Wireless carriers need to make changes to combat SIM-card fraud

Process of switching SIM cards creates vulnerabilities, according to experts


U.S. carriers will need to adjust security tactics soon to combat an emerging threat in which criminals hijack SIM cards used to authenticate mobile phone customers on wireless networks, experts say.

[Social media, mobile phones top attack targets]

The fraud starts with criminals calling a carrier's customer and tricking him into divulging personal information. The data is then used to fool the company into deactivating the subscriber's SIM card and reopening the account on the fraudster's phone.

The trick is unusual because it takes advantage of a weakness in the process carriers use for switching SIM cards. Many carriers do not use a second form of authentication, such as requiring an email confirmation before making a SIM-card switch over the phone or online.

Until changes are made, SIM-card fraud will be a "continuing threat," Lawrence Pingree, analyst for Gartner, said Monday.

"It really boils down to whether or not cellular carriers change their tactics," Pingree said, noting that the scam is "more of a business process security exploit."

U.S. carriers that have been affected by such scams include AT&T, according to Bloomberg.

AT&T did not respond to a request for comment.

To fool victims, the crooks do their homework and usually have enough personal information, such as the person's name and address, to come off as legitimate.

If the conmen are successful in getting the last four digits of a person's social security, which is often used for authentication, they then call the wireless carrier and request the SIM card switch. Such swaps are a common practice in activating new phones.

The majority of people in the U.S. do not use their mobile phones for banking or other forms of commerce, so SIM-card fraud to date has only been used to make international calls.

Because such calls are not very profitable, experts believe fraudsters are currently experimenting with techniques that have been used in Europe and Africa to crack online banking accounts.

"I very much get the feeling that these are guys who are importing a fraud technique and trying to adapt it to the U.S. to see how they can make money," Marc Rogers, principal security researcher for Lookout, said.

Outside the U.S., SIM-card fraud has been used to intercept the one-time personal identification number (PIN) banks often send via SMS to customers for logging into online accounts or making money transfers. In such cases, criminals already have the victim's user name and password, often bought in an underground marketplace. Banks use the PIN as a second form of authentication.

In general, SIM-card fraud is in its infancy and it's use is expected to evolve where a hijacked card could be used, for example, in sending texts to premium rate numbers or breaking into online accounts other than banking, Rogers said.

"The bad guys are constantly adapting," he said. "They're always trying new things."

[Seductive technology: What are its implications for data security?]

The worldwide communications industry is projected to lose $46.3 billion from fraud this year, roughly 2 percent of global revenue, according to the Communications Fraud Control Association. Taking over phone accounts is one of the top five frauds and is expected to cost carriers $3.6 billion this year.

To combat criminals, carriers have to become more flexible and be ready to adjust tactics as attackers change theirs. "Security is the art of war," Pingree said.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)