As smart technology gets smarter, so do fraudsters.
In one of the latest strategies for defrauding innocent customers, fraudsters are eyeing mobile phones. As it turns out, SIM card swapping attacks present an enticing opportunity for account takeover.
During these attacks, fraudsters take control of a victim’s phone number, bypass SMS-based account authentication, and steal credentials and cash.
While not everybody has heard of these attacks, they’re still responsible for major losses. People in the cryptocurrency space appear to be popular targets for this kind of attack. Just last year, more than 50 victims in California were drained of more than $35 million, with one blockchain consultant losing his entire life savings.
Because so many e-commerce and financial sites today rely on phone-based authentication and require customers to link phone numbers to accounts, fraudsters are increasingly attracted to the account access opportunities SIM swapping offers. Here’s what e-commerce merchants and their customers need to know about the risk.
SIM swapping is an account takeover fraud variation that takes advantage of a mobile phone provider’s ability to move a telephone number to a different SIM card. Because the SIM is what identifies a subscriber to the carrier network, whoever holds the SIM registered to a number receives that number’s calls and text messages, including the one-time codes that many sites send as a second factor. The fraudster does not need the victim’s physical SIM or the data stored on it; controlling the number is enough.
Once the number has been moved, the dirty work happens fast. The victim may see their phone lose service, get logged out of key accounts and see bank accounts quickly drained.
Even more frustrating for customers is that they think they’re taking all the right precautions to prevent this kind of fraud, like enabling two-factor authentication on apps, locking cell phones and using secure passwords.
In many cases, a fraudster begins the SIM swapping scam by gathering personal data on their often-wealthy target. They’ll use phishing emails to trick victims into revealing information like birth dates, Social Security numbers and passwords, or simply purchase that information on the dark web. Fraudsters might also scour social media and public websites to harvest personally identifiable information.
Once the fraudster has enough information on the victim, they take over the victim’s identity, contacting the victim’s cellphone provider, impersonating the victim and requesting the phone company port the victim’s number to a SIM card the fraudster controls.
SIM swapping may also occur directly in cell phone stores, with corrupt store employees moving a customer’s number to a new SIM card that ends up in the fraudster’s hands.
With control of the number, the fraudster can circumvent websites’ security features by intercepting one-time codes sent by text, resetting passwords and gaining access to bank and investment accounts. Some fraudsters will cash out accounts by converting balances to bitcoin, while others create new bank accounts under the customer’s name to mask withdrawals. Attackers will likely reset passwords on other accounts as well, including those for social media, email and cloud storage sites.
Because it’s so hard for customers to spot SIM swapping while it’s happening — and even harder for victims to undo the damage — it’s important for customers to know how to protect their accounts.
Before they click on a link in an email that requests sensitive information, customers should hover their mouse over that link to ensure they’re being directed to a trusted source. If the link isn’t legitimate, they should report suspicious emails directly to the company from whom the email allegedly came. Many companies, like PayPal, even have a dedicated email address for customers to send suspicious communications.
Enter sensitive data only on secure websites. Customers should look for addresses that begin with “https” and show the lock symbol, which confirm that the connection is encrypted and that the certificate was issued by a recognized certificate authority. The lock alone does not prove the site is the one it claims to be, since phishing sites use HTTPS too, so customers should also check that the domain name is the company’s real one.
Customers should ensure they have notifications set up on their phones to alert them when account information or passwords change. Some banks check, through the carrier, whether the SIM behind a customer’s phone number (identified by its International Mobile Subscriber Identity, or IMSI) has changed since the number was enrolled or within the last few days, and withhold one-time codes or require additional verification when it has, so that codes are sent only to the device on file.
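The following is an added illustration of that carrier check, not code from ClearSale or from any bank or carrier. It assumes a hypothetical lookup that returns the IMSI currently behind a number and the time of the last SIM change; the record layout, the 72-hour cooldown and all phone numbers, IMSIs and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy: a SIM that changed within this window is treated as suspect.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)

# Constructed stand-in for a carrier "SIM status" lookup (hypothetical API).
CARRIER_LOOKUP = {
    "+15550100001": {"imsi": "310150123456789",
                     "last_sim_change": datetime(2024, 1, 2, tzinfo=timezone.utc)},
    "+15550100002": {"imsi": "310150987654321",   # swapped ~26 hours before NOW
                     "last_sim_change": datetime(2024, 3, 14, 9, 30, tzinfo=timezone.utc)},
    "+15550100003": {"imsi": "310150555555555",   # differs from the IMSI on file
                     "last_sim_change": datetime(2023, 6, 1, tzinfo=timezone.utc)},
}

# Constructed account records: the IMSI captured when the number was enrolled.
ACCOUNTS = {
    "alice": {"phone": "+15550100001", "imsi_on_file": "310150123456789"},
    "bob":   {"phone": "+15550100002", "imsi_on_file": "310150987654321"},
    "carol": {"phone": "+15550100003", "imsi_on_file": "310150000000000"},
    "dave":  {"phone": "+15550100004", "imsi_on_file": "310150444444444"},
}

NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)


def otp_channel_decision(username, now=NOW):
    """Decide whether an SMS one-time code may be sent to this account's number.

    Returns ("sms_ok", reason) or ("step_up", reason). "step_up" means the site
    should fall back to a channel a SIM swap cannot capture (authenticator app,
    security key, or a manual identity check) before doing anything sensitive.
    """
    acct = ACCOUNTS[username]
    status = CARRIER_LOOKUP.get(acct["phone"])
    if status is None:
        # Fail closed: no carrier answer means we cannot vouch for the SIM.
        return ("step_up", "carrier lookup unavailable")
    if status["imsi"] != acct["imsi_on_file"]:
        return ("step_up", "SIM behind number differs from SIM on file")
    if now - status["last_sim_change"] < SIM_CHANGE_COOLDOWN:
        return ("step_up", "SIM changed within the last 72 hours")
    return ("sms_ok", "SIM unchanged since enrolment")


def rebind_after_step_up(username):
    """After the customer passes the stronger check, record the new SIM as trusted."""
    acct = ACCOUNTS[username]
    acct["imsi_on_file"] = CARRIER_LOOKUP[acct["phone"]]["imsi"]
    return acct["imsi_on_file"]


if __name__ == "__main__":
    for user in ACCOUNTS:
        print(user, otp_channel_decision(user))
```

Run over the constructed records, only alice is cleared for an SMS code; bob is held because his SIM changed the day before, carol because the SIM on the network is not the one enrolled, and dave because the lookup returned nothing. The fail-closed branch matters: a SIM swap that the carrier cannot report on should not silently fall back to sending the code anyway.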
The major service providers let customers assign PINs or passwords to their accounts, reducing the risk of a hacker making unauthorized changes. It’s important to remember, though, that this approach isn’t foolproof. Store employees may have access to these PINs and can put a customer account at risk.
While two-factor authentication helps customers protect accounts, codes sent by text message offer no protection during a SIM swap, because they go to whoever controls the phone number. Authentication apps or hardware security keys, which are tied to a device or key rather than to a phone number, are more effective.
Customers should also avoid posting personal data online — and that includes participating in social media quizzes whose answers can help fraudsters compromise accounts.
When it comes to fraud prevention, customers have a responsibility to monitor their accounts and information. But merchants should also put the solutions in place that can stop fraud before it does serious damage to a merchant’s reputation and revenue.
If you’re not sure you’ve got the right fraud solution in place, contact a ClearSale analyst today. They can help you analyze the different fraud protection solutions available to you and demonstrate why ClearSale’s robust hybrid approach is the solution of choice for vendors worldwide.