The SIM Swap Fix That the US Isn’t Using
SIM swap attacks, where hackers trick or bribe a phone company employee into switching the SIM card associated with a victim’s phone number. The attackers then use that hijacked number to take over banking or other online accounts. According to Tenreiro, the bank had seen more than 17 SIM swap frauds every month. The problem was only getting worse.
“The gentleman from the bank, I could see by his face he was desperate. He wanted to do something but he didn’t know what to do,” says Tenreiro, who asked WIRED not to identify the phone carrier he worked for. “He was asking for our help. As mobile operators, we also had a responsibility to fight this fraud.”
Andy Greenberg is a WIRED security writer and author of the forthcoming book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers.
SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim’s banking credentials, or by using the phone number as a password reset fallback. So the phone company, Tenreiro says, offered a straightforward fix: The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.
By August of 2018, Mozambique’s largest bank was performing SIM swap checks with all the major carriers. “It reduced their SIM swap fraud to nearly zero overnight,” says Tenreiro, who serves on Mozambique’s Computer Emergency Readiness Team, and spoke about the SIM swap fraud fix at Kaspersky’s Security Analyst Summit earlier this month.
Mozambique isn’t alone in implementing that fix for the growing epidemic of SIM swap fraud, which is increasingly used for everything from hijacking Instagram accounts to stealing cryptocurrency. According to WIRED’s interviews with security firms and executives in the banking and telecom industries, companies in other countries across Africa, including Nigeria, South Africa, and Kenya—where the prevalence of mobile payments have made SIM swaps a particularly serious threat—have put similar carrier-checking remedies in place. So have the UK and Australia. But there’s one country where experts say the fix hasn’t taken hold: the US.
“This is something where Africa is ahead of us,” sa
Be the first to write a comment.
