Politicians, celebrities, consumers and influencers: anyone can become a target of SIM Swap fraud.
Also known as SIM Swapping, SIM Swap fraud consists of transferring a user’s cell line to a blank chip (SIM). From there, hackers can take total control of the victim’s phone line, allowing the interception of calls and messages, the invasion of bank accounts and social media, and even the theft of cryptocurrencies.
The fraud has made headlines over the past two years, after victimizing Twitter’s CEO, Jack Dorsey. Today, it has established itself as one of the main cybersecurity threats in Latin America, worrying mobile phone companies in the region.
In this scenario, investing in Information Security has become increasingly important for companies in the sector and for other companies that deal with customers’ sensitive data.
SIM Swapping: How does the chip exchange happen?
The SIM Swap fraud can happen by different means.
The strategy most used by digital criminals is to ask the operator to port a phone number to another device, transferring control of the number to the criminal. The process, which often requires little information besides name, cell phone number and birthday, goes through without complications, in part because it was originally intended to serve customers who buy a new device or who lose or break their phone.
Another route is to rely on a specific database, improperly sold to cybercriminals by third parties in violation of user privacy laws, with information about mobile numbers, mainly those of authorities, celebrities and politicians. In this case, the attacker doesn’t even need social engineering to obtain information about the victim, and the path to extortion and exposure of victims opens more easily.
Number of cell phones explains vulnerability to SIM Swap fraud in Latin America, says survey
Since 2019, SIM Swap fraud has grown considerably in Latin America, becoming one of the main digital security threats in the region.
According to surveys from the mobile phone industry, 4 out of 5 attempts to change a chip are successful.
At the time, another survey, prepared by the GSMA, obtained some interesting data that could explain the increasing number of SIM Swap fraud cases worldwide. According to the study, titled Mobile Economy 2019, approximately 5.1 billion people own a cell phone. That figure corresponds to 67% of the world population.
As for Latin America, where the incidents have occurred with great frequency, the survey says that the region ranks 4th among the places with the most mobile devices of this type, with 67% penetration.
The scenario, again, highlights the need for companies to expand their cybersecurity investments, as well as to educate employees and customers on how to handle sensitive information.
SIM Swap fraud: How should companies and customers protect themselves?
To mitigate the risks of SIM Swap fraud, experts give some tips for companies and customers.
Companies
For companies, the main recommendation is that CEOs and executive leaders train their employees and prepare them so that the company complies with the General Data Protection Law (LGPD, in Portuguese). This recommendation becomes even more important considering that, in Brazil, less than 30% of companies prepare their employees for the LGPD.
Besides that, it is worth remembering that 25% of a company’s sensitive data leaks are caused by internal agents, such as employees and partners, either accidentally or intentionally, according to IBM data.
Another recommendation for companies to reduce the risk of chip exchange fraud is to adopt solutions that reduce the response time of calls. Although experts say that some Latin American operators already have a more robust process to prevent SIM Swap attacks, detecting SIM reissuance or a change of mobile phone based on the IMSI-IMEI-MSISDN correlation, these professionals say it is essential to use technologies that help shorten the response time of calls, reducing the potential damage to the victim.
Customers
Customers, for their part, can reduce their exposure to SIM Swap fraud by using two-factor authentication.
Two-factor authentication is simply a feature offered by many online service providers that adds an additional layer of security to the account login process by requiring the user to provide two forms of authentication. The first, in general, is their password. The second factor can be anything, depending on the service. The most common case is an SMS or a code sent to an email address. However, experts recommend using factors other than SMS, since SMS relies on the mobile number as the security factor.
Another tip is to be aware of phishing scams and USSD (Unstructured Supplementary Service Data) attacks, which aim to obtain personal information. It is therefore worth being wary of suspicious emails, not clicking on unknown links and not downloading unsolicited documents and files.
In case of any doubt, these professionals recommend that the customer use official channels to contact the company that appears to be trying to communicate with them.
Checking the security certificate of websites and apps as well as changing passwords regularly can also increase fraud protection.
Lastly, personal data, such as ID and cell phone numbers, should be shared with care and never publicly.
SIM Swap Check: Solution helps companies to fight against bank fraud and reinforces DNK-Infobip partnership
To help mitigate the risks of SIM Swap fraud, Latin American companies can count on the SIM Swap Check solution.
The solution, provided by our partner Infobip, consists of checking whether a cell phone number has recently changed SIM card, which can be an indicator of subscription fraud.
Based on personal data obtained through phishing or other social engineering means, criminals can pass as the victim and steal their phone number in operator stores. Once a new SIM card is activated, the crook installs financial apps and tries to log into the victim’s accounts. Some apps offer proof of identity by sending a password via SMS to a registered number. As the criminal is temporarily controlling the victim’s number, they receive the token by SMS and access the bank.
With SIM Swap Check, banks check with the telecom operators, in real time, whether a given number changed SIM card in the last 12 or 24 hours. If it did, they can take preventive measures, such as requiring other forms of authentication to validate a transaction or simply blocking it.
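The following Python example is added here for illustration and is not code from DNK, Infobip or any operator. It combines the two checks described in this article: detecting a SIM reissuance from the IMSI-IMEI-MSISDN correlation, and refusing to rely on an SMS code when the SIM changed within the 12 or 24 hour window. The function names, the record layout and all sample values are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed operator-side observations: (MSISDN, IMSI, IMEI, first seen in UTC).
# Every number below is made up for illustration.
OBSERVATIONS = [
    ("+5511900000001", "724050000000001", "350000000000011", "2024-03-01T10:00:00+00:00"),
    # Same IMSI, new IMEI: the customer moved the SIM to a new handset.
    ("+5511900000001", "724050000000001", "350000000000022", "2024-03-09T08:00:00+00:00"),
    ("+5511900000002", "724050000000002", "350000000000033", "2024-02-01T09:00:00+00:00"),
    # New IMSI for the same MSISDN: the SIM was reissued.
    ("+5511900000002", "724050000000099", "350000000000044", "2024-03-10T06:30:00+00:00"),
]


def last_sim_change(msisdn, observations):
    """Return when the IMSI bound to msisdn last changed, or None if it never did."""
    rows = sorted(
        (datetime.fromisoformat(ts), imsi)
        for m, imsi, _imei, ts in observations
        if m == msisdn
    )
    changed = None
    for (_, prev_imsi), (ts, imsi) in zip(rows, rows[1:]):
        if imsi != prev_imsi:
            changed = ts
    return changed


def sms_otp_decision(msisdn, now, observations, window_hours=24, high_risk=False):
    """Decide whether an SMS code is acceptable for this number at time `now`."""
    if not any(m == msisdn for m, *_ in observations):
        # No operator data for the number: do not trust SMS on its own.
        return "step_up"
    changed = last_sim_change(msisdn, observations)
    if changed is not None and now - changed <= timedelta(hours=window_hours):
        # Recent SIM change: require another factor, or block a high-risk transaction.
        return "block" if high_risk else "step_up"
    return "allow_sms"
```

A handset change alone (new IMEI, same IMSI) does not trigger the control, which keeps legitimate phone upgrades from being challenged.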
Recognizing the importance of keeping customers’ and companies’ information secure, DNK sees the value of allying with strategic partners such as Infobip to offer the best in customer service, with maximum security and respect for the standards required by the LGPD.