SIM Swap Scams + Consumerization = TPRM Risk

SIM swap scams can be extremely expensive to individual consumers — one investor lost more than $23.8 million worth of cryptocurrency to a SIM card hijacking in 2018. These hacks also represent a growing third party risk as the use of cell phones and related consumer technologies continues to increase inside most companies.

SIM card thefts also pose reputation risks, as Twitter CEO Jack Dorsey found out this summer when his own account was taken over by a hacker who retweeted offensive messages. The intrusion, Dorsey’s cellular provider later confirmed, was the result of a SIM swap scam. As cell phone manufacturers and cellular service providers continue to offer major holiday-season discounts to entice consumers to switch providers, consumers and risk managers should be especially vigilant: switching cell phone providers can expose you, your company and your client organizations to heightened SIM swap risks unless you take proper precautions.

These attacks occur when bad actors use social engineering to convince cell phone providers to activate a new SIM card with the victim’s cell phone number in a phone that the criminal owns. Equipped with this control, the thief can log into accounts (banks, credit unions, social media, business/company accounts and apps, etc.) that use text messages for authentication and for password resets. SIM card thieves can also open new cell phone accounts. Considering the longstanding consumerization of information technology (IT) within businesses, SIM swap scams qualify as an organizational information security threat as well as a third party risk. The same holds true for third-party applications on cell phones that lack sufficient security and privacy protections. This fall, Facebook announced that it suspended tens of thousands of apps due to privacy and security concerns, in an effort that relates to the company’s massive settlement with the Federal Trade Commission (FTC) over privacy violations.

Cell phone numbers have become a ubiquitous form of security and authentication. That’s not great news for information security managers and third party risk management (TPRM) professionals, according to cybersecurity guru Brian Krebs. “Phone numbers stink for security and authentication,” he writes. “They stink because most of us have so much invested in these digits that they’ve become de facto identities.”

In his post, Krebs interviews Flashpoint Director of Security Allison Nixon, who has provided insights to several articles on SIM swap attacks. She also inadvertently stole someone’s online service account when she used a newly purchased burner phone (a standard tool inside a threat intelligence company) to try to access her own account. “I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know,” Nixon tells Krebs. “Then I clicked okay and was suddenly reading the private messages of the account. I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.”

Another problem is that cell phone bills have in some cases been left unprotected. Last week, TechCrunch reported that one of the major cell phone service providers left hundreds of thousands of customer phone bills on an unprotected server. Wired also has been covering SIM swap attacks. The publication reported (as Bitcoin Hoje confirmed) that the cryptocurrency investor’s loss sparked a $220 million lawsuit against AT&T, and directed readers to a list of incidents in which individuals lost thousands of dollars from checking accounts as a result of SIM swaps.

Last year, Wired’s Brian Barrett discussed three ways to reduce the likelihood of falling victim to a SIM swap attack and to minimize the damage when an attack strikes. These steps include adding a PIN or passcode to cell phone accounts (which all major U.S. carriers offer as an option); fortifying two-factor authentication by using an authentication app (e.g., Google Authenticator) or a physical authentication method (e.g., a key fob or USB security key); and several other extra measures. As Lifehacker’s Brendan Hesse notes in his article on avoiding and responding to SIM swap scams, “it’s a lot easier to set up defenses against a SIM swap attack right now than it is to deal with the fallout from one—one is a minor annoyance, the other will consume your week (or more).” That advice is equally relevant to consumers, information security managers and third party risk management professionals.

The combination of high-cost and high-profile SIM swap attacks (along with coverage of those events) more recently caught the attention of the U.S. Federal Trade Commission (FTC). Several weeks ago, the FTC published a bulletin on SIM swap scams. The information included this preventative guidance:

Here’s what you can do to protect yourself from a SIM card swap attack:

  • Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
  • Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and login to your accounts.
  • Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
  • Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use multifactor authentication, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.

When individuals fall victim to an attack, the FTC recommends that they contact their cellular service provider immediately to take back control of their phone number (and then change all account passwords), and that they check their credit card, bank, and other financial accounts for unauthorized charges or changes.
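The FTC’s last bullet (“text message verification may not stop a SIM card swap”) and Nixon’s recycled-number incident both come down to the same server-side decision: when should a service let an SMS to a phone number reset a password? The following is an added illustration, not code from the article, the FTC or any of the companies named above. It models a reset-policy check that refuses to let SMS be the sole factor once an authenticator app or security key is enrolled, detects a number that has since been bound to a different account (the recycling case), and treats a recent SIM change as a reason to escalate. The RFC 6238 TOTP routine shows what an “authentication app” actually computes and why it does not depend on the phone number at all. The account data, the `registry` structure and the `recent_sim_change` signal are assumptions constructed for the example; the article does not describe any particular carrier lookup.

```python
"""Password-reset policy that does not trust SMS alone (constructed example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    username: str
    phone: str
    phone_bound_at: datetime                 # when this number was attached to the account
    totp_secret: Optional[bytes] = None      # set once an authenticator app is enrolled
    security_key_enrolled: bool = False      # set once a FIDO/U2F key is enrolled


@dataclass
class RiskSignals:
    # Assumption: some upstream check reported whether the SIM behind the number
    # changed recently. Hypothetical input; the article names no such service.
    recent_sim_change: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    required_factor: Optional[str] = None    # factor the user must present instead


# phone number -> (username, bound_at) of the MOST RECENT binding of that number
Registry = Dict[str, Tuple[str, datetime]]


def totp_code(secret: bytes, at: datetime, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays.
    Nothing here involves a phone number, so a SIM swap cannot intercept it."""
    counter = int(at.timestamp()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, at: datetime, window: int = 1) -> bool:
    """Accept the current step or `window` steps either side; constant-time compare."""
    for drift in range(-window, window + 1):
        candidate = totp_code(secret, at + timedelta(seconds=30 * drift))
        if hmac.compare_digest(candidate, code):
            return True
    return False


def evaluate_sms_reset(account: Account, registry: Registry,
                       signals: RiskSignals) -> Decision:
    """Decide whether an SMS-based password reset may proceed for `account`."""
    # 1. A stronger factor exists: SMS must never be the only thing standing
    #    between a SIM-swapper and the account.
    if account.security_key_enrolled:
        return Decision(False, "security key enrolled; SMS cannot be the sole factor",
                        required_factor="security_key")
    if account.totp_secret is not None:
        return Decision(False, "authenticator app enrolled; SMS cannot be the sole factor",
                        required_factor="totp")
    # 2. Recycled number: the same number was later bound to a different account,
    #    so whoever holds it now is probably not this account's owner.
    latest = registry.get(account.phone)
    if latest and latest[0] != account.username and latest[1] > account.phone_bound_at:
        return Decision(False, "number has since been bound to another account (possible recycling)")
    # 3. Carrier-side change to the SIM behind the number: escalate rather than trust SMS.
    if signals.recent_sim_change:
        return Decision(False, "recent SIM change reported; escalate to manual identity review")
    return Decision(True, "SMS reset permitted; no stronger factor enrolled")


if __name__ == "__main__":
    now = datetime(2019, 12, 1, tzinfo=timezone.utc)
    reg: Registry = {"+15550100": ("bob", datetime(2019, 6, 1, tzinfo=timezone.utc))}
    # Constructed: alice bound +15550100 in 2018; bob registered the same number in 2019.
    alice = Account("alice", "+15550100", datetime(2018, 1, 1, tzinfo=timezone.utc))
    print(evaluate_sms_reset(alice, reg, RiskSignals()))
    secret = b"12345678901234567890"
    print(totp_code(secret, datetime.fromtimestamp(59, tz=timezone.utc)))
```

Run as a script, the recycling case is refused and the TOTP routine reproduces the RFC 6238 reference vector for T=59 (`287082` at six digits), which is a cheap way to confirm the authenticator logic before wiring it into a real reset flow. The ordering matters: the stronger-factor checks come first so that enrolling an app or key is enough on its own to close the SMS path, regardless of what the carrier-side signals say.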

Information security and third party risk management professionals should raise awareness of SIM swap attacks and consider adapting consumer guidance to help their colleagues and vendors reduce the possibility of falling prey to a SIM swap attack.