You take cybersecurity seriously. You use strong, unique passwords that can’t be guessed. Your sensitive accounts are backed up with two-factor authentication (2FA). Your devices are with you at all times.
And yet one day, with no warning, you wake up to discover that your mobile phone isn’t working. Soon, you discover your email password has been changed – you’re locked out. And to your horror, your banking or cryptocurrency wallets have been emptied… with no way to trace who’s responsible.
Like thousands of others, you’ve just fallen victim to SIM swap fraud, a form of account takeover (ATO) attack which can get past traditional 2FA. SIM swap fraud is on the rise, and anyone can be a target. The best way to be prepared is to understand how it works.
In this piece we’ll go behind the scenes, looking at how people get into SIM swap fraud, how they operate, and how they get away with it – before explaining a new solution that can help businesses to protect themselves and their customers.
When you think of the typical cybercriminal, you might picture a lone hacker in a hoodie. In truth, the people who commit account takeover fraud mostly do so in virtual communities such as private chat apps. Here they socialise, learn and share techniques, and sometimes coordinate efforts for an attack.
Some are novices with an interest in programming who may not even realise the full illegality of what they’re doing – encouraged by a perception that this is an essentially ‘victimless’ activity, they may think they’re merely taking advantage of a loophole. Others are experienced criminals who are fully aware but confident that they can’t be traced.
Former black-hat hacker Alexander Hall already had a criminal career counterfeiting and selling drugs, but saw online fraud as a safer option after a conviction. As a fraudster, he was in charge and saw all of his own profit. Hall ‘made a commitment to not being flashy with money and focusing on low-risk, repeatable applications’, until he turned over a new leaf and now works in fraud prevention.
Others use it to fund flashier lifestyles: at 21, SIM swap fraudster Nick Truglia reportedly showed off stacks of loose cash, wore a $100,000 Rolex, boasted openly on Twitter about his criminal activity, and considered buying a private jet – before he was caught.
One of the most notorious SIM swap fraudsters, Ellis Pinsky, was just 15 years old when he carried out a $24 million cryptocurrency heist, earning him the nickname ‘Baby Al Capone’.
According to an insider, Pinsky was an ordinary teen with an interest in gaming, who learned about hacking from online chats where users bragged about stealing desirable usernames.
But once a hacking initiate has learned how to get inside a victim’s phone for their username, the insider suggests, ‘taking their Bitcoin seems obvious. Plus, stealing crypto is impersonal. For kids who spend their whole lives staring at screens and playing games, it feels natural.’
Not only is remote fraud harder to trace back to the perpetrator, but never having to interact with the victim makes it easier for the attacker to remain detached, viewing the fraud as a money-making hack rather than serious theft.
While still a high schooler working from his bedroom, Pinsky was already making millions; his parents and friends reportedly believed he had gotten lucky investing in cryptocurrency.
Unlike other cyberattacks which indiscriminately target masses of people, SIM swaps are carefully orchestrated and planned in advance. Victims with known savings or investments, especially in cryptocurrency, are commonly targeted, but so are a wide variety of others.
A fraudster’s day is mostly spent in front of the computer, says former fraudster Hall. It begins with ‘profile building’ – collecting exhaustive information about the target from their social media. This includes personally identifying information (PII) that may not be publicly available, such as the target’s phone number and email address.
These details are typically obtained from databases, bought on the dark web, that hold the proceeds of other criminals’ past successes, or from social engineering and phishing scams – convincing fake emails and sites that trick users into sharing information. Since the advent of social media, many people willingly put private details, including PII, out into the public domain without realising the consequences.
Common tactics include sending a message claiming the victim has missed a package delivery and needs to reschedule, raising an issue with their tax form or TV license, or notifying them that they’ve been charged for an order they never placed. These are all designed to trick the user into revealing further personal information without thinking twice, giving the attacker what they need to impersonate the victim convincingly.
To carry out the SIM swap, the fraudster now has to convince an employee from the victim’s mobile network operator (MNO) to transfer their phone number to a new SIM card. In some cases, the fraudster simply bribes an MNO employee by promising them a share of the profits.
Otherwise, the fraudster will pretend to be the victim, and claim their phone has been lost or stolen and they need a replacement urgently. Sometimes this means asking for a new SIM card to be shipped to their address, claiming they’ve moved – but many networks won’t authorise this, and fraudsters want to complete their scam as fast as possible, before the victim has a chance to notice anything amiss.
So more commonly, the fraudster will either go into a store, or contact the MNO remotely with a pre-bought SIM. They then use the information they’ve collected to bypass security challenges – many people use memorable dates such as their children’s birthdays as a PIN code, for example. Even when this information is incomplete, some store employees can be lax on security procedures – or give hints to help the seemingly frantic fraudster along.
With the swap completed, the damage is instant – the target’s phone loses signal, and SMS messages and phone calls to their number are now delivered to the fraudster’s new SIM card. So how does this let them steal the target’s money and identity?
The flaw is in the very protocol designed to keep user identity secure. If you forget your password, or think you’ve been compromised and need to change it, you prove your identity by receiving a code sent somewhere else: usually your mobile phone.
To get this far, the fraudster is already equipped with enough socially engineered information to know the target’s email address, usernames, and likely security answers. They can now work quickly to trigger password reset codes for the victim’s email, retrieve them on the SIM-swapped phone, and change the victim’s credentials before the victim notices anything amiss.
If the victim’s accounts are protected with SMS or phone call-based 2FA, that is no obstacle – the fraudster will receive these too. Just gaining access to the victim’s email address unlocks all sorts of other online accounts – including, crucially, cryptocurrency wallets and other financial apps.
Since crypto is fully digital and not regulated in the same way as banks, it makes the ideal target for fraudsters as the transaction is very difficult to reverse. And by digging through the victim’s emails for more personal details, the fraudster can continue to build a convincing profile and cause more damage.
Although anti-fraud efforts are constantly evolving, so too are the criminals’ methods to keep ahead of the game. The best way to avoid being targeted is to be diligent about your personal security and what you share online – read our top tips here.
But if you’re a business looking to protect your brand and your customers, the good news is that there’s now a simple way to detect SIM swap activity and stop fraudsters from getting into your platform.
If you already use SMS OTP for authentication, you can use Active SIMCheck from tru.ID to verify that the SIM card has not changed before you send the user a code. And if you haven’t added 2FA yet, you can use the strongest proof-of-possession check, which also catches SIM swap through a single API: Strong SubscriberCheck. With both products, your app or site passes the verified mobile number to tru.ID via our API, and our API provides you with an immediate, actionable response.
If the registered user is still in possession of the same SIM card, the check will come back positive, and you can send the SMS OTP as normal. But if there has been a change of SIM card, the check will fail, and you can follow your step-up security flow. Learn more about how tru.ID combats account takeover here.
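As an added example (not tru.ID’s code or API), the check-before-send flow described above can be sketched as a server-side gate in front of a password reset. The lookup callable, function names and phone number are assumptions, and the example goes one step beyond the text by treating a failed lookup the same as a changed SIM.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List

class Decision(Enum):
    SEND_SMS_OTP = "send_sms_otp"  # SIM unchanged: SMS still reaches the real user
    STEP_UP = "step_up"            # SIM changed or unknown: do not rely on SMS

@dataclass(frozen=True)
class GateResult:
    decision: Decision
    reason: str

# Hypothetical lookup: takes a phone number, returns True if the SIM has changed.
# It stands in for a real SIM-check API call; it is not tru.ID's interface.
SimChangedLookup = Callable[[str], bool]

def gate_sms_otp(phone: str, sim_changed: SimChangedLookup) -> GateResult:
    """Decide, before any code is generated, whether SMS may be used."""
    try:
        changed = sim_changed(phone)
    except Exception as exc:
        # Fail closed: an outage of the check must not silently downgrade to SMS.
        return GateResult(Decision.STEP_UP, f"check unavailable: {type(exc).__name__}")
    if changed:
        return GateResult(Decision.STEP_UP, "sim changed")
    return GateResult(Decision.SEND_SMS_OTP, "sim unchanged")

def handle_reset(phone: str, sim_changed: SimChangedLookup, outbox: List[str]) -> GateResult:
    """Password-reset entry point: the OTP is queued only if the gate allows it."""
    result = gate_sms_otp(phone, sim_changed)
    if result.decision is Decision.SEND_SMS_OTP:
        outbox.append(phone)  # stand-in for the real SMS send
    # On STEP_UP the caller must verify through a channel that does not depend
    # on the phone number, since that number may now be on another SIM.
    return result

def _timeout(_phone: str) -> bool:
    raise TimeoutError("constructed failure of the lookup")

def run_constructed_cases() -> dict:
    """Three constructed cases: unchanged SIM, changed SIM, lookup failure."""
    outbox: List[str] = []
    cases = {"unchanged": lambda p: False, "changed": lambda p: True, "outage": _timeout}
    # "+15550100" is a constructed number used only for this example.
    results = {name: handle_reset("+15550100", fn, outbox) for name, fn in cases.items()}
    return {"results": results, "sms_sent": len(outbox)}

if __name__ == "__main__":
    print(run_constructed_cases())
```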
Solving SIM swap is fast and easy with tru.ID. Our products are easily integrated into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs.
For a more detailed explanation of how SIM-based authentication guards against fraud, download our free PDF: SIM swap fraud is getting worse – but now there is a solution.