Earlier this members of a “sim-swapping” gang accused of targeting the smartphones of Hollywood celebrities were arrested in a joint U.K. police and U.S. FBI investigation, as The Daily Telegraph reported. Eight arrests were made in England and Scotland. At the same time, reportedly ‘thousands’ of victims were identified.
SIM-swap fraud occurs when a criminal tricks your mobile network into transferring your phone number to a SIM card in their possession. In other cases, SIM numbers are changed directly by telecom company employees bribed by criminals.
Commenting on the practice for Digital Journal, OneSpan’s Senior Director of Product Management, Mark Crichton, explained what is behind these activities: “SIM swap attacks continue to raise serious questions about the security of SMS for use in multi-factor authentication that, in some cases, passes on the problem of securing online accounts to mobile network operators.”
Drawing on his company’s security work, he adds: “We often hear about mobile network operators being duped into swapping the phone number, which locks victims out of their online accounts and allows these bad actors to steal money, digital assets, or personal information from their victims.”
In terms of lessons to be learned from these issues, Crichton cautions: “Users should be wary about using SMS as their primary form of two-factor authentication.”
In terms of solutions, Crichton is relatively optimistic, finding that: “Many financial institutions have already started to make the switch to Mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being protected with application shielding technology, while providing banks with a stronger interface for a frictionless user experience that meets customers’ demands in this increasingly digital age.”