Recently a feed came across my desk about a lawsuit filed against AT&T claiming the carrier is responsible for a SIM card security breach.
This is just the latest of several instances where SIM cards were used to perpetrate what is called SIM swap fraud. This one made the news because of who is suing: a person with deep pockets. The suit is asking for more than $220 million in damages.
It is unlikely that the suit will be successful unless AT&T is found grossly negligent. Moreover, having done work in cybersecurity, I can tell you that the blame for this type of fraud is hard to pin entirely on a single entity.
However, let us talk, for a moment, about SIM card swapping. First of all, the consumer has played a large part in creating this SIM-swapping environment by demanding a platform-agnostic phone ecosystem where phones can be swapped out easily. That led to your being able to buy any compatible, unlocked GSM smartphone, insert a SIM card, do a few dances and, voilà, you are fully connected once again. However, that convenience has created a massive opportunity for fraud.
SIM card fraud is not a new phenomenon, but it has bubbled to the surface lately due to the explosion of personal data on social media sites. It is amazing how simple it is for hackers to obtain a SIM card for a phone or account they have no access to. In many cases, all the hacker has to do is convince the typically commission-hungry sales agent at a phone store that the account is theirs.
While that may seem simple, it is not quite that easy. What I just described is the end result; getting there takes the hacker a bit more work. What makes that work easier is that many people now link a great deal of confidential data to their telephone numbers. Their telephone number therefore becomes the primary target, and the subsequent vector, for hacking their personal data.
How hackers go about this is quite interesting. There are two primary approaches. One is to target a specific person. How they choose varies but, generally, it is someone they know or have knowledge about. Once they have a target, they use a variety of methods, for example direct mail or phishing emails (we have all received some of these), to gather more personal data: legal names, relatives, birthdays and, especially, telephone number(s). What is alarming is that many people are more than willing to provide such data without any verification of who is asking.
The other approach is to scrape social media sites. Social media sites are a cornucopia of foolish users who provide intimate details as well as private and personal information about everything and anything concerning themselves, still, in spite of the latest social media carnage involving Facebook, Google and others.
Once the hacker has enough data, they simply construct a false identity, use it to request a replacement SIM card, and activate it. Once they have that SIM card, they have access to everything associated with that phone number: calls, text messages and, critically, any SMS-delivered verification codes sent to it.
However, here is where the rub lies. It would seem that all of this is extremely simple to do and that there is no guard band in place. That, of course, is not true. The MNOs do have some security measures in place. However, without a face-to-face interaction, they have to rely on customer-supplied data, which is precisely what was just stolen.
This ends up being a catch-22 in some ways. Just how much authentication should the providers require of their users? Moreover, where is the negligence threshold for the user's own level of authentication? Again, after everything that has happened around social media and Internet security breaches, millions of devices still have admin as the login and 123456 as the password.
Progress is being made, however. Things like embedded SIMs (eSIMs), International Mobile Subscriber Identity (IMSI) checks, two-factor authentication (2FA), and biometrics such as fingerprint and facial recognition are coming online. So are AI algorithms that add intelligence such as user pattern recognition, flagging a login from an unfamiliar device or location shortly after a SIM change.
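As an added illustration, not code from the column or from any carrier, here is one way a service could act on a carrier SIM-change signal before trusting an SMS code for a high-risk action. The 72-hour quarantine window, the event fields, the sample subscribers and the login history are all assumptions constructed for the example.

```python
"""Defender-side SIM-swap risk check before trusting SMS-delivered codes (hypothetical)."""
from datetime import datetime, timedelta

SIM_CHANGE_WINDOW = timedelta(hours=72)  # assumed quarantine period after an IMSI change

# Constructed sample data: carrier-side SIM events (IMSI bound to a number over time)
# and the service's own history of devices/locations seen for each number.
SIM_EVENTS = [
    {"msisdn": "+15550100", "imsi": "310150123456789", "at": datetime(2019, 1, 2, 9, 0)},
    {"msisdn": "+15550100", "imsi": "310150987654321", "at": datetime(2019, 3, 10, 14, 30)},
    {"msisdn": "+15550200", "imsi": "310150555555555", "at": datetime(2018, 6, 1, 8, 0)},
]
LOGIN_HISTORY = {
    "+15550100": [{"device": "dev-A", "geo": "US-TX"}],
    "+15550200": [{"device": "dev-B", "geo": "US-CA"}],
}


def last_sim_change(msisdn, now):
    """Timestamp of the most recent IMSI change for this number, or None.

    The first event is initial provisioning, not a change, so a number with a
    single SIM event has never been swapped.
    """
    events = sorted((e for e in SIM_EVENTS if e["msisdn"] == msisdn and e["at"] <= now),
                    key=lambda e: e["at"])
    return events[-1]["at"] if len(events) >= 2 else None


def assess_sms_otp(msisdn, device, geo, now):
    """Decide whether an SMS code may authorise a high-risk action (reset, payout).

    Returns (allow_sms, reasons). A SIM change inside the window blocks SMS
    outright: the code would be delivered to whoever holds the new SIM. A new
    device or location is recorded as an extra pattern-recognition signal.
    """
    reasons = []
    changed = last_sim_change(msisdn, now)
    if changed is not None and now - changed <= SIM_CHANGE_WINDOW:
        reasons.append("sim_changed_recently")
    known = LOGIN_HISTORY.get(msisdn, [])
    if device not in {h["device"] for h in known}:
        reasons.append("new_device")
    if geo not in {h["geo"] for h in known}:
        reasons.append("new_location")
    return "sim_changed_recently" not in reasons, reasons
```

A real deployment would pull the SIM-change signal from the carrier rather than a local list and fall back to a non-SMS factor (authenticator app, hardware key, in-person check) while the window is open.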
However, in the end, the MNOs, banks and other organizations can only do so much. While they have been lax in the past, their measures are beginning to come up to what needs to be done. Going forward, the real solution lies with the user. The word of the day is diligence. Keep your personal and private data secure. Use good security options. Ultimately, always be mindful of your critical data.