SecureAuth Named a Leader in KuppingerCole Leadership Compass Report for Customer Identity and Access Management

SIM Swap Strikes Again

Dr. Abdulrahman Kaitoua
September 16, 2019

Get the latest from the SecureAuth Blog

You would think that once a new hacking technique is exposed to the world that cybercriminals would no longer have an edge in using that method to gain access to someone else’s digital identity and data. Unfortunately, not everyone keeps up with cyber security news and they too become prey to preventable harm. Such is the case with the latest technique called SIM Swapping.

SIM Swap Scam Revisited

If you don’t keep up with the latest methods used by cybercriminals to hijack digital credentials, then you may be surprised that it involves directly accessing your mobile phone’s SIM card.  Called “SIM Swapping”, this approach is fundamentally a type of account takeover fraud that exposes a specific weakness in the two-factor authentication which is believed to increase personal security but, in this case, actually is responsible for breaking it. If you aren’t familiar with how the SIM swap Scam works, cybercriminals just need to execute effectively 3 steps and they can take over your accounts:

  1. Obtain a base level of personal information about the target through phishing or purchase previously stolen information from the Dark Web.
  2. Use that information along with a fake ID in order to impersonate the victim to go into a mobile phone operator retail store and claim their phone was lost or stolen and have them port the victim’s number to a new SIM. NOTE: Once this is accomplished, the victim’s valid phone will be rendered invalid and all SMS and voice messages intended for the victim will now go to the cybercriminal’s version of the victim’s phone.
  3. The cybercriminal can then create a new email account and leverage the two-factor authentication to validate password changes to any/all financial accounts and wreak havoc on the victim’s finances.

As you can see, while two-factor authentication is intended to give you a level of assurance that your accounts are only being accessed by yourself, in this case the SMS messages are being used to validate fraudulent use of your accounts because a cybercriminal now holds your phone and all associated  credentials.

Twitter CEO Latest Victim

This is not just an academic discussion.  It turns out that cybercriminals successfully deploy this method of hacking to take over high profile accounts for their own gain. CNBC published an article titled “Here’s how the recent Twitter attacks probably happened and why they’re becoming more common” that reported:

“When Jack Dorsey started sending out a string of bizarre tweets last week, it was clear that his account had been compromised. Less obvious to his more than 4 million followers was how the attackers took control of the Twitter CEO’s account for almost 20 minutes.

Twitter said hackers had gained access to Dorsey’s profile by effectively stealing his mobile phone number, which was compromised due to a “security oversight” by the carrier. While the company didn’t use the phrase “SIM swapping” in its statement, security experts attributed the attack to the increasingly popular tactic. Days later, the same thing happened to actress Chloe Moretz, who has over 3 million followers.”

This of course begs the question: what can I do to prevent this from happening to me or anyone throughout my organization?

Continuous Behavioral Authentication Neutralizes SIM Swap Fraud

In order to prevent a SIM Swap Scam, you will need a solution that requires more than just two-factor SMS identification to protect your identity. You will need a solution that understands that your behavior is the only thing that can uniquely identify you as you and prevent someone else from impersonating you. Acceptto goes beyond simple SMS authentication and requires you to access your web-based account in order to change your SIM.

Acceptto also understands that you are extremely busy and don’t have time to waste on remembering passwords, retrieving and typing in PINs or scanning various body parts in order to differentiate your identity from someone else. Your immutable identity is a combination of your physical behaviors, attributes and Digital DNA. We believe passwords are no longer relevant and that what you need is a way to immutably authenticate someone in order to be truly secure and compliant.

We call it Continuous Cognitive Authentication. You can eliminate preventable harm with our Biobehavioral AIML technology that enables frictionless authentication, prevents credentials stuffing instantaneously, ensures your true immutable identity continuously, and dramatically reduces risk, likelihood of fraud and cost of helpdesk operations without the guesswork or latency.

Acceptto is a transformative multi-factor authentication technology that delivers continuous identity protection and peace of mind in an age where passwords are ineffective and identity authentication is mission critical.

See for yourself what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy, especially for your PCI compliance requirements. Register for a free trial today.


Related Stories

Pin It on Pinterest

Share This