AUTHOR: Wayne Hines

Background 

Personal identity theft is the fraudulent misuse of an individual’s name or personally identifying information for criminal or deceptive purposes. Identity theft is not new; however, these scams continue to grow in complexity and are increasingly tailored for use in a digital environment. Identity theft represents a huge impost to the economy, to business, to institutions and individuals.

Users, administrators and operators of any Information System platform must be especially vigilant for identity theft, and administrators and operators of user authentication platforms such as Duo even more so. As such, there is a need to report any suspicious, unexplained activity that you observe in daily operations.

SIM Swap Attacks 

System administrators and operators should be aware that an increasingly preferred method for beginning a cyber-attack is the ‘SIM swap’ attack, where an attacker assumes your identity with your mobile phone telecommunications provider, then uses this stolen identity to gain access to other assets.

The relative ease of conducting a SIM swap attack is a reason not to use SMS messages as a means of identity authentication. For this reason, UNE’s Multi-Factor Authentication (MFA) now excludes SMS messaging as a means of authentication for general users.

How does it happen 

A SIM swapping attack occurs when an attacker convinces a victim’s mobile phone carrier to port the victim’s mobile phone number to a device the attacker owns. At this point, they can receive phone calls and text messages intended for the victim. The attacker will then use this to gain further access to any account that is protected using the victim’s mobile phone number. This can include anything from an email account to other online accounts ranging from social media to banking and even cryptocurrency. 

One of the key factors allowing this to happen so easily is that Australian mobile carriers are required to allow a customer to move their phone number to other carriers easily. Carriers also offer hassle-free porting of mobile phone numbers to other devices for customers who have had phones lost or stolen, or who want to upgrade to a new phone. This provides convenience for the customer but has introduced a serious attack vector.

Tell-tale signs of a ‘SIM swap’ attack include

  1. A legitimate but unexpected communication from your mobile phone telecommunications provider, informing you that a request to move your mobile number to a different carrier has been received.
  2. A legitimate but unexpected communication from your mobile phone telecommunications provider, informing you that a request to change personal information about you has been received.
  3. Unexpected and sustained loss of phone service to your mobile phone, particularly if other users of the same carrier are nearby and have no loss of service. Check that the loss of service is not due to loss of contact between your SIM card and your phone; taking your SIM card out and reinserting it can often fix this issue. Occasionally SIM cards do fail, so don’t assume loss of service means a SIM swap attack is happening. Check that the phone bill is paid.

What to do if an attack is suspected 

  • Contact the mobile phone provider immediately through a trusted method; 
  • Contact any other entities (e.g. banks) as needed to protect your assets through a trusted method; 
  • Report the incident through usual UNE reporting channels; 
  • Change the passwords on all your accounts.

The Reality 

The following are recent examples of such a scam in action and the outcome. 

News story 1 

An Adelaide schoolteacher lost her entire life savings – a whopping $43,000 – in a “sophisticated” hack that could happen to anyone. 

Debra*, who requested her real name not be used, had her world turned upside down at the end of 2019 in a single text message. 

The 36-year-old South Australian had just booked a trip to London when her mobile phone suddenly lost signal. 

She had fallen victim to a SIM swap hack, where a cyber-criminal had remotely gained control of her phone by impersonating her to her telecommunication provider, Optus, and asking for an eSIM.

Currently, most phone companies including Optus only need the customer’s full name, date of birth, phone number and address before authorising a SIM swap. 

By the time Debra woke up the next morning, there was only $200 left in her account. Transaction records showed the other $42,900 had been transferred out in eight instalments to several international accounts over the course of less than two hours. 

News story 2 

The first time this user noticed anything wrong was when his mobile phone suddenly lost service.  It came out of the blue, there was no explanation. 

Where he’d normally see connectivity bars on his iPhone 12 Pro, there was just an “SOS” displayed – the term used by telcos to show a mobile phone has been cut from the network. 

Mysteriously, his connection to Optus was gone. 

His hard-earned life savings, around $35,000, would also soon vanish, siphoned off by a hacker to a cryptocurrency exchange and then converted into untraceable Bitcoin.

The Sydney nurse didn’t know it but while he’d been busy working a morning shift at Westmead Hospital, in Sydney’s west, helping sick patients, he’d become the victim of a devastating sim swap, also known as simjacking or a sim hijack. 

A hacker was permitted to use private details and activate an eSIM using just the Optus online message system, without having to verify their identity face-to-face in an Optus store, which then allowed them to steal his phone number. 

Once the hacker had his phone number, they took control of all his bank accounts, raised the spend limit of a ZipPay account, attempted to do the same on his AfterPay account, and gained access to all his immigration documentation, including his UK passport. 

What is the Australian Communications and Media Authority (ACMA) doing?

The telecommunications watchdog has cracked down on all telecommunication providers for allowing SIM swap scams to occur.

Currently, some phone companies like Optus only require the customer’s full name, date of birth, phone number and address before authorising a SIM swap.

ACMA announced new rules on Friday, warning that legal action will be taken against telco organisations if they’re not followed. The new requirements, called the “Telecommunications Service Provider (Customer Identity Authentication) Determination 2022”, will come into effect on June 30, 2022. From then on, telcos must use multi-factor authentication to manage SIM swaps/changes.

Note: 2021 saw 510 cases of SIM swap, of which 163 resulted in financial loss.