SIM swapping

from Wikipedia, the free encyclopedia

SIM swapping, also called SIM card swap, is a fraud scheme in which an attacker takes over a user's mobile phone number in order to obtain the victim's online identity, possibly only for a short time, and to impersonate the target person (identity theft). As early as 2013, 2014 and 2015, fraudsters stole five-digit euro amounts in this way; the total damage amounted to over one million euros. Mobile phone providers have since tightened their security measures, especially for the activation of replacement SIM cards in phone shops and via the hotline.

Background

The growing importance of mobile access to the Internet goes hand in hand with the mobile phone number being used more and more frequently as a central identifier of a user, in addition to or instead of an email address.

The mobile phone number is used today by many online services, for example

  • to restore access to a user account when the password has been forgotten, or
  • as an additional factor alongside the password (two-factor authentication), e.g. with many e-mail providers and with services such as Amazon, Facebook, Google, Instagram and Twitter. Some online banking applications also send a TAN to the mobile phone via SMS (mobile TAN procedure).

On the other hand, as recently as the beginning of September 2019 the IT security expert Sanyam Jain of the GDI Foundation found a database containing hundreds of millions of phone numbers, each linked to the ID of the associated Facebook account, freely accessible and unencrypted on the Internet; the news portal TechCrunch reported on it. In some cases the database also listed names, country, gender and other attributes. Most of the affected accounts are believed to belong to users in the UK, the US and Vietnam. The database was taken offline soon after TechCrunch's report; its operator could not be determined.

With the emergence of eSIM offerings, SIM swapping has received new impetus, because loading a virtual SIM card is even easier when a postal address is no longer needed. The first major cases of eSIM swapping have already occurred, and some providers have therefore integrated additional security mechanisms into their eSIM systems.

Method

First, the attacker obtains personal data about the targeted victim. SIM swapping generally requires knowledge of the name and mobile phone number and, depending on the provider, further data such as the postal address or the credentials for the provider's online portal. Such information is often obtained through social engineering methods such as phishing e-mails, or is simply purchased.

A SIM swapping attack exploits the fact that mobile network providers routinely issue their customers a new SIM card, e.g. when the phone has been lost, the SIM card has a technical defect, or a new phone requires a different SIM card format. The existing telephone number is then transferred to the new SIM card. In a SIM swapping attack, the attacker poses as the actual customer to the mobile phone provider, either in the online portal (if the attacker was able to obtain the credentials beforehand) or by telephone at the customer service center (identifying themselves with the date of birth, postal address or IBAN). Cancelling the contract under a false name combined with porting the number to another provider is also conceivable.

Once the fraudster has received the SIM card, they can make calls and receive text messages on the victim's phone number and thus gain access to various online services on behalf of the compromised user, e.g. by means of the "reset password" function if the user is verified via an SMS or a call to the mobile device.

On August 30, 2019, for example, the Twitter account of Jack Dorsey, inventor and co-founder of Twitter and of the mobile payment service Square, was hijacked for almost an hour, and racist tweets were posted in Dorsey's name.

With Instagram, on the other hand, entering the mobile phone number associated with the account is sufficient to reset the password.

Protective measures

An awareness of the risks of phishing is essential, especially a healthy distrust of links and file attachments in purported e-mails from the bank. In case of doubt, asking the bank directly can provide clarity.

Effective protection against SIM swapping attacks is therefore to secure the issuing of a new SIM card for the phone number with a customer password or a PIN code. Mobile network providers usually agree such a customer password when the contract is concluded, or it can be set or changed later using a corresponding form. If mobile data or calls unexpectedly stop working, it is recommended to contact the mobile network operator immediately.

Apps for two-factor authentication such as Google Authenticator or Authy, or small external devices such as TAN generators or Seal One that are connected via USB or Bluetooth, offer more security than SMS.

Independently of this, SIM swapping attacks can be thwarted by disabling the option of resetting the password via SMS, where the online service's settings allow it. Password managers help make the passwords themselves secure: with their help, long randomly generated passwords, different for each online service, can be stored, managed and used conveniently and securely.
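The attack route described in the Method section is the "reset password" function that trusts an SMS or call to the phone number, and the paragraph above recommends switching that option off. The following added example (not code from the article or from any of the services it names) shows the server-side policy a service could apply to password-reset requests. It goes slightly beyond the article: besides honouring the per-account "no SMS reset" switch, it also puts SMS resets on hold for a cooling-off period after a recent SIM change. The `sim_changed_at` field, which stands in for a carrier lookup result, the seven-day period, the account fields and all sample accounts and requests are constructed assumptions of this example.

```python
"""Added example: account-recovery policy that makes a hijacked phone number
useless for password resets. Accounts, requests and the carrier signal are
constructed sample data, not a real API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Cooling-off period after a carrier-reported SIM change (assumed value).
SIM_CHANGE_COOLOFF = timedelta(days=7)


@dataclass
class Account:
    username: str
    allow_sms_reset: bool = True        # the "reset via SMS" switch to turn off
    totp_enrolled: bool = False         # authenticator app configured
    recovery_email: Optional[str] = None


@dataclass
class ResetRequest:
    username: str
    channel: str                        # "sms", "totp" or "email"
    at: datetime
    sim_changed_at: Optional[datetime] = None  # hypothetical carrier lookup


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(acct: Account, req: ResetRequest) -> Decision:
    """Apply the recovery policy to one password-reset request."""
    if req.channel == "sms":
        if not acct.allow_sms_reset:
            return Decision(False, "sms-reset-disabled")
        # A SIM that changed hands a few hours ago is exactly the SIM-swap
        # pattern; hold SMS-based recovery until the cooling-off period ends.
        if req.sim_changed_at is not None and \
                req.at - req.sim_changed_at < SIM_CHANGE_COOLOFF:
            return Decision(False, "recent-sim-change")
        return Decision(True, "sms")
    if req.channel == "totp":
        if acct.totp_enrolled:
            return Decision(True, "totp")
        return Decision(False, "totp-not-enrolled")
    if req.channel == "email":
        if acct.recovery_email:
            return Decision(True, "email")
        return Decision(False, "no-recovery-email")
    return Decision(False, "unknown-channel")


def weaknesses(acct: Account) -> List[str]:
    """What the account owner should change to resist SIM swapping."""
    out = []
    if acct.allow_sms_reset:
        out.append("disable password reset via SMS")
    if not acct.totp_enrolled:
        out.append("enrol an authenticator app instead of SMS codes")
    return out


# Constructed sample data: two accounts and four reset requests.
T0 = datetime(2019, 9, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice": Account("alice", allow_sms_reset=False, totp_enrolled=True,
                     recovery_email="alice@example.org"),
    "bob": Account("bob"),              # defaults: SMS reset on, no app
}
REQUESTS = [
    ResetRequest("alice", "sms", T0),
    ResetRequest("alice", "totp", T0),
    # bob's SIM changed two hours before the reset attempt
    ResetRequest("bob", "sms", T0, sim_changed_at=T0 - timedelta(hours=2)),
    # same SIM change, but the request comes eight days later
    ResetRequest("bob", "sms", T0 + timedelta(days=8),
                 sim_changed_at=T0 - timedelta(hours=2)),
]


def run_sample() -> List[Decision]:
    """Evaluate every sample request against its account's policy."""
    return [decide(ACCOUNTS[r.username], r) for r in REQUESTS]


if __name__ == "__main__":
    for req, dec in zip(REQUESTS, run_sample()):
        print(f"{req.username:6} {req.channel:5} -> {dec.allowed} ({dec.reason})")
    print("bob should:", weaknesses(ACCOUNTS["bob"]))
```

In the sample, alice's SMS reset is refused outright because she disabled that channel, while her authenticator-based reset is accepted; bob, who kept SMS enabled, is protected only by the cooling-off rule, and once that period has elapsed the weak channel is open again. That difference is the reason the settings change recommended above matters more than any heuristic on the provider's side.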
