I am speaking at a conference in one of my favorite cities (okay, it’s Chicago) and I was having dinner at the bar when the patron next to me asked me what I do for a living. I am a friendly sort of person and like to meet new people, so I told her what I do and she asked me for three cybersecurity tips. I started with my first one, which is about online banking. After a brief explanation, she commented that I am very scary. No, I am not scary—bad guys and gals make my profession scary.
This Privacy Tip is a bit scary, but it’s not my fault.
Security professionals are all about multi-factor authentication and I am a believer as well. Multi-factor authentication adds a second level of authentication to prove that you are actually you and not some hacker pretending to be you. Most companies implement multi-factor authentication for consumers to get into sensitive accounts, such as bank accounts, mobile telephone accounts, and other financial accounts where fraud can occur, and organizations use it for employees to get access to company information. Many companies use customers’ or employees’ mobile telephone numbers for the second factor and send a text message with a code that must be entered to get into the account. The thinking is that you are the only one with access to your mobile phone, so if you have the code it must really be you, and you can be trusted and given access.
Well, criminals will continue to come up with ways around security measures, and they have done so with the use of mobile phone numbers as the second authentication factor.
The fraud is the SIM card swap. Several individuals were arrested recently for using the SIM card swap fraud to steal millions of dollars of cryptocurrency, including one individual who lost over $24 million from a SIM card swap.
Here’s how it works: every cell phone has a SIM card, the small chip that ties the phone to your mobile number and makes it work on the network. That SIM card can be popped into any compatible phone, so when you buy a new phone, the SIM card is swapped into the new phone so you can use it. A SIM card swap happens when the SIM card for your phone is taken and put into someone else’s phone, and now your phone is hijacked.
Okay, it can’t be done online. But it is done more frequently than you think—with the help of employees at the mobile telephone stores who are paid by the fraudsters to swap the SIM cards.
How do you know if your SIM card has been swapped? Your phone goes dead. And now the criminal has your mobile phone number, which has been linked to your bank account, your employer’s VPN, your social media accounts, your music and video accounts, etc., and can change all of the passwords and credentials linked to the mobile phone number.
Three tips to prevent SIM card swapping or limit its risk: 1) don’t let the employee at the mobile telephone store have access to your SIM card outside of your presence, and witness the swap in person; 2) protect your mobile account from SIM card swapping by activating a personal identification number (PIN) with your mobile telephone provider; and 3) don’t attach your mobile telephone number to high-risk accounts.
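The hijack sequence described above (number moves to a stranger's phone, then the texted codes let them reset credentials) is also something the account provider can watch for. The following is an added example, not code from the original post or from any carrier or bank: it assumes the provider receives carrier-reported SIM change events for a customer's number (the event names and the 72-hour window are assumptions), flags SMS-verified logins and resets that closely follow such a change, and refuses to trust a texted code as the second factor until the window has passed, which is the service-side counterpart of tip 3.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy value: how long after a SIM change the number is distrusted as a factor.
SIM_SWAP_WINDOW = timedelta(hours=72)
# Actions authorised only by a code texted to the phone number.
SMS_VERIFIED_ACTIONS = {"sms_otp_login", "sms_otp_password_reset"}


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str  # "sim_change" (carrier-reported) or one of SMS_VERIFIED_ACTIONS


def last_sim_change(events: List[Event], account: str, before: datetime) -> Optional[datetime]:
    """Most recent carrier-reported SIM change for the account's number at or before `before`."""
    changes = [e.ts for e in events
               if e.account == account and e.kind == "sim_change" and e.ts <= before]
    return max(changes) if changes else None


def sim_swap_alerts(events: List[Event]) -> List[str]:
    """Detection: a SIM change alone is normal (a new phone), but an SMS-verified
    login or reset soon afterwards matches the hijack sequence in the post."""
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind not in SMS_VERIFIED_ACTIONS:
            continue
        swapped = last_sim_change(events, e.account, e.ts)
        if swapped is not None and e.ts - swapped <= SIM_SWAP_WINDOW:
            alerts.append(f"{e.account}: {e.kind} {e.ts - swapped} after SIM change")
    return alerts


def sms_factor_trusted(events: List[Event], account: str, now: datetime) -> bool:
    """Mitigation: do not accept a texted code as the second factor while the
    number's SIM changed recently; require a different factor instead."""
    swapped = last_sim_change(events, account, now)
    return swapped is None or now - swapped > SIM_SWAP_WINDOW


# Constructed sample log, not real data.
T = datetime(2019, 5, 10, 14, 0)
SAMPLE_EVENTS = [
    Event(T, "alice", "sim_change"),
    Event(T + timedelta(minutes=20), "alice", "sms_otp_login"),
    Event(T + timedelta(minutes=25), "alice", "sms_otp_password_reset"),
    Event(T - timedelta(days=39), "bob", "sim_change"),  # old change: a real new phone
    Event(T, "bob", "sms_otp_login"),
    Event(T, "carol", "sms_otp_password_reset"),  # no SIM change on record
]
```

Only alice's two SMS-verified actions are flagged; bob's month-old SIM change and carol's reset with no change on record pass.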
Scary, but better to be armed with solutions than be a victim.