SIM swap fraud is a fast, invasive, devastating form of theft—and it can happen to anyone. One tech entrepreneur lost $23.8 million in under 10 minutes. Twitter CEO Jack Dorsey lost control of his own Twitter account to SIM swappers in a public relations nightmare. These high-profile targets, with seemingly unlimited resources for tech protection, couldn’t stop SIM swap fraud, so how can you? Simple—with ZenKey.
What Is SIM Swap Fraud?
Also known as SIM-jacking, SIM-splitting, SIM-hijacking or port-out scamming, SIM swap fraud is a scheme in which a victim’s phone number is taken over by a fraudster who uses social engineering to circumvent the safeguards that many apps, websites and wireless providers have in place. By canceling a victim’s SIM card (subscriber identity module card) and transferring control of the victim’s phone number to their own SIM card, the fraudster can change the victim’s usernames and passwords in order to access their bank accounts, apps and more.
How Does SIM Swap Fraud Work?
A SIM swap fraudster typically obtains information about their victim before perpetrating the attack. Phishing emails, malware, phone calls, the dark web and social media are all tools of their trade. The fraudster uses the information they’ve gathered to social-engineer a customer care representative from the victim’s wireless carrier.
Here’s how that looks:
1. Call. “Frank the Fraudster” uses information about “Vince the Victim” to convince “Carol at Customer Care” that Frank is Vince. Even if Frank doesn’t know all of Vince’s info, just knowing something like the last two phone numbers that called Vince’s phone can be enough to convince Carol—especially if Frank placed those last two calls himself.
2. Switch. Now that Carol has verifying information, Frank requests that Carol transfer Vince’s phone number to a new SIM that Frank holds. Carol thinks she is talking to Vince and has no reason not to comply—she’s just trying to provide good customer service to someone who she thinks is a loyal customer in need of help.
3. Distract. Usually a fraudster like Frank will try to convince customer care that the “old SIM” is damaged or lost. The point here is to create a believable story, as SIM swap fraud relies on circumventing tech protections by targeting the human vulnerabilities of customer care—in this case, Carol.
4. Control. Convinced, Carol transfers Vince’s phone number and officially associates it with the new SIM, which Frank possesses. Frank now has complete control of Vince’s wireless account—plus Vince’s phone no longer works, making it harder for him to figure out what’s going on—or stop it from happening.
5. Reset. Using his own phone with the new SIM, Frank navigates to Vince’s online banking site and follows the “forgot password” prompt to gain access to Vince’s account.
6. Exploit. Banks typically send one-time passcodes (OTPs) via text message to verify identity before allowing a password change. Frank intercepts this passcode because Vince’s number is assigned to Frank’s SIM card. He is then easily able to access Vince’s bank account.
7. Take. Once inside Vince’s bank account, Frank transfers money into his own account. Frank sometimes takes extra steps to avoid security checks, such as setting up a second bank account under Vince’s name. Large transfers would undergo less scrutiny in this case and might not trigger any alarms.
How Does ZenKey Prevent SIM Swap Fraud?
The Federal Trade Commission (FTC) provides some helpful tips on how to prevent SIM swap fraud—including using OTPs—but ZenKey sees a need for even more protection. The problem is that with traditional OTPs, a user is verified simply by having access to a phone number. Unfortunately, as we’ve learned, the person whom service providers expect to receive an OTP isn’t always the person in possession of the phone number the OTP is sent to. In other words, even though the OTP is meant for Vince, Frank has access to Vince’s number, and thus, the OTP.
But what Vince almost always still has access to is his actual phone with the embedded SIM card. ZenKey takes advantage of this by replacing traditional number-based OTPs with a device-based push message. When you use our ZenKey user confirmation function to replace traditional OTPs, your business gains higher levels of assurance and confidence that the push message was delivered to the right user—on the right device. Why? Because not only is ZenKey tied to the device and the SIM card, but our registration process also makes it extremely difficult to fraudulently replicate on a fraudster’s smartphone.
When a mobile user first sets up their ZenKey account, they are required to set up, from a range of available options, at least two recovery methods. These recovery methods will be triggered when the user needs to get into his ZenKey account on a device that is different from the one on which he registered for ZenKey. Typical recovery options include:
- Establishing an alternate trusted device
- Creating a recovery code
So, if Frank the Fraudster follows the method described above to SIM swap Vince, he will find it incredibly hard to get into Vince’s bank account as long as the bank account is protected by ZenKey. Why? Because ZenKey is device-based, and Vince still has his device. This extra layer of security means Frank would have to now install the ZenKey app on his own device, re-establish Vince’s ZenKey Identity on his own device and then use it to sign in to Vince’s bank account.
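The contrast drawn above (a code that follows the phone number versus a confirmation that follows the enrolled device) can be shown in a small simulation. The following is an added example written for this page, not ZenKey’s code, and it says nothing about how ZenKey actually binds to a device: it assumes a per-device secret enrolled at registration and an HMAC response to a server challenge as a stand-in for device binding, and all names, numbers and services in it are constructed. It replays steps 4 and 6 from the walkthrough: the carrier re-routes Vince’s number to Frank’s SIM, the SMS-based check accepts Frank, and the device-based check does not because the secret never left Vince’s phone.

```python
import hashlib
import hmac
import secrets


class Sim:
    """A SIM card: receives whatever text messages the carrier routes to it."""
    def __init__(self):
        self.inbox = []


class Device:
    """A handset holding a device secret enrolled at registration (assumption for this example)."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def respond(self, challenge):
        # Prove possession of the device secret without revealing it.
        return hmac.new(self.secret, challenge.encode(), hashlib.sha256).hexdigest()


class Carrier:
    """Maps phone numbers to SIMs; a SIM swap is just a change in this mapping."""
    def __init__(self):
        self.routing = {}

    def assign(self, number, sim):
        self.routing[number] = sim

    def route(self, number):
        return self.routing[number]


class SmsOtpService:
    """Verification tied only to a phone number: whoever holds the number gets the code."""
    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}  # phone number -> outstanding code

    def send_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.carrier.route(number).inbox.append(code)  # delivered to whichever SIM currently owns the number
        return code

    def verify(self, number, code):
        return hmac.compare_digest(self.pending.get(number, ""), code)


class DeviceBoundService:
    """Verification tied to the device enrolled at registration, independent of the phone number."""
    def __init__(self):
        self.enrolled = {}  # user id -> device secret captured at enrollment
        self.pending = {}   # user id -> outstanding challenge

    def enroll(self, user_id, device):
        self.enrolled[user_id] = device.secret

    def push_challenge(self, user_id):
        challenge = secrets.token_hex(16)
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id, response):
        expected = hmac.new(self.enrolled[user_id], self.pending[user_id].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def simulate_sim_swap():
    """Replay the number transfer and compare the two verification models (constructed scenario)."""
    carrier = Carrier()
    vince_number = "+15550000001"          # constructed
    vince_sim, frank_sim = Sim(), Sim()
    vince_device, frank_device = Device(), Device()
    carrier.assign(vince_number, vince_sim)

    sms = SmsOtpService(carrier)
    push = DeviceBoundService()
    push.enroll("vince", vince_device)     # registration happened on Vince's real phone

    # Step 4: customer care associates Vince's number with the SIM Frank holds.
    carrier.assign(vince_number, frank_sim)

    # Step 6: the bank texts a one-time passcode to Vince's number; Frank's SIM receives it.
    sms.send_code(vince_number)
    frank_passes_sms = sms.verify(vince_number, frank_sim.inbox[-1])
    vince_received_sms = len(vince_sim.inbox) > 0

    # Device-based confirmation: the challenge goes to the enrolled device, not the number.
    challenge = push.push_challenge("vince")
    frank_passes_push = push.verify("vince", frank_device.respond(challenge))
    vince_passes_push = push.verify("vince", vince_device.respond(challenge))

    return {
        "frank_passes_sms": frank_passes_sms,
        "vince_received_sms": vince_received_sms,
        "frank_passes_push": frank_passes_push,
        "vince_passes_push": vince_passes_push,
    }


if __name__ == "__main__":
    print(simulate_sim_swap())
```

The design point the simulation makes is that the SMS service never learns anything about who holds the SIM; it trusts the carrier’s routing table, which is exactly what the social-engineering call rewrote. The device-bound service keeps its own enrollment record, so a change at the carrier has no effect on it, and Frank’s only remaining route is the recovery process described above.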
In short, thanks to the recovery methods that our users are required to set up during initial registration, fraudsters will likely never succeed in getting into Vince’s ZenKey-protected accounts—no matter what their name is. That’s because, with ZenKey, both the business and its customers benefit from the decision to offer and use ZenKey as a stronger, more reliable replacement for the traditional, less secure username and password.
ABOUT THE AUTHOR
Shailendra Dhamankar is a 14-year U.S. Wireless Industry Veteran who started with T-Mobile USA. He has been working for ZenKey as a Product Lead for Trust Services since its formation. Prior to joining ZenKey, Shailendra launched and product-managed a series of data-driven businesses for T-Mobile, one of which was in the area of fraud prevention where T-Mobile data was made available with user consent for purposes of fraud prevention.