Large-scale SIM swap fraud

[harlan4096]

The enemy in your pocket

Introduction

SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.

If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.

Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. But nowadays these mobile payments are suffering a wave of attacks and people are losing their money – all powered by SIM swap fraud conducted on a major scale.

Like many other countries, Brazil and Mozambique had a high rate of SIM swap fraud. Both countries speak the same language (Portuguese) and were facing the same problem. By using social engineering, bribery, or even a simple phishing attack, fraudsters take control of customers’ phone numbers in order to receive mobile money transactions, or to collect the home banking OTPs to complete a transfer of funds or steal users’ money. In Mozambique this sort of crime was all over the national news, with the media questioning the integrity of the banks and mobile operators, suggesting they may be colluding in the scams. The reputation of the banks and operators was at stake; something urgent needed to do be done to protect their customers.

In Brazil the problem was affecting not only average citizens but also politicians, ministers, governors and high-profile businessmen. Online banking customers were also experiencing losses from their accounts. One organized gang alone in Brazil was able to SIM swap 5,000 victims. At Mozambique’s largest bank they had a monthly average of 17.2 cases of SIM swap fraud; the true impact nationwide is difficult to estimate as most banks don’t publicly share statistics. As was the case in Brazil, some of the victims were high-profile businessmen who had up to US$50,000 stolen from their bank accounts.

In Mozambique a nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. This new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was an immediate reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and is considering making it mandatory for all banks.

In this article we’ll detail how very organized cybercrime developed their own ecosystem of fraud and how Mozambique was able to solve the problem of money being stolen in SIM swap fraud schemes, where mobile payments are an essential part of everyday life. 

Continue Reading