WyzGuys Tech Talk

In the middle of the day your cell phone mysteriously goes dead.  Later on, when you call the cell phone carrier, you find out that someone else pretending to be you has visited a store and claimed to have lost your phone.  Customer service agents moved your mobile number to a new SIM card on a new phone, and using your phone and other personal information gathered earlier through phishing scams or social engineering, have used the phone to help empty your bank account.

The SIM is the Subscriber Identity Module, and confirms your identity to the cell phone network. SIM cloning and SIM swapping allow an attacker to use your phone and all of the applications and data that is stored on your phone.

Acquiring your phone is  the last step in a longer campaign that started with a series of phishing emails designed to trick you out of your user IDs and passwords on as many services as they could get.  This may have included collecting answers to the secret questions used to reset passwords or confirm your identity to a customer service agent.  Having the phone allows them to intercept the 2FA codes that are sent to your phone, which is the last step in logging into something like your bank account.  This usually gives the attacker access to other important accounts, including your social networks and email account.  Email account hijacking has unfortunate outcomes of its own.

SIM swap fraud has been on the rise lately.  U.S. Fair Trade Commission reports that there were 1,038 reported incidents of SIM swap identity theft in January 2013.  Three years later by January 2016, that number had increased to 2,658.  To protect yourself from this scam there are steps you can take to make hijacking your cell phone account harder.

• Be alert for phishing exploits – Do not click on links in emails.  Use extra care when receiving emails from vendors that require you to log into your account or enter personal information into a web page form.  Make sure the web address for the web page you are on makes sense for the web site.
• Use computer and smartphone anti-malware – A good anti-malware app should keep surveillance exploits such as keyloggers off of your phone and computer.
• Change the answers to your knowledge-based questions – We all have given supposedly “secret” answers to questions such as “what is the name of your high school” or “what was the color of your first car.”   These answers are used to verify our identity when resetting a password or calling a customer service agent.  Truthful answers are easy to research using the Internet.  Making up untrue or bogus answers and recording them in your password manager is one way to keep the SIM scammers from guessing or finding the answers online.
• Set up extra security on your cell phone account.
  • Verizon allows you to create a PIN that is required to verify your identity when calling customer service or visiting a store.
  • Sprint uses a PIN coupled with questions and answers.
  • T-Mobile uses a special PIN used when calling customer service.
  • AT&T requires the use of a passcode to identity you to a customer service agent

More information:

• FTC on SIM Swap Fraud
• SIM Swap Scam Explained
• SIM Swap Used to Steal Bitcoin
• Protect Yourself From Cyber Scams – Part 2
• Which Is Better – SMS or App-based TFA?
• Krebs on Security – SIM Swap Gang Leader Arrested