurred on by a 2020 Princeton University study that suggested the crime is on the rise, Commission Chairwoman Jessica Rosenworcel said in her own September statement. "SIM cards are increasingly at the center of scams involving our mobile devices," she explained, noting how ubiquitous mobile devices have become in Americans’ lives and how recent carrier data breaches increase the likelihood of such attacks.

Rosenworcel also cited a 2020 Twitter post from Sen. Ron Wyden (D-OR) in which he called on the FCC to "step up and protect consumers by holding carriers accountable when their systems fail to protect against SIM swapping."

In a SIM swap — also known as SIMjacking — fraudsters take on another person's identity, contact a cellphone provider, and falsely claim to be activating that person's new phone. They attempt to persuade the telecom carrier to share the data stored in the Subscriber Identity Module (SIM) of the victim’s phone by moving that information to the new phone (the SIM is a thumbnail-sized card inside the phone). If successful, the criminal gains access to what may be a treasure trove of financial accounts from which to steal.

Once the fraudster ports the data held on the victim's SIM card to a new phone, it's possible to take over banking and payment apps, even if resetting the passwords requires two-factor authentication because the password change is being texted to the new phone.

Often, the first sign users have of the con is when their phones stop working; or if they are within range of Wifi, the phone in their hand may start pinging with updates about account and password changes.

"With all the data breaches, it’s not surprising the bad guys already have the users’ credentials or can easily have access to the users’ accounts," said Karin Tansey, senior director of product management for authentication and mobile products at Early Warning Services, speaking in a recent webinar. EWS is the owner and operator of the Zelle payments network.

The FCC proposed changing rules for customer proprietary network information and local number portability to force telecom companies 1) to authenticate callers are who they say they are before transferring a consumer's number to a new phone or carrier and 2) to require carriers to notify customers immediately when such SIM changes are made. A comment period on the rules ended last year and the agency has yet to act on final regulations.

FBI charts increasing SIM swap complaints

This month, the FBI issued a statement warning consumers that criminals are increasingly using SIM card swap schemes to steal money, including cryptocurrencies.

While the agency’s Internet Crime Complaint Center logged 320 complaints on such incidents, with losses of about $12 million, over the three-year period from 2018 through 2020, it received five times that many complaints last year — 1,611 — with losses of about $68 million, the Feb. 8 FBI statement said. Those figures may be conservative, given they only include those people who bothered to file a complaint.

The popularity of digital wallets, peer-to-peer payment apps and mobile banking has opened this new front in cybercrime. With 40% of banking customers now saying a bank’s digital and mobile features are the key factor in choosing one bank over another, criminals have followed.

And the rise of cryptocurrency has added an incentive for these criminals; crypto investors have been bilked of millions. In one case last year, a 21-year-old from California was indicted for allegedly leading a ring that defrauded more than 40 victims. In December, a defendant in New York acknowledged in his guilty plea being part of a ring that stole $23.8 million from a cryptocurrency investor through a SIM swap scheme.

SIM swaps are becoming more frequent, thanks to the growth in cryptocurrency use, contends Limor Kessem, global security advisor for financial services at computer giant IBM. Cybercriminals not only target large amounts, they remain anonymous by easily moving the cryptocurrency to "blenders," or untraceable wallets.

"How do you begin to describe the threat something poses when you have online help guides to help create that threat and materialize that threat?" asked Javed Shah, vice president of product management at 1Kosmos, which provides secure identity authentication. He explained that sites on the dark web offer SIM swapping services for anywhere between $40 and $200 to any would-be fraudster, making it a lucrative scam that doesn't require great hacking skills.

To be sure, some telecom companies dispute the notion that this fraud is on the rise. In a November comment on the proposed FCC regulations, AT&T wrote that, by its calculation, 99% of SIM changes and related phone number changes, are legitimate. "Far from posing a large or increasing threat, fraudulent SIM swaps and port-outs comprise an exceedingly small number of all such transactions processed," the carrier said. Nonetheless, AT&T has a vested interest in downplaying the issue as it seeks a lighter regulatory touch in the area.

How to combat SIM swapping

SIM swapping fraud hasn’t gotten the same attention as threats such as ransomware, perhaps because there is little individual users can do to prevent it.

"Because of the way these attacks happen, there's no mistakes required on the end user's part," said Allison Nixon, the chief research officer at cybersecurity firm Unit 221B. "It's actually an attack against the (financial) institution itself and the (mobile) service provider. So because of that, it's really up to the institutions and the service providers and those companies to actually solve this problem."

Nonetheless, it’s not that easy for the institutions to thwart the incursions.

"The threat of SIM swaps can be challenging for payment platforms and banks to counteract on their own," said IBM’s Kessem via email. "Reducing the chance of a SIM swap is also an effort that must involve telecommunication service providers which must grow awareness of these threats and implement more stringent internal controls."

Revenue flowing to digital identity vendors is expected to double to $53 billion in the next five years, as more companies — especially in sensitive industries such as banking and healthcare — struggle to securely identify their clientele, according to a study by Juniper Research.

The FCC’s rulemaking leans toward increased training to boost mobile companies’ employee awareness of SIM swapping attacks and other methods to deter the attacks, such as a 24-hour delay before a SIM card can be activated, noted Ian McGinley, a white-collar crime investigations partner at the law firm Akin Gump Strauss Hauer & Feld.

Multifactor authentication (MFA) is one tool that’s been deployed widely by financial institutions, but many protocols rely on texting a verification code to the user’s phone — the one that’s been hijacked by the fraudster — so new ways to authenticate users must be leveraged.

"NIST has taken notice" said Early Warning’s Tansey, referring to the National Institute of Standards and Technology. The government agency, which promotes tech guidelines and innovation, has updated its digital identity guidelines, determining that email and voice-over-IP (VoIP) calls were not viable methods for delivering security codes to validate a log-on. It also determined that text messaging "needs additional fortification to continue to be used," Tansey said.

Using a hardware token separate from a user’s phone that generates security codes is one solution, as is combining geolocation and other data to spot potential fraud. Just as some websites require a user to access the site from an IP address related to the user, authenticating programs can verify that the new phone is being used in a location where the user typically does business with the institution, and not some faraway country where a fraudster is based. If those don’t match, the institution can require additional proof of identity before granting access.

Using biometric markers such as voice-prints to back up authentication can also prevent SIM swapping. In that case, authorizing the new phone to access accounts would require a voice-print from the actual user, something harder for the criminal to fake.

"You have to think outside the box to ensure the security, because ultimately it's not just about the SIM," said Shah of 1Kosmos. Identity proofing has to evolve to allow institutions to "KYC" — know your customer — on mobile channels securely. "They could force you to install an app on your phone, which would be a little bit of a turn-off. You'd be like: 'Now I have to do this? I have 40 apps already.'"

E-commerce 'friction' complicates the situation

The downside of all of these measures is increased friction for users, an undesirable slowdown in a transaction that cuts into companies’ digital volumes, Nixon said. Most protections against SIM swapping increase both customer acquisition and retention costs, and those protections can add hurdles to the consumer experience, butting up against the ability to do e-commerce.

"So another thing for the payment industry to think about is: How can you implement these security protections and find a way to do it without impacting your bottom line?" said Nixon. "Because, once it starts impacting your bottom line, it's going to get a lot more financially and politically difficult within your company to implement this."

But SIM swapping has spread beyond a few high-net-worth individuals and crypto investors, and is threatening a wider swath of financial services, she added. By threatening the basic identity authentication, SIM swapping "is breaking the threat model," she said.

"We haven't even reached the ceiling of harm yet. We haven't even seen the potential of fraud that could happen," Nixon said. "The only limitation right now is that the SIM swappers have not fully used their imaginations in terms of how much they can steal."

Between the regulation and some recent lawsuits brought by crypto investors — one sued AT&T last September for failing to protect his mobile account from a SIM swap — organizations may have more of an incentive to tackle this problem, Akin Gump’s McGinley said. AT&T is fighting the customer’s complaint in the U.S. District Court for Southern Texas.

McGinley, who prosecuted a number of cases of SIM swapping formerly as co-chief of complex fraud and cybercrime for the U.S. Attorney’s Office in the Southern District of New York, has some advice in light of the risks: "It’s wise to be vigilant in this space."