A new hacking threat has emerged involving the illicit swapping of SIM cards, the plastic chips that authenticate customers on mobile networks. Criminals call users and impersonate the companies to glean personal information, which they use to hijack the chips and customer accounts, paving the way for online banking fraud and international calling theft.
The scam represents a growing threat to the global telecommunications industry, which is projected to lose $46.3 billion to fraud in 2013, or about 2 percent of total revenue, according to the Communications Fraud Control Association. Account takeovers such as SIM-card switches are one of the most common types of fraud, and may rack up $3.6 billion in losses this year, almost triple the amount in 2011, the CFCA estimates. Attackers are definitely getting more advanced,a mobile-security researcher at Gartner Inc. “It’s almost like stealing at a bank -- going right in and doing it in person. It’s very personal.”
Like fraud attempts known as phishing, the SIM card attacks start with a phone call or e-mail designed to elicit personal data from the wireless customer. The attackers do their homework in advance, researching victims’ names and addresses and creating convincing stories. Once they have extracted sensitive details, such as Social Security numbers, they call the wireless providers and request to have the victims’ SIM cards switched to new devices. The victims’ phones go dead and the hackers’ devices light up.
Scams against wireless carriers often involve stealing service for international calling, without the difficulty of establishing new accounts in victims’ names. Having access to SIM cards also lets criminals intercept security codes sent via text message for online banking and other services, making more sophisticated identity theft possible.
SIM card fraud is in its infancy and will become more prevalent as access to wireless networks expand worldwide and people use smartphones more as their primary computing devices
Distinguishing Scams
The challenge for wireless carriers is distinguishing between a legitimate SIM-card swap and a fraudulent one. Customers switch SIM cards all the time when they upgrade phones, and with the right information, a scammer can complete the process over the phone in minutes.
Keith Carter is a typical victim. The scammers who targeted the 35-year-old Atlanta resident racked up more than $2,600 in charges for calls to Cuba, Guinea and Gambia after Carter accepted a call Aug. 12 purporting to be from an AT&T representative. The caller promised him a discount on his next bill if he would answer some customer-satisfaction surveys.
The survey sounded legitimate and the caller had personal information, such as Carter’s address, so the telecommunications company manager said he didn’t think twice when the caller asked for the last four digits of his Social Security number -- the piece of information needed to access his account and switch his SIM card.
No Service
The next day, he noticed his iPhone had no service. He got a new SIM card for the phone the following day, yet the international calling continued, according to an interview with Carter and a copy of his bill. Carter plans to dispute the charges, and he said he’s looking for a new wireless provider.
AT&T said the scam affecting its network is being driven by groups selling the stolen cellular services online.
Text Alerts
In South Africa, SIM-card swaps are one of the final steps in attacks targeting the banking information of Vodacom customers. Vodacom sends text messages to all customers requiring confirmation of a SIM card swap, and these attacks are “extremely rare” in comparison to other types of fraud affecting the carrier
Spoofed Call
The caller wasn’t from AT&T and the number had been spoofed, a process where the caller routes the call through a service that makes it appear to come from somewhere else, the Sawyers said. By 10 p.m., all four phones on their family plan were dead. Hundreds of calls to different numbers in Gambia quickly appeared on their account, they said.
The sisters -- who three years ago uncovered an Internet-routing flaw in AT&T’s wireless network that was causing Facebook Inc. (FB) users on mobile phones to be directed to the wrong password-protected accounts -- began to investigate online, and discovered that they were probably the victims of a scam, and that they weren’t alone.
Filed Complaint
With the latest incident, the sisters contacted AT&T, which on Sept. 23 issued a public statement about the threat. The Sawyers say they have filed a complaint against AT&T with the FCC for failing to alert them about SIM card swaps.
Emily Edmonds, an AT&T spokeswoman, declined to comment on the sisters’ FCC complaint. She directed questions to the FCC, which didn’t return a message amid the federal government shutdown.
“It’s not right to drive by an accident where someone’s hurt, and it’s not right if your SIM card gets hacked and you don’t do something to prevent it from happening to someone else,” Mari Sawyer said in an interview.
While Mari Sawyer said she erred in giving personal information to the caller, she said AT&T should have informed her about the SIM-card change before allowing it to proceed.
“Corporate responsibility is important and it’s something that we as consumers should be able to expect,” she said. “We should expect that they want to make money but we should also expect that they’ll do it the right way.”
The scam represents a growing threat to the global telecommunications industry, which is projected to lose $46.3 billion to fraud in 2013, or about 2 percent of total revenue, according to the Communications Fraud Control Association. Account takeovers such as SIM-card switches are one of the most common types of fraud, and may rack up $3.6 billion in losses this year, almost triple the amount in 2011, the CFCA estimates. Attackers are definitely getting more advanced,a mobile-security researcher at Gartner Inc. “It’s almost like stealing at a bank -- going right in and doing it in person. It’s very personal.”
Like fraud attempts known as phishing, the SIM card attacks start with a phone call or e-mail designed to elicit personal data from the wireless customer. The attackers do their homework in advance, researching victims’ names and addresses and creating convincing stories. Once they have extracted sensitive details, such as Social Security numbers, they call the wireless providers and request to have the victims’ SIM cards switched to new devices. The victims’ phones go dead and the hackers’ devices light up.
Scams against wireless carriers often involve stealing service for international calling, without the difficulty of establishing new accounts in victims’ names. Having access to SIM cards also lets criminals intercept security codes sent via text message for online banking and other services, making more sophisticated identity theft possible.
SIM card fraud is in its infancy and will become more prevalent as access to wireless networks expand worldwide and people use smartphones more as their primary computing devices
Distinguishing Scams
The challenge for wireless carriers is distinguishing between a legitimate SIM-card swap and a fraudulent one. Customers switch SIM cards all the time when they upgrade phones, and with the right information, a scammer can complete the process over the phone in minutes.
Keith Carter is a typical victim. The scammers who targeted the 35-year-old Atlanta resident racked up more than $2,600 in charges for calls to Cuba, Guinea and Gambia after Carter accepted a call Aug. 12 purporting to be from an AT&T representative. The caller promised him a discount on his next bill if he would answer some customer-satisfaction surveys.
The survey sounded legitimate and the caller had personal information, such as Carter’s address, so the telecommunications company manager said he didn’t think twice when the caller asked for the last four digits of his Social Security number -- the piece of information needed to access his account and switch his SIM card.
No Service
The next day, he noticed his iPhone had no service. He got a new SIM card for the phone the following day, yet the international calling continued, according to an interview with Carter and a copy of his bill. Carter plans to dispute the charges, and he said he’s looking for a new wireless provider.
AT&T said the scam affecting its network is being driven by groups selling the stolen cellular services online.
Text Alerts
In South Africa, SIM-card swaps are one of the final steps in attacks targeting the banking information of Vodacom customers. Vodacom sends text messages to all customers requiring confirmation of a SIM card swap, and these attacks are “extremely rare” in comparison to other types of fraud affecting the carrier
Spoofed Call
The caller wasn’t from AT&T and the number had been spoofed, a process where the caller routes the call through a service that makes it appear to come from somewhere else, the Sawyers said. By 10 p.m., all four phones on their family plan were dead. Hundreds of calls to different numbers in Gambia quickly appeared on their account, they said.
The sisters -- who three years ago uncovered an Internet-routing flaw in AT&T’s wireless network that was causing Facebook Inc. (FB) users on mobile phones to be directed to the wrong password-protected accounts -- began to investigate online, and discovered that they were probably the victims of a scam, and that they weren’t alone.
Filed Complaint
With the latest incident, the sisters contacted AT&T, which on Sept. 23 issued a public statement about the threat. The Sawyers say they have filed a complaint against AT&T with the FCC for failing to alert them about SIM card swaps.
Emily Edmonds, an AT&T spokeswoman, declined to comment on the sisters’ FCC complaint. She directed questions to the FCC, which didn’t return a message amid the federal government shutdown.
“It’s not right to drive by an accident where someone’s hurt, and it’s not right if your SIM card gets hacked and you don’t do something to prevent it from happening to someone else,” Mari Sawyer said in an interview.
While Mari Sawyer said she erred in giving personal information to the caller, she said AT&T should have informed her about the SIM-card change before allowing it to proceed.
“Corporate responsibility is important and it’s something that we as consumers should be able to expect,” she said. “We should expect that they want to make money but we should also expect that they’ll do it the right way.”
0 comments:
Post a Comment