According to a recent news report, a San Francisco man lost $1 million — 90 percent of his life savings — in a matter of minutes when a hacker took over the victim’s mobile phone. This is just one of thousands of SIM swap scam incidents, which involve a new technique designed to access information protected by multifactor authentication.
Multifactor authentication requires a user to provide at least two types of credentials to verify the user’s identity and provide access to an account. For example, you provide a username and password but also have to enter a code that was sent to your mobile device via text. Many banking customers now have mobile numbers linked to their accounts for this purpose.
In this case, the man’s mobile phone showed a “no service” message. When he contacted his carrier, he was told there was a SIM swap request. Basically, a hacker got the carrier to activate a SIM card for the victim’s phone number on the hacker’s behalf.
Some carrier representatives can be fooled with social engineering, while others can be bribed. Phishing emails are also used to collect information about the victim so the hacker can create a false identity and trick a customer service rep into activating a SIM card on their behalf.
Once the hacker controls your SIM, they can redirect calls and text messages, steal any credentials or password reset information shared through those channels, and access your financial accounts.
The only sign that you’re a victim of a SIM swap scam comes after the fact, when your phone can no longer connect to your wireless carrier to make a call or send a text. At that point, it’s probably too late. The hacker has deactivated your SIM and your financial accounts likely have been cleaned out. The San Francisco man’s money was traded into bitcoin and immediately withdrawn.
Although SIM swap scams are more prevalent overseas, they’re on the rise in the U.S. And with more and more employees using their personal phones for work, SIM swap can affect businesses just as much as consumers. While banks have implemented protections, the best defense against these scams is a layered security approach that uses multiple controls working in concert.
For example, encrypted messaging applications make it more difficult to snoop on text messages. There are also authentication tools that verify credentials without using text messages. Of course, employees should be educated about SIM swap and have a documented process to follow if such a scam is suspected.
The ICG standard managed services plan incorporates a bundle of security services that includes firewalls, virtual security software, email protection, web filtering, antivirus and password protection. Options include multifactor authentication, incident response assistance, security awareness training and more.
In addition, servers and remote desktops are hosted in the ICG Cloud, where they are managed and protected. No data is stored locally on end-user devices. The ICG team also provides maintenance of infrastructure software and networking equipment and white glove support.
SIM swap scams can drain financial accounts in minutes and put sensitive data at risk. Let us show you how our security strategy can help prevent your environment from being compromised.