
SIM Swapping Becomes an Insider Threat

SIM swapping, the illegal process of transferring the SIM (Subscriber Identity Module) card from its rightful owner to a threat actor, is on the rise. Because the SIM card stores the identification information that ties a smartphone to a specific mobile network, transferring it from telephone to telephone also transfers the telephone number. In the past, this fraud scheme was most frequently executed via “social engineering.” A fraudster who had gathered victim information from open sources, including social media, would contact the cellular carrier, provide enough information to convince the operator that they were the rightful owner of the telephone number, and then ask for the number to be transferred to a new device they had just purchased. According to reporting this week, fraudsters have discovered a time-saving shortcut: bribing phone company employees. Recent reporting states that fraudsters pay employees between $300 and $500 to execute the illegal transfer of a cell phone number.

Why are bad actors so focused on stealing your phone number? Multifactor Authentication, or MFA, adds a layer of security to online accounts by requiring not just a password to complete the authentication process, but also a code. And this code is sent to cell phones. With regulations such as the Federal Trade Commission's “Safeguards Rule,” which requires financial institutions to implement MFA for individuals accessing customer information networks, the federal government itself is requiring MFA. This makes sense: passwords present a single point of failure, but requiring a code sent to a cell phone greatly enhances account security.

Until it doesn't.

In my 30+ years of working fraud investigations in the FBI and the private sector, one thing I have always been able to count on is the ability of threat actors to adapt to security measures put in place to thwart them. MFA's Achilles' heel is the smartphone that receives the code. You may be holding your smartphone, but through SIM swapping, the threat actor has transferred your telephone number to another device and is receiving the authentication codes. From here, the bad actor can change passwords, lock you out, and drain your accounts. With SIM swapping trending towards an insider-facilitated crime, consumers should increase their awareness of the prevalence of these schemes. Cellular carriers would be prudent in taking steps to enhance their insider threat monitoring and education programs to root out corruption in their workforce.


Although cyber gangs often use social engineering to dupe carrier help desk staff into performing the swaps, paying an insider to do the work can be much more efficient.

