Earlier this month, the U.S. Securities and Exchange Commission (SEC) attributed a breach of its official account on X (formerly Twitter) to a SIM swap attack. On January 9, 2024, an unauthorized party gained control of the @SECGov account and posted a fake announcement, falsely claiming that the agency had given approval for the first-ever spot bitcoin exchange-traded funds (ETFs).
Subsequently, the cryptocurrency market experienced significant fluctuations, with bitcoin prices initially surging to nearly $48,000 from a daily low of just above $45,000. However, once the SEC clarified that it had not yet approved the Bitcoin ETF, prices rapidly dropped below $46,000.
Following the incident, and after a two-day evaluation in collaboration with the SEC’s telecom carrier, it was concluded that an unauthorized party had gained control of the SEC cell phone number linked to the account through what appeared to be a SIM swap attack.
A SIM swap occurs when a phone number is moved to another device without the owner’s consent, granting unauthorized access to SMS messages and voice calls meant for the victim.
After gaining control of the phone number, the unidentified individual proceeded to reset the account password. Due to the absence of multi-factor authentication (MFA) on the SEC account, the SIM swap and subsequent password change were the sole steps required to attain complete access to the agency’s account.
What’s especially notable about this attack is not just its brazen nature, targeting one of the world’s most important financial regulatory organizations (the SEC oversees and governs more than $350 trillion in fixed income, equity trading and other financial transactions). It is the ease with which these fraudsters applied the SIM swap attack, which indicates the issue should be a top concern for all organizations.
As reported in the FBI’s 2022 Internet Crime Report, incidents of SIM swap fraud surged to unprecedented levels, affecting over 2,000 individuals and resulting in losses exceeding $72 million. This marked a 25% increase compared to the reported 1,600 cases in 2021.
Consumer complaints about port-out and SIM-swapping fraud lodged with the FCC and FTC continue to rise each year. In a notable case from early 2022, around 6,000 TracFone customers had their numbers transferred to other carriers, leading to some customers losing access to their numbers for up to 12 days.
While mobile carriers and law enforcement agencies are working to adapt to these threats, attackers are also enhancing the sophistication of their efforts. The progression of porting attacks can be attributed to factors such as the availability of personal data on the dark web, the use of social engineering tactics and shortcomings in current porting procedures.
To comprehend the mechanics of a SIM swap, it’s crucial to understand the function of a SIM card. A Subscriber Identity Module (SIM) card is a diminutive electronic chip used in mobile devices, including smartphones, tablets and some other connected gadgets. Essentially, it serves as a portable memory chip securely storing information necessary to identify and authenticate a subscriber on a mobile network.
The primary role of a SIM card is to establish a link between the mobile device and the cellular network provider. It contains vital data, including the subscriber’s unique identification number, authentication keys, network authorization details and other pertinent information. This data is integral for the network to recognize and validate the subscriber, granting them access to voice, messaging and data services.
Upon inserting and activating a SIM card in a compatible device, the device is allowed to connect to a specific cellular network. This connection empowers the user to make calls, send messages and access the internet using the services provided by the network. SIM cards also facilitate features such as roaming, permitting subscribers to use their devices on other compatible networks during international travel.
A SIM swap typically begins with the attacker collecting personal information about the victim, including their full name, date of birth, address and other details, using methods such as social engineering, phishing or exploiting data breaches, as explained below.
Armed with this personal data, the scammer contacts the victim’s mobile network provider, assuming the victim’s identity. They claim to have lost their phone or SIM card and request the transfer of their number to a new SIM card. The attacker may present stolen personal information to persuade the provider to initiate the transfer. Additionally, instances have been documented where phone carrier employees, motivated by bribes, engage in illegal SIM swaps.
Once the mobile carrier (e.g., Verizon, T-Mobile or AT&T) accepts the attacker’s assertions and transfers the victim’s phone number to the new SIM card, the attacker gains control over the victim’s phone number. This enables them to intercept calls, text messages (particularly those containing one-time passwords) and other communications directed to the victim’s phone number.
SIM swapping scams pose a significant security threat, as they empower attackers to seize control of a victim’s digital identity, compromise their accounts and engage in financial fraud or other malicious activities.
To thwart account takeovers (ATOs) driven by SIM swap attacks, organizations must safeguard passwords and one-time passwords/passcodes (OTPs) by actively assessing the trustworthiness of transactions in real-time, utilizing phone number intelligence and associated trust indicators.
By using stolen information, scammers deceive mobile carriers into executing SIM swaps. Following a SIM swap (also known as SIM jacking), fraudsters request and intercept OTPs from the victim’s bank accounts, cryptocurrency holdings and social media profiles. Subsequently, they gain unauthorized access to these online accounts, swiftly emptying funds and often engaging in additional identity theft activities such as acquiring new credit cards or loans. While individuals can take some preventive measures against SIM swaps, the primary responsibility lies with financial institutions, banks and companies to enhance their two-factor authentication systems.
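As an added illustration (not code from the original article or any vendor), the sketch below shows how a service could gate SMS OTP delivery on phone-number trust indicators before a sensitive action such as a password reset. The `PhoneSignals` fields, the action names and both time windows are assumptions; a real deployment would populate the signals from its carrier or phone-intelligence provider.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds; tune to your own risk appetite.
BLOCK_WINDOW = timedelta(hours=72)   # very recent SIM change or port: do not trust SMS
REVIEW_WINDOW = timedelta(days=14)   # recent change: require an additional factor
HIGH_RISK_ACTIONS = {"password_reset", "payout", "change_phone"}  # hypothetical names

@dataclass
class PhoneSignals:
    """Hypothetical trust indicators for the number an OTP would be sent to."""
    sim_changed_at: Optional[datetime]   # last SIM change; None = none on record
    ported_at: Optional[datetime]        # last carrier port; None = none on record
    signals_available: bool = True       # False = the lookup failed or timed out

def decide_sms_otp(sig: PhoneSignals, action: str, now: datetime) -> str:
    """Return 'allow_sms', 'step_up' or 'deny_sms' for the requested action."""
    high_risk = action in HIGH_RISK_ACTIONS
    if not sig.signals_available:
        # Fail closed for account-recovery style actions when nothing is known.
        return "step_up" if high_risk else "allow_sms"
    events = [t for t in (sig.sim_changed_at, sig.ported_at) if t is not None]
    if not events:
        return "allow_sms"
    age = now - max(events)              # time since the most recent change
    if age < BLOCK_WINDOW:
        # Number may be under an attacker's control: never reset over SMS.
        return "deny_sms" if high_risk else "step_up"
    if age < REVIEW_WINDOW:
        return "step_up" if high_risk else "allow_sms"
    return "allow_sms"

NOW = datetime(2024, 2, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time
SAMPLES = {  # constructed inputs, not real subscriber data
    "swapped_2h_ago": PhoneSignals(NOW - timedelta(hours=2), None),
    "ported_5d_ago": PhoneSignals(None, NOW - timedelta(days=5)),
    "stable_number": PhoneSignals(NOW - timedelta(days=400), None),
    "no_data": PhoneSignals(None, None, signals_available=False),
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        print(f"{name:15s} -> {decide_sms_otp(sig, 'password_reset', NOW)}")
```

A `step_up` result means the caller should require a factor that does not depend on the phone number, and `deny_sms` means the SMS channel is refused outright for that action.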