If your mobile phone suddenly loses coverage, be worried: a new telephone fraud known as ‘SIM swapping’ lets a cyber attacker duplicate our phone number and use it to impersonate us, authenticate with our bank and steal all our money.
There are already victims of this fraud being used for other purposes: Jack Dorsey, co-founder of Twitter, had his account on the service hijacked by the same method, which once again highlights the weakness of mechanisms such as SMS messages for two-step authentication. They were a good option originally, but as we said in the past, it is much more advisable to use independent authentication applications rather than SMS, which is increasingly vulnerable in this area.
In El País they recently reported a case in which a user suddenly lost coverage. He turned off his mobile, turned it on again, and nothing. When he got home he called his operator from another phone, and it turned out that someone had posed as him to request a duplicate of his SIM card at an operator’s store in another city.
That alerted the user, who quickly checked his bank account and found that it had been locked. His bank had detected unusual activity: thousands of euros had disappeared and a loan worth 50,000 euros had been requested in his name. A real disaster which, according to Civil Guard officials, fits perfectly into the upward trend in SIM swapping cases.
Yesterday there was a new and worrying case of this kind: a Twitter user, Otto Más ( @Otto_Mas ), recounted similar events. His mobile line with a Vodafone contract stopped working, and when he got home he connected the phone to the WiFi and realized that ” my current account had been emptied ” at Banco Santander.
Someone had duplicated his mobile line and, with the confirmation SMS, had made several transfers, “taking out the money little by little”. He was able to cancel the transfers and block the account after several hours on the phone with the bank, although he complained about the poor response of his operator and criticized the few security measures required of those requesting a duplicate SIM card.
There are two clear problems here: first, that requesting a duplicate SIM is relatively straightforward. Second, that the use of SMS as a channel for two-step or two-factor authentication (2FA) has long been vulnerable to various attacks, and this is only the latest, but probably the most worrying, of them all.
SIM swapping allows anyone to be impersonated, including the Twitter CEO
This technique circumvents security measures that rely on the mobile phone as an instrument for verifying our identity, and that is dangerous in the financial sphere, as we have seen, but also in many other scenarios.
This was made plain in recent days when the co-founder and CEO of Twitter, Jack Dorsey, suffered a similar attack, which suddenly caused offensive and racist messages to appear in his Twitter account ( @jack ); they were subsequently deleted.
The problem stemmed from this impersonation: a telephone operator in the United States, which has not been named, allowed the attacker to obtain a duplicate of Dorsey’s SIM, which in turn let the attacker use the Post to Twitter via SMS function, one of the service’s original features.
The offensive messages provoked an immediate reaction from Dorsey, and Twitter announced that it was disabling posting to the platform via SMS.
The solution is in our hands (but also in those of the operators and the banks)
As we said before, the problem with this cyberattack is that it has two very separate faces, each with its own solution, and the two are interdependent: if both are not solved, the problem will remain.
The first lies with those who handle that information, the operators, who should be much more demanding when it comes to issuing duplicate SIM cards. Identity checks here must be thorough to prevent the problems seen in these cases.