It seems that stories of SIM Swap fraud become more common on the tech trades every day. The reason for this is not only the insidious nature of the crime but often the personalities associated with these schemes. Just last month, this article was circulating about a character who allegedly stole $70 million in SIM Swap fraud, then intimidated victims with threats of violence to keep them quiet. “Baby Al Capone” is what the article called him. Turned out Baby Al was a 15-year-old high school student from the suburbs. But what about SIM Swap makes it so easy to be bullied into submission by someone not old enough to vote? For that, we need to focus on the particularities of the crime.
As mentioned on this blog, the SIM Swap attack can be remarkably easy, so long as the malicious actor has some help. SIM Swap by definition is a type of account takeover where a fraudster transfers a victim's phone number onto a SIM card controlled by the hacker. This is typically accomplished with some sort of social engineering that can be as simple as calling a mobile provider, impersonating the victim, and asking for a phone port.In a perfect world, the carrier would catch on to this scheme. However, mistakes happen every day, so let's get into the nuts and bolts of how this scam works. For the uninitiated, a phone port is when a mobile customer calls their carrier and asks for their phone number to be assigned to a new SIM Card. This happens all the time for legitimate reasons: you got a new phone, you lost your old phone, etc. When doing this the customer service representative will ask all sorts of questions that only you should know. Enter social engineering. Social engineering occurs when a fraudster uses anything at their disposal to acquire personally identifiable information (PII) from a target. This could be done by phishing, bribery, purchasing breached info from the dark web to even stalking social media profiles, or going through your garbage. Yikes. Whatever the case, once a fraudster acquires the necessary information to port your phone number to a device they control, the SIM Swap has occurred.
While it's never good to have your phone number controlled by a stranger, this person likely has more sinister intentions than spamming your ex-partner or writing mean tweets. Once this criminal has your phone number, they trigger 2FA sequences to wrestle control of your most valuable accounts: email, banking, and crypto, among others. What's worse, they can do this in a matter of minutes. By the time the victim realizes their phone has gone offline, the damage has been done. The teen in the aforementioned tale, was really just a young gamer who would join chat rooms about crypto and identify high-value targets. Because of the nature of crypto-currency, it is inherently difficult to track, so once it's gone… it's gone. Some crypto or otherwise block-chain adjacent companies have admitted in recent months struggling with SIM Swap attacks and now more and more articles are popping up about crypto investors losing their life savings overnight. Fortunately, TeleSign can fight back against SIM Swap and help keep a platform's users safe.
While TeleSign will advise every platform in the world to turn on 2FA, as the title indicates, it's sometimes not enough. Specifically, with SIM Swap, platforms want to layer additional pieces of data intelligence on top of a user's account protection. TeleSign's digital identity platform holistically looks at a user's online identity. A person's digital footprint will include name, phone number, e-mail, IP address, etc. Beyond these basics though, TeleSign can look at a user's porting history, or the last time their phone number was transferred (ported) to another device (SIM.) If, for example, your business deals in cryptocurrency, you might find it suspicious that one of your users transfers millions of dollars in Bitcoin immediately after porting their phone number to a new device. By divulging this information to the platform, TeleSign allows the company to immediately act on this information, typically by blocking the transaction or pushing to a manual review. This small step could save your platform (and your users) money, the headaches of lawsuits, regulatory and compliance fees, and the opportunity cost of negative PR. The TeleSign digital identity solution can stop fraudsters even when your users don't practice the best digital hygiene. Because no one wants their users defrauded by someone that can't even drive. (Baby Al Capone will make a great movie though).
TeleSign has been connecting and protecting online experiences for over 15 years. We support the largest web properties in the world and we're prepared to help you. Contact TeleSign now and for all of your security needs. As the pioneers of phone-based security, we are a one-stop-shop for all of your digital identity and programmable communications needs.