SIM Swap Scam Neutralized

Ty Chaston
May 13, 2019


We live on a planet where more than half of the population now has a cell phone. That’s right, according to Statista, there are 4.68B mobile phone users in 2019 out of the 7B+ people populating planet Earth. As a society, we have come to rely on this personal productivity device for everything from simple communication, entertainment, education and business productivity to even personal identification. But what happens if your mobile phone falls into the wrong hands? This is exactly what happens with the latest in cybercrime, specifically the SIM Swap Scam.

SIM Swap Scam Demystified

Phone numbers used for 2FA are as weak as passwords, because most services rely on the user’s phone as the de facto user identifier. SIM swapping is fundamentally a type of targeted Account Takeover (ATO) fraud that exposes a specific weakness in current binary authentication, such as the 2FA/MFA solutions offered by many solution providers. While One Time Password (OTP) 2FA/MFA is believed to increase personal security, in this case it is actually responsible for breaking it. If you aren’t familiar with how the SIM Swap Scam works, cybercriminals effectively need to execute just 3 steps to take over your accounts:

  • Obtain a base level of personal information about the target, through phishing, by purchasing previously stolen information on the Dark Web or, disturbingly, in some cases by obtaining it legally through one of the major data exchange bureaus.
  • Use that information online, over the phone, or even along with a fake ID at a retail store to impersonate the victim to a mobile phone operator, claim the phone was lost or stolen, and have the operator port the victim’s number to a new SIM. NOTE: Once this is accomplished, the victim’s valid phone is rendered invalid, and all SMS and voice messages intended for the victim now go to the cybercriminal’s version of the victim’s phone.
  • The cybercriminal can then work from the email address associated with an account of interest and pass that account’s two-factor authentication using the newly issued SIM, wreaking havoc on the victim’s finances.

While two-factor authentication is intended to give you a level of assurance that your accounts are only being accessed by you, note that it is insufficient here. The SMS messages meant to validate your use of your accounts are defeated simply because the threat actor now virtually holds your phone and your identity. From there, your email is most likely compromised, and then every credential for the various services tied to that email becomes compromisable as well.
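As an added example (not code from this post or from Acceptto/SecureAuth), the toy model below shows the weakness described above: an SMS OTP proves control of a phone number, the carrier can rebind that number to a new SIM, so a naive check admits whoever holds the ported number. The `SIM_CHANGE_WINDOW` policy and the carrier’s last-SIM-change signal are assumptions, illustrating one way an identity provider can refuse to trust SMS right after a SIM change and step up to a different factor.

```python
# Added example, not SecureAuth/Acceptto code: a toy model of why an SMS OTP
# proves control of a phone number rather than of a person, and how a
# SIM-change signal (assumed to be available from the carrier) can gate it.
from datetime import datetime, timedelta, timezone

SIM_CHANGE_WINDOW = timedelta(days=7)  # assumed policy: distrust SMS soon after a SIM change


def port_number(carrier, number, new_sim, when):
    """Carrier-side rebinding of a number to a new SIM (the SIM swap itself)."""
    carrier["sim_for"][number] = new_sim
    carrier["last_change"][number] = when


def sms_otp_holder(carrier, number):
    """The OTP goes to whichever SIM the carrier currently routes the number to."""
    return carrier["sim_for"][number]


def verify_sms_otp(carrier, account, presenting_sim):
    """Naive check: whoever holds the number's current SIM can answer the OTP."""
    return sms_otp_holder(carrier, account["phone"]) == presenting_sim


def verify_hardened(carrier, account, presenting_sim, now):
    """SMS OTP is refused if the number's SIM changed recently; step up instead."""
    changed_at = carrier["last_change"].get(account["phone"])
    if changed_at is not None and now - changed_at < SIM_CHANGE_WINDOW:
        return "step_up"  # require a device-bound or behavioral factor instead
    return "allow" if verify_sms_otp(carrier, account, presenting_sim) else "deny"


def run_scenario():
    """Constructed timeline: victim logs in, attacker ports the number, retries."""
    t0 = datetime(2019, 5, 1, tzinfo=timezone.utc)
    carrier = {"sim_for": {"+15550100": "SIM-VICTIM"}, "last_change": {}}  # constructed
    account = {"user": "victim", "phone": "+15550100"}
    results = {"victim_before": verify_hardened(carrier, account, "SIM-VICTIM", t0)}
    # The carrier is talked into moving the number onto a SIM the attacker holds.
    port_number(carrier, "+15550100", "SIM-ATTACKER", t0 + timedelta(days=1))
    results["naive_after"] = verify_sms_otp(carrier, account, "SIM-ATTACKER")  # True
    results["hardened_after"] = verify_hardened(carrier, account, "SIM-ATTACKER", t0 + timedelta(days=2))
    results["victim_after"] = verify_sms_otp(carrier, account, "SIM-VICTIM")  # False: victim's phone is dead
    return results


if __name__ == "__main__":
    print(run_scenario())
```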

SIM Swappers Face Justice But Until Then, You Need To Find A Safeguard For Your IAM/CIAM Solution

SIM swapping crime pays until it doesn’t. There are countless cases that haven’t been discovered, and it is easier to get away with than you may believe, as KrebsOnSecurity describes in the blog post “Busting SIM Swappers and SIM Swap Myths”. The good news is that there are specific task forces targeting this threat vector, and they are prosecuting; see “More Alleged SIM Swappers Face Justice”.

But you cannot wait: you need something more than two-factor authentication to protect your organization’s employees and clients from a SIM Swap Scam.

Acceptto’s Biobehavioral™ Authentication Neutralizes SIM Swap Scams

In order to prevent a SIM Swap Scam, you will need a solution that employs more than traditional 2FA/MFA to protect your identity. Only a solution that understands user behavior can uniquely identify you as you and prevent someone else from impersonating you. Acceptto uses behavioral modeling instead of traditional binary authentication to deliver the smartest risk-based authentication and life cycle management available.

The obsolescence of passwords is upon us, and replacing passwords with a compelling alternative approach to authentication is way past due. Acceptto eliminates the risk of passwords, biometrics and other forms of binary 2FA/MFA authentication by delivering a behavior-based continuous authentication technique that uses a combination of your physical behaviors, attributes and Digital DNA. We call it Cognitive Continuous Authentication™.

See for yourself how Acceptto can deliver peace of mind to your employees, partners and customers through our behavioral modeling and ensure that your organization’s security, privacy, and compliance goals are exceeded; register for a free trial today.
