SIM swapping attacks have been reported in the media since 2017. Such attacks usually target banking transactions, but not exclusively: they are also perpetrated against the cryptocurrency community and against social media and email accounts.
With the ENISA Report – Countering SIM-Swapping, the EU Agency for Cybersecurity gives an overview of how SIM swapping attacks work and of the extent to which Member States are affected. The report also assesses the services impacted and issues a range of recommendations to guide national authorities, operators, banks and citizens.
What is SIM swapping?
In a SIM swapping attack, an attacker takes over the mobile phone number of the real subscriber by asking the mobile telecom provider to link that number to a SIM card under the attacker’s control.
SIM swapping procedures exist for legitimate reasons, for instance, when the SIM card is lost or damaged. SIM swapping is also used to connect mobile phones with an embedded SIM (eSIM). eSIMs are increasingly common.
In a SIM swapping attack, the attacker convinces the telecom provider to perform the SIM swap using social engineering techniques: pretending to be the real customer and claiming, for example, that the original SIM card is damaged or lost.
When the attack is successful, the genuine subscriber’s phone loses its connection to the network, and the subscriber can no longer make or receive phone calls or SMS messages.
How does a SIM swapping attack happen?
The attacker typically begins a SIM swapping attack by gathering personal details about the targeted subscriber. Personal data can be retrieved in many ways: through social engineering, phishing, malware, exploiting information from data breaches or researching the target on social media.
With the necessary information in hand, the attacker can convince the mobile network operator to transfer the subscriber’s mobile number to a new SIM card under their control, or perform the process themselves online.
As a result, the attacker takes over the number and receives all the SMS messages and voice calls intended for the legitimate subscriber. Fraudsters can then perform online banking fraud, but can also bypass the SMS- or call-based 2FA used to secure social media and other online accounts.
Why do these attacks take place?
Specific circumstances can open an opportunity for attackers, such as:
- Weak customer authentication processes
- Negligence or lack of cyber training or hygiene
- Lack of risk awareness.
A total of 48 mobile network operators from 22 countries across Europe and representatives of 14 national competent authorities responded to the survey.
48% of the MNOs surveyed did not face any SIM swapping incidents in the 12 months prior to the survey.
Of the remaining MNOs, 12 faced up to 10 incidents, while 6, in 4 different countries, faced more than 50 incidents.
Mobile Network Operators (MNOs), banks and authorities have already been collaborating to mitigate fraudulent SIM swapping. Banks can use an API provided by the MNOs to check whether a SIM swap has recently been performed on a subscriber’s number before trusting an SMS or voice call as an authentication factor. Banking institutions should consistently apply EU regulations such as Directive (EU) 2015/2366 (PSD2), and take advantage of the technical solutions made available by the telecommunications operators.
MNOs should reinforce their mechanisms for detecting and blocking fraudulent SIM swaps by strengthening their internal processes, while keeping the experience as seamless as possible for the legitimate customer. They should also provide regular cybersecurity awareness training for both their own and third-party employees, so that staff can recognise and appropriately deal with the SIM swapping threat.
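As an added illustration of how a bank could consume such an MNO SIM-swap check (this is example code written for this page, not from the ENISA report and not any operator’s or bank’s actual implementation): the policy below refuses to rely on an SMS one-time password when the MNO reports a SIM change inside a configurable window, and fails closed when the lookup cannot be completed. The JSON field name `latestSimChange`, the 72-hour window, the EUR 1000 high-value threshold, the phone numbers and the response bodies are all assumptions or constructed test data standing in for a live MNO API call; real operator APIs (for example the CAMARA SIM Swap API) expose a "date of last SIM change" or a "swapped within N hours" check, and that call would go where the lookup callable is invoked.

```python
"""
Bank-side second-factor decision using an MNO SIM-swap lookup.
Added example for illustration; not the report's or any bank's code.
The response format and thresholds are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Decisions the authentication flow can take for one transaction.
ALLOW_SMS_OTP = "allow_sms_otp"  # SMS OTP is acceptable as the second factor
STEP_UP = "step_up"              # require a non-SMS factor (app push, hardware token, branch)
DENY = "deny"                    # refuse the transaction outright


@dataclass(frozen=True)
class SimSwapResult:
    latest_sim_change: Optional[datetime]  # None when the MNO has no swap on record
    error: Optional[str] = None            # set when the lookup itself failed


# Type of the lookup callable: phone number (E.164) -> SimSwapResult
SimSwapLookup = Callable[[str], SimSwapResult]


def parse_sim_swap_response(body: str) -> SimSwapResult:
    """Parse an assumed JSON body {"latestSimChange": "<RFC 3339 timestamp>"} (the
    field name is an assumption modelled on the CAMARA SIM Swap API). Anything
    malformed or missing becomes an error result so the caller fails closed."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return SimSwapResult(None, error=f"bad JSON: {exc}")
    if not isinstance(data, dict) or "latestSimChange" not in data:
        return SimSwapResult(None, error="missing latestSimChange")
    raw = data["latestSimChange"]
    if raw is None:
        return SimSwapResult(None)  # explicit: no SIM change on record
    try:
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except (ValueError, AttributeError) as exc:
        return SimSwapResult(None, error=f"bad timestamp: {exc}")
    if ts.tzinfo is None:
        return SimSwapResult(None, error="timestamp without timezone")
    return SimSwapResult(ts)


def decide_second_factor(
    msisdn: str,
    amount_eur: float,
    lookup: SimSwapLookup,
    now: datetime,
    swap_window: timedelta = timedelta(hours=72),   # assumed policy value
    high_value_eur: float = 1000.0,                 # assumed policy value
) -> str:
    """Assumed policy, for illustration:
      - lookup failed       -> fail closed: step up, or deny if high-value
      - SIM changed recently -> never trust SMS OTP: step up, or deny if high-value
      - otherwise           -> SMS OTP acceptable
    """
    result = lookup(msisdn)
    if result.error is not None:
        # API unavailable, number unknown or response unparseable: treat the SIM
        # status as unknown, not as safe.
        return DENY if amount_eur >= high_value_eur else STEP_UP
    if result.latest_sim_change is not None and now - result.latest_sim_change < swap_window:
        return DENY if amount_eur >= high_value_eur else STEP_UP
    return ALLOW_SMS_OTP


# Constructed stand-in responses (fictional numbers and timestamps), keyed by MSISDN.
_CONSTRUCTED_RESPONSES = {
    "+358401234567": '{"latestSimChange": "2024-03-10T09:00:00Z"}',  # swapped 2 h before NOW
    "+358409876543": '{"latestSimChange": "2023-11-02T14:30:00Z"}',  # swapped months ago
    "+358405555555": '{"latestSimChange": null}',                    # no swap on record
    "+358407777777": '{"status": "unknown"}',                        # malformed: field missing
}


def constructed_lookup(msisdn: str) -> SimSwapResult:
    """Offline stand-in for the MNO API call; a real client would do an HTTP request here."""
    body = _CONSTRUCTED_RESPONSES.get(msisdn)
    if body is None:
        return SimSwapResult(None, error="number not served by this MNO")
    return parse_sim_swap_response(body)


NOW = datetime(2024, 3, 10, 11, 0, tzinfo=timezone.utc)  # fixed "current time" for the example

if __name__ == "__main__":
    for msisdn, amount in [("+358401234567", 250.0), ("+358401234567", 5000.0),
                           ("+358409876543", 5000.0), ("+358405555555", 50.0),
                           ("+358407777777", 50.0), ("+4915112345678", 5000.0)]:
        print(msisdn, amount, decide_second_factor(msisdn, amount, constructed_lookup, NOW))
```

The fail-closed branch matters as much as the recent-swap branch: an attacker who can make the lookup fail (or a simple outage) must not silently downgrade the bank to trusting SMS again, which is why an unparseable response is mapped to an error rather than to "no swap".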
National authorities should encourage and enhance coordination between the MNOs and the banking sector. Cooperation with national Computer Security Incident Response Teams and law enforcement agencies should also be promoted.
Subscribers are strongly recommended to contact their provider and/or their bank, and to change the passwords of their online accounts, in case they:
- Become aware of helpdesk scams, where an attacker calls and claims to be working for a telecom company or a tech company.
- Notice that their phone has lost network connection for an extended period and they are unable to make or receive phone calls.
- See suspicious transactions in their banking accounts, or lose access to their social media or email accounts or see activity they do not recognise.