If your mobile phone suddenly loses coverage, be afraid: a telephone fraud known as ‘SIM swapping’ lets an attacker duplicate our telephone number and use it to usurp our identity, authenticate with our bank and empty our account.
There are already victims of this fraud, and it has been used for other purposes too: Jack Dorsey, co-founder of Twitter, had his account on the service hijacked with the same method, which once again exposes the weakness of mechanisms such as SMS messages in two-step authentication systems. They were a good option originally, but as we said in the past, it is far more advisable to use independent authentication applications rather than SMS, which is increasingly vulnerable in this area.
Be careful, this horror story could happen to you
El País recently recounted a case in which a user suddenly found himself without coverage. He turned the mobile off, turned it on again and nothing. When he got home, he called his operator from another mobile, and it turned out that someone had impersonated him to request a duplicate of his SIM card at an operator’s store in another city.
Yesterday I suddenly lost my mobile line.
I called @vodafone_es and they didn’t solve anything: “There is an incident on the network”, “Your line works perfectly”, I insisted on the problem and nothing.
When I left the cinema, I was still without a line. When I got home, my checking account had been emptied.
That alerted the user, who quickly went to check his bank account and found that it was blocked. His bank had detected strange movements: thousands of euros had disappeared and a loan worth 50,000 euros had been requested in his name. A true disaster that, according to Civil Guard officials, fits perfectly into the upward trend in SIM swapping cases.
Yesterday another new and worrying case of this type emerged: a Twitter user, Otto Más ( @Otto_Mas ), recounted very similar events. His mobile, on a Vodafone contract, lost its line, and when he got home he connected it to the WiFi and realized that “my checking account had been emptied” at Banco Santander.
Someone had duplicated his mobile line and, with the confirmation SMS, had made several transfers “taking the money little by little”. He was able to cancel the transfers and block the account after several hours on the phone with the bank, although he complained about the poor response of his operator, criticizing the few security measures demanded of whoever requests a duplicate SIM card.
There are two clear problems here: first, ordering a duplicate SIM is relatively straightforward. Second, the use of SMS as a second factor in two-step or two-factor authentication (2FA) has long been vulnerable to various attacks, and this is only the latest – but probably the most worrying – of them all.
SIM swapping makes it possible to impersonate anyone, including the CEO of Twitter
This technique lets an attacker circumvent the security measures that rely on the mobile phone as an instrument for verifying our identity, and that is dangerous, as we have seen, in the financial sphere, but also in many other scenarios.
It was demonstrated these days when Twitter co-founder and CEO Jack Dorsey suffered a similar attack that caused offensive and racist messages to appear on his Twitter account ( @jack ) that were later deleted.
The problem stemmed from this identity theft: a telephone operator in the United States – it is not specified which one – allowed the attacker to obtain a duplicate of Dorsey’s SIM, which in turn let the attacker use the function for posting to Twitter via SMS messages, one of the original features of the service.
The offensive messages sparked an immediate reaction from Dorsey, who announced that Twitter was disabling the sending of messages to the platform via SMS.
The solution is in our hands (but also in that of the operators and banks)
As we said before, the problem with this cyber attack is that it has two very separate faces, each with its own, interdependent solution: if both are not solved, the problem will remain.
The first lies with those who handle that information, the operators, who should be much more demanding when it comes to issuing duplicates of a SIM card. The identity checks here must be thorough to avoid the problems seen in these cases.
Banks, financial institutions and any other platform that continues to use SMS as a two-step authentication system also have homework to do. It is a popular and convenient method, but as you have seen it has been very vulnerable for some time, as security expert Bruce Schneier has pointed out. For this reason all these companies should eradicate SMS from their two-step authentication systems and use other alternatives.
Among the most recommended right now are the authentication applications that replace SMS and that can be installed on our mobiles. Microsoft Authenticator, Google Authenticator or Authy are among the best known, and if we can use them (the platform we work with must support that option) they are much more secure than authentication via SMS, because the one-time code is derived from a secret stored on the device and a clock, not delivered over the phone network.
Even more interesting are the U2F keys (Universal 2nd Factor), an open authentication standard that uses physical keys and whose latest iteration is the FIDO2 standard. Manufacturers like Yubico are well known for these solutions, and even Google recently entered this segment with its Titan Security Keys, while also announcing that an Android phone can itself act as a security key.
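The reason these keys rank above authenticator apps is that the site never receives a reusable secret at all: the key holds a private key that never leaves the device, signs a fresh challenge from the site, and binds that signature to the origin the browser reports, so the signature is only valid for the site it was made for. The following is an added example, not code from the article, from Yubico or from the FIDO specifications, of that challenge-response flow in Go using standard-library ECDSA P-256. The byte layout (hash of origin, counter, hash of challenge) is a simplification of the U2F authentication message chosen for illustration; the `Authenticator` and `RelyingParty` types and their method names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator models the security key: a private key it never releases
// and a monotonically increasing use counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// NewAuthenticator generates the key pair at registration time.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Public is what the site stores at registration: only the public half.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedData is the byte string both sides agree on (simplified from U2F):
// SHA256(origin) || counter (4 bytes, big-endian) || SHA256(challenge).
func signedData(origin string, counter uint32, challenge []byte) []byte {
	oh := sha256.Sum256([]byte(origin))
	ch := sha256.Sum256(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	out := append(oh[:], c[:]...)
	return append(out, ch[:]...)
}

// Assertion is what the key hands back to the browser for forwarding to the site.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// Assert signs the challenge bound to the origin the browser reports. The key
// has no way to know which site is "right"; origin binding is what makes the
// result useless anywhere else.
func (a *Authenticator) Assert(origin string, challenge []byte) (Assertion, error) {
	a.counter++
	digest := sha256.Sum256(signedData(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is the site: its own origin, the registered public key and the
// highest counter it has accepted so far.
type RelyingParty struct {
	origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify rebuilds the signed data with the site's OWN origin, so an assertion
// produced for any other origin fails to verify, and rejects a non-increasing
// counter, which catches replayed assertions and cloned keys.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) bool {
	if as.Counter <= rp.lastCounter {
		return false
	}
	digest := sha256.Sum256(signedData(rp.origin, as.Counter, challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return false
	}
	rp.lastCounter = as.Counter
	return true
}

func main() {
	key, _ := NewAuthenticator()
	site := &RelyingParty{origin: "https://bank.example", pub: key.Public()}
	challenge := []byte("constructed-random-challenge") // a real site uses fresh random bytes
	as, _ := key.Assert("https://bank.example", challenge)
	fmt.Println("genuine login verifies:", site.Verify(challenge, as))
	fmt.Println("same assertion replayed:", site.Verify(challenge, as))
	other, _ := key.Assert("https://other.example", challenge)
	fmt.Println("assertion made for another origin:", site.Verify(challenge, other))
}
```

Contrast this with the cases in the article: an SMS code is a bearer secret that whoever controls the phone number can read and type anywhere, whereas here nothing the site receives can be reused, and possession of the physical key is required for every login.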