What is SIM Swapping and how to avoid fraud?
SIM Swapping is a fraud that consists of obtaining a duplicate or clone of the SIM card associated with a telephone line, impersonating the owner of that line in order to access their bank accounts through the SMS messages (OTP codes) used as the second authentication factor.
This fraud has grown to such an extent in recent months that the AEPD has imposed fines ranging from 70,000 euros to 3.94 million euros (5.8 million euros in total) on the main operators in the country (Vodafone, Orange, Telefónica and Xfera) for failing to comply with data protection rules and not adequately protecting the confidentiality and data of their clients.
This serious wake-up call by the AEPD, together with the ease with which cybercriminals manage to carry out SIM-swapping fraud, will force telephone operators to strengthen their security, prevention, and identity verification measures.
Phases in which SIM Swapping is carried out
SIM Swapping can be carried out for different purposes: from accessing bank accounts to obtaining email accounts or social network profiles of the person who suffers the fraud.
Many cybercriminals seek to access Google accounts or services and social networks such as Facebook, to blackmail the account owners by threatening their digital reputation or directly accessing crypto wallets or electronic wallets.
However, access to bank accounts is the most common, elaborate, and dangerous variant of the fraud, as it is the one that maximizes the economic gain for the cybercriminal. For this, in addition to obtaining a duplicate SIM card, the user’s online banking access credentials also have to be stolen.
Therefore, for this specific case we can divide the fraud into two distinct phases:
- Theft of the victim’s bank account credentials.
- Cloning or duplication of the SIM card.
1. Theft and access to online banking credentials
In order to access the victim’s bank account, the first step is to fraudulently obtain their online banking credentials.
The most common types of identity fraud, such as Spoofing, Phishing, or Pharming, are usually carried out through fraudulent emails and websites that impersonate banks, deceiving users into sharing personal information such as their credit card number, social security number or online banking credentials.
2. SIM card cloning and duplication
The next step is to steal that person’s phone or get a duplicate SIM card to access the SMS verification codes sent to that phone number (two-factor authentication).
And this is exactly where the problems for telephone operators arise, since criminals usually show up at physical stores with a false claim that their phone has been stolen, along with a forged photocopy of the DNI (national identity document), to obtain a duplicate SIM card.
The security mechanisms used in stores to verify the identity of these people are usually based on personal questions whose answers the criminals already know, so they obtain the new SIM card relatively easily.
Therefore, there is a security gap in this face-to-face verification process, since telecommunications operators use weak methods to verify the identity of the people who request a duplicate SIM card.
Use two-factor authentication: PSD2
At the end of 2019, PSD2 (the Revised Payment Services Directive) came into force in the European Union to reinforce the security of digital transactions and payments, imposing the use of at least two authentication factors (2FA) to verify the identity of users who carry out a banking operation.
Strong Customer Authentication (SCA) requires at least two factors from the following categories:
- Something you know (password or PIN),
- Something you have (card or mobile), and
- Something you are (biometric recognition).
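As an added example (not code from the original article), the following Python model puts the two defensive points above together: an SCA check that only passes when the presented evidence covers two distinct factor categories, and a check that stops trusting an SMS OTP when the operator's records show the SIM behind that number was replaced recently, which is exactly the window in which a duplicate SIM is in the criminal's hands. The factor names, the SIM-change records and the 72-hour window are constructed assumptions for this example, not a real bank's or operator's API.

```python
from datetime import datetime, timedelta
from enum import Enum


class FactorCategory(Enum):
    """The three SCA categories from PSD2."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical mapping from the evidence a login presents to its SCA category.
# The names are assumptions for this example, not a real bank's API.
FACTOR_CATEGORY = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "sms_otp": FactorCategory.POSSESSION,   # OTP delivered to the phone number
    "app_push": FactorCategory.POSSESSION,  # approval bound to an enrolled device
    "fingerprint": FactorCategory.INHERENCE,
}

# Constructed SIM-change records: phone number -> when the operator last issued
# a new SIM for that line. In practice this comes from the operator; here it
# is embedded sample data.
SIM_CHANGE_LOG = {
    "+34600000001": datetime(2024, 5, 1, 10, 0),  # SIM replaced one day ago
    "+34600000002": datetime(2024, 4, 1, 9, 0),   # SIM replaced a month ago
}

# Assumed policy: SMS to a line whose SIM changed within this window is untrusted.
SIM_SWAP_COOLDOWN = timedelta(hours=72)

# Constructed "current time" used by the demo and the checks below.
SAMPLE_NOW = datetime(2024, 5, 2, 10, 0)


def satisfies_sca(presented):
    """True if the evidence covers at least two distinct SCA categories.

    Two factors of the same category (password + PIN) do not count as SCA.
    """
    categories = {FACTOR_CATEGORY[name] for name in presented}
    return len(categories) >= 2


def sms_otp_trusted(phone, now):
    """False if the SIM behind `phone` was replaced inside the cooldown window."""
    changed_at = SIM_CHANGE_LOG.get(phone)
    if changed_at is None:
        return True  # no recorded SIM change for this line
    return now - changed_at >= SIM_SWAP_COOLDOWN


def evaluate_login(phone, presented, now):
    """Combine both checks and return (decision, reason).

    An SMS OTP after a fresh SIM swap is rejected before the factors are
    counted: otherwise the attacker holding the duplicate SIM would satisfy
    the "something you have" category with the victim's own phone number.
    """
    if "sms_otp" in presented and not sms_otp_trusted(phone, now):
        return ("deny", "SIM changed recently; SMS OTP not trusted, step up to app or branch verification")
    if not satisfies_sca(presented):
        return ("deny", "fewer than two independent factor categories presented")
    return ("allow", "SCA satisfied")


if __name__ == "__main__":
    for phone, presented in [
        ("+34600000001", ["password", "sms_otp"]),   # stolen credentials + OTP on a swapped SIM
        ("+34600000002", ["password", "sms_otp"]),   # same factors, SIM stable
        ("+34600000002", ["password", "pin"]),       # two knowledge factors only
        ("+34600000001", ["password", "app_push"]),  # possession not tied to the SIM
    ]:
        print(phone, presented, "->", evaluate_login(phone, presented, SAMPLE_NOW))
```

The point of the ordering in `evaluate_login` is that a password plus an SMS code looks like valid SCA on paper, yet after a SIM swap both factors are in the criminal's hands; binding the possession factor to an enrolled device (`app_push`) rather than to the phone number removes the dependence on the operator's in-store identity checks.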