Dec 23 2020

How to Detect and Prevent a SIM Swap Attack

These attacks pose significant security risks for businesses. Here’s how companies can protect their users.

As remote work evolves from operational outlier to de facto staff standard, enterprises face a critical challenge: ensuring employees can access resources and collaboration capabilities without compromising security.

While firms have already made significant strides toward minimizing broad risks with identity and access management (IAM) tools and multifactor authentication (MFA) solutions, there’s a new threat on the horizon: SIM swapping.

Organizations need to know the basics of SIM swap fraud as well as how to detect and prevent this type of attack in order to better manage MFA security at scale.

What Is SIM Swap Fraud?

According to a recent FBI intelligence bulletin, SIM swapping is now a popular tactic used by attackers looking to circumvent multifactor authentication frameworks. But how does it work?

It all starts with the subscriber identity module (SIM) cards used by cellular devices to store user data and connect to Global System for Mobile Communications (GSM) networks. SIM dimensions are largely standardized, meaning that users moving to another device but wanting to keep their existing data can simply remove their current SIM and reinstall it in a new device.

SIM swap fraud — also called SIM splitting or simjacking — occurs when attackers impersonate users and attempt to convince cellular providers that they’ve lost or damaged the original SIM card and need all user data moved to a new SIM card in their possession. If successful, this effectively transfers ownership of the mobile number to attackers, leaving legitimate users cut off from their mobile networks — and enterprises exposed to potential cyberthreats.

Armed with user information stored in SIM cards, malicious actors are often capable of recovering passwords used for everything from e-commerce sites to corporate email accounts. What’s more, they can intercept one-time SMS messages used for MFA and “prove” to enterprise networks that they’re legitimate users — all without alerting users or IT teams.

How Do Attackers Carry Out SIM Fraud?

SIM fraud starts with social engineering. Attackers perform reconnaissance on social media sites and corporate webpages to obtain as much information as possible about their targets. They may also use phishing emails to elicit key personal or business details or purchase specific information about users on the dark web.

Equipped with this data, they contact cellular providers, masquerade as legitimate users and attempt to have SIM card data transferred. If successful, all cellular data is routed away from user phones and directly to hacker devices.


How to Detect SIM Swap Fraud

While every SIM swap case is different, common indicators of SIM fraud include:

  • Inability to make calls or send texts: If users are suddenly unable to make or receive calls or text messages, they may be the victims of simjacking.
  • Notifications of odd activity: In some cases, mobile phone providers will send email alerts or call backup numbers to notify users of suspicious behavior.
  • Sudden denial of account access: If staffers suddenly find themselves locked out of business accounts — even as IT teams record recent logins — SIM fraud may be the cause.

How to Prevent SIM Swap Fraud

According to the Federal Trade Commission, there are several steps that users can take to protect themselves against SIM swap fraud — and that enterprises can encourage, especially if staff are using corporate-sponsored devices.

  • Keep personal information personal: Users should never respond to emails, texts or phone calls that include a request for personal information — even if it appears to be from corporate management members. Instead, it’s safer to follow up by using verified email addresses or phone numbers to confirm the legitimacy of any request.
  • Reduce social sharing: Attackers build a target profile for SIM swapping in part through social posts and publicly available information. The less personal data shared, the better.
  • Create a device account PIN: Cellular carriers often allow users to create an account PIN or passphrase that must be provided before any changes can be made to the account, in turn frustrating SIM-stealer efforts.

What Is Multifactor Authentication?

Multifactor authentication offers a way to enhance account security by adding extra layers of protection between access requests and network permissions. Typically, MFA is divided into three broad categories:

  • Something users know: Passwords are the most familiar form of this authentication type: Staffers know their usernames and passwords and input them for entry-level identity verification. While passwords remain popular because they’re simple and straightforward, they’re easily compromised and not recommended for high-level administrative access or critical data permissions.
  • Something users have: Often used as part of two-factor authentication (2FA) frameworks, this approach typically takes the form of physical devices such as USB keys or one-time codes sent via SMS or authenticator apps. Adding this layer to MFA improves on password-based processes and reduces the risk of attack even if hackers compromise user passwords.
  • Something users are: The last MFA layer involves biometric identification — such as fingerprint readers, voice recognition software or facial feature scanning — to validate users. Many newer mobile devices natively include these capabilities — but they’re not foolproof, meaning they’re best used in conjunction with at least one other authentication type.


How to Improve MFA Security

SIM swap scams are worrisome because they provide a way for attackers to compromise SMS-based authentication efforts. If hackers have SIMs shifted to new devices, any MFA text messages will come to their devices instead of the employee’s, potentially allowing them to gain network access.

To improve MFA security, it’s a good idea to move away from SMS authentication in favor of application-based authentication tools that require additional verification to install and use. Companies can also adopt behavior-based tools that take into account data such as device location, time and access history to help identify potentially fraudulent requests.
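A behavior-based check of the kind described above, which also covers the detection indicator of logins recorded while the real user is locked out, is sketched here as an added example; it is not code from the article or from any vendor product. The `Login` fields, the weights, the threshold and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # UTC timestamp of the access request
    device_id: str
    country: str
    mfa: str         # "sms", "app" or "hardware_key"

# Constructed weights and threshold for illustration; tune on real telemetry.
WEIGHTS = {"new_device": 40, "new_country": 30, "odd_hour": 10, "sms_factor": 20}
STEP_UP_AT = 60

def hour_gap(a, b):
    """Distance between two hours of the day on a 24-hour circle."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_signals(event, history):
    """Signals raised by `event` when compared with the user's earlier logins."""
    past = [h for h in history if h.user == event.user and h.when < event.when]
    signals = []
    if event.device_id not in {h.device_id for h in past}:
        signals.append("new_device")
    if event.country not in {h.country for h in past}:
        signals.append("new_country")
    if past and min(hour_gap(event.when.hour, h.when.hour) for h in past) > 3:
        signals.append("odd_hour")
    if event.mfa == "sms":   # the factor a SIM swap hands to the attacker
        signals.append("sms_factor")
    return signals

def decide(event, history):
    """Return (decision, score, signals); 'step_up' means demand a non-SMS factor."""
    signals = risk_signals(event, history)
    score = sum(WEIGHTS[s] for s in signals)
    return ("step_up" if score >= STEP_UP_AT else "allow", score, signals)

# Constructed sample history: five weekday logins from one laptop in the US.
HISTORY = [Login("alice", datetime(2020, 12, d, 14 + d % 3, 5), "laptop-1", "US", "sms")
           for d in range(14, 19)]
SUSPECT = Login("alice", datetime(2020, 12, 21, 3, 10), "phone-x", "US", "sms")
ROUTINE = Login("alice", datetime(2020, 12, 21, 15, 0), "laptop-1", "US", "sms")

if __name__ == "__main__":
    for ev in (ROUTINE, SUSPECT):
        print(ev.device_id, decide(ev, HISTORY))
```

A user with no prior logins raises both the new-device and new-country signals, so a first SMS-authenticated login is always sent to step-up rather than silently allowed.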

Simply put, SIM fraud attacks are designed to let hackers trade places with legitimate users by rerouting digital device traffic. Along with reduced social sharing and additional telecoms account protection, businesses are best served by shifting away from SMS to app, biometric or behavior-based MFA solutions.
