An Evolving Threat: SIM Swaps to Perpetrate Account Takeover
By Hal Granoff
According to Aite Group, account takeover (ATO) is the most common type of fraud occurring in digital channels. The analyst firm reports that 68% of surveyed financial institutions (FIs) name this as the number one threat they are currently facing [1]. Traditionally, ATO occurs when the victim’s credentials have become compromised and a thief gains access to an account for financial benefit. But lately, there have been reports of a new twist on this type of fraud. CNBC [2] and Krebs on Security [3] reported on the story of bitcoin trader Michael Terpin, who alleges he lost roughly $24 million in cryptocurrency when crooks fraudulently swapped the SIM card on his mobile phone account at AT&T in early 2018. Terpin is now suing AT&T for damages of more than $224 million.
But the story behind this isn’t about a trader losing millions from traditional account takeover. The real story here is that the scheme was as simple as a thief walking into a mobile phone store and convincing the employee to switch the victim’s SIM card to the fraudster’s phone. By doing this, the criminal gained full control of the victim’s mobile account through their own device. From there they were able to go through the password reset process and intercept the passcodes being sent to the customer’s phone to access and take over the accounts.
Identifiers versus Authenticators
It is no secret that there are identifiers that have evolved into authenticators despite their intended design (e.g., the Social Security number). Today’s phone numbers, however, go far beyond their originally intended purpose of providing a convenient and portable means to make a phone call. Mobile Network Operators (MNOs) never intended the mobile phone number to be used as a stand-alone authenticator, only as a unique identifier. And because of their mainstream availability, phone numbers have also changed the way companies think about how they authenticate their customers in the digital channel.
This notion of a mobile device, and more specifically the phone number associated with it, as a means to authenticate a customer has proven to be a challenge, especially when you consider how valuable that 10-digit number has become.
This point was reinforced in a separate article in Wired [4]. The author stated, “The cumulative danger of all of these data points becoming exposed—not just by T-Mobile but across countless breaches—is that it makes it easier for attackers to impersonate you and take control of your accounts. And while the passwords are bad news, perhaps no piece of standard personal information has more value than your phone number.”
So how can you protect this number for your customers? And how can you prevent this from happening if the ATO is taking place at the carrier level? Well, just like you can’t expect your neighbor’s dog to prevent your home from being burglarized, you have to go out and get your own dog, or in this case, solutions to help fortify your authenticators.
A better way to authenticate
So how can financial institutions (FIs) combat SIM card swaps if they have no control over fraud attempts made directly with the carrier? Corporations and FIs can now bolster existing one-time passcode (OTP) solutions with additional intelligence to deterministically validate mobile account changes and determine whether an OTP lands on the intended device.
The data provides financial institutions with the ability to cross-check customer information at the carrier level for signs of possible account takeover attempts such as a recent SIM swap, the porting of a phone number, or ownership changes on the account. FIs can leverage this technology to shore up high-risk transactions such as a login attempt or password reset for added assurance.
But what about the OTP for a mobile device now under the control of a fraudster following a SIM swap? MNO data can also be leveraged to tell you, before you send the OTP, whether or not there are red flags associated with the phone number or device in question. It can also tell you whether the OTP landed on the intended device, helping prevent customer ATO attempts. Most importantly, MNO intelligence is a passive authenticator that happens behind the scenes, invisible to your customers. This provides a friction-free experience for your good customers, while making it difficult for fraudsters to commit these types of attacks.
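As an added illustration (not the author’s text or Early Warning’s product code), the two checks described above in skeleton form: a pre-send gate over carrier signals for a recent SIM swap, number port or ownership change, and a post-delivery comparison of the device the OTP reached against the enrolled device. The field names, the seven-day risk window and the device identifiers are assumptions; the carrier records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy assumption: a change on the line this recent is treated as a red flag.
RISK_WINDOW = timedelta(days=7)


@dataclass
class CarrierSignals:
    """Hypothetical MNO intelligence record (field names are assumptions)."""
    sim_changed_at: Optional[datetime]    # last SIM change on the line
    ported_at: Optional[datetime]         # last port of the number to a carrier
    owner_changed_at: Optional[datetime]  # last change of account holder


def pre_otp_check(signals: CarrierSignals, now: datetime) -> Tuple[str, List[str]]:
    """Decide, before sending, whether SMS OTP is safe for this number.

    Returns ('send_sms_otp', []) when no recent change is seen, otherwise
    ('step_up', reasons): do not send the code over SMS and require another
    factor instead, since the number may no longer reach the customer.
    """
    events = (("sim_swap", signals.sim_changed_at),
              ("number_port", signals.ported_at),
              ("owner_change", signals.owner_changed_at))
    reasons = [label for label, ts in events
               if ts is not None and now - ts <= RISK_WINDOW]
    return ("step_up" if reasons else "send_sms_otp"), reasons


def post_delivery_check(enrolled_device: str, delivered_device: Optional[str]) -> str:
    """Compare the device the carrier reports the OTP reached with the enrolled one."""
    if delivered_device is None:
        return "unverified"   # no delivery receipt: treat as not proven
    return "match" if delivered_device == enrolled_device else "mismatch"


# Constructed sample records: one line swapped two days ago, one untouched.
NOW = datetime(2018, 8, 20, tzinfo=timezone.utc)
SWAPPED = CarrierSignals(NOW - timedelta(days=2), None, None)
CLEAN = CarrierSignals(NOW - timedelta(days=400), None, None)

if __name__ == "__main__":
    for name, rec in (("swapped", SWAPPED), ("clean", CLEAN)):
        print(name, pre_otp_check(rec, NOW))
    print(post_delivery_check("dev-enrolled", "dev-unknown"))
```

A password reset or login that returns `step_up` should fall back to a factor the SIM does not control (an enrolled app, a callback to a verified channel), and a `mismatch` after delivery should be treated as a failed authentication even if the correct code is entered.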
Understanding the vulnerabilities of mobile devices and their phone numbers has to be the first step for financial institutions, and frankly any company operating in the digital space, to adequately defend against these fraud threats. In doing so, FIs can have higher confidence that they know who they are interacting with on the other side of the device. More importantly, your customers just may sleep a bit easier knowing their FI is doing all it can to help prevent fraud.
Interested in learning more?
Understand how you can secure a variety of other types of high-risk transactions from threats in the digital channel by watching our webinar titled “Protecting Accounts, High-Risk Transactions and Mobile Apps.”
About the Author:
Hal Granoff is Sr. Director of Early Warning’s Authentication Solutions. In this role, he is responsible for expanding Early Warning’s Authentication Solutions, which are aimed at protecting financial institutions from the threat of fraud in their mobile and online platforms.
1. “Digital Channel Fraud Mitigation: Evolving to Mobile-First.” Aite Group, 2017.
2. “Cryptocurrency investor robbed via his cellphone account sues AT&T for $224 million over loss.” CNBC, Kate Rooney, August 15, 2018.
3. “Hanging Up on Mobile in the Name of Security.” Krebs on Security, August 16, 2018.
4. “Phone Numbers Were Never Meant as ID. Now We’re All At Risk.” Wired, Lily Hay Newman, August 25, 2018.