Wireless carriers need to make changes to combat SIM-card fraud

U.S. carriers will need to adjust security tactics soon to combat an emerging threat in which criminals hijack SIM cards used to authenticate mobile phone customers on wireless networks, experts say.

[Social media, mobile phones top attack targets]

The fraud starts with criminals calling a carrier's customer and tricking him into divulging personal information. The data is then used to fool the company into deactivating the subscriber's SIM card and reopening the account on the fraudster's phone.

The trick is unusual because it takes advantage of a weakness in the process carriers use for switching SIM cards. Many carriers do not use a second form of authentication, such as requiring an email confirmation before making a SIM-card switch over the phone or online.

Until changes are made, SIM-card fraud will be a "continuing threat," Lawrence Pingree, analyst for Gartner, said Monday.

"It really boils down to whether or not cellular carriers change their tactics," Pingree said, noting that the scam is "more of a business processor security exploit."

U.S. carriers that have been affected by such scams include AT&T, according to Bloomberg.

AT&T did not respond to a request for comment.

To fool victims, the crooks do their homework and usually have enough personal information, such as the person's name and address, to come off as legitimate.

If the conmen are successful in getting the last four digits of a person's social security, which is often used for authentication, they then call the wireless carrier and request the SIM card switch. Such swaps are a common practice in activating new phones.

The majority of people in the U.S. do not use their mobile phones for banking or other forms of commerce, so SIM-card fraud to date has only been used to make international calls.

Because such calls are not very profitable, experts believe fraudsters are currently experimenting with techniques that have been used in Europe and Africa to crack online banking accounts.

"I very much get the feeling that these are guys who are importing a fraud technique and trying to adapt it to the U.S. to see how they can make money," Marc Rogers, principal security researcher for Lookout, said.

Outside the U.S., SIM-card fraud has been used to intercept the one-time personal identification number (PIN) banks often send via SMS to customers for logging into online accounts or making money transfers. In such cases, criminals already have the victim's user name and password, often bought in an underground marketplace. Banks use the PIN as a second form of authentication.

In general, SIM-card fraud is in its infancy and it's use is expected to evolve where a hijacked card could be used, for example, in sending texts to premium rate numbers or breaking into online accounts other than banking, Rogers said.

"The bad guys are constantly adapting," he said. "They're always trying new things."

[Seductive technology: What are its implications for data security?]

The worldwide communications industry is projected to lose $46.3 billion from fraud this year, roughly 2 percent of global revenue, according to the Communications Fraud Control Association. Taking over phone accounts is one of the top five frauds and is expected to cost carriers $3.6 billion this year.

To combat criminals, carriers have to become more flexible and be ready to adjust tactics as attackers change theirs. "Security is the art of war," Pingree said.

Join the CSO newsletter!

Error: Please check your email address.

Tags at&tsecuritymobile

More about BloombergGartner

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place