While phishing attacks remain one of the most prevalent attack methods for cybercriminals, new threats continue to emerge.  As mobile devices become more ubiquitous, fraud utilizing these devices will only continue to rise. RSA, one of the largest cybersecurity companies in the world, recently found that 60% of fraud originates from mobile devices.  And while 80% of mobile fraud comes from downloaded apps, an even more pernicious scam has emerged.

Nine individuals, eight of whom live throughout the U.S. and one of whom lives in Ireland, were recently charged with online identity theft and other related charges.  “The Community,” as the group is known, is alleged to have committed identity theft through a tactic called “SIM Hijacking.” The group used two methods to gain control of the victims’ phone numbers: they bribed mobile phone providers’ employees to obtain a copy of the victim’s SIM card, or they called the providers posing as the victim of phone theft and requested that the victim’s phone number be swapped to a different SIM card.

Once in possession of a SIM card controlling the victim’s phone number, the Community was able to route calls and SMS text messages to devices the Community controlled.  The Community would then gain control of online email, cloud storage, and cryptocurrency accounts, often using the victims’ phone numbers to reset passwords or bypass two-factor authentication.

According to the recent indictments, the Community conducted at least seven attacks that resulted in the theft of over $2 million in cryptocurrency.

How Can You Prevent This from Happening to You?

  1. Use a SIM PIN – A SIM PIN is one of the most effective ways to protect your SIM card if cybercriminals have physical access to your lost or stolen phone. A SIM PIN prompt appears anytime the phone is restarted or whenever the SIM card is inserted into a new phone.
  2. Use an Authenticator App – Apps such as Authy, Google Authenticator, 1Password and others generate a six-digit code within the app itself, eliminating the need for codes sent by text message. Use an authenticator app with every provider that allows it. Many financial institutions do not allow the use of authenticator apps, in which case email authentication is the best choice.
  3. Use a PIN for Your Mobile Provider Account – Mobile providers typically allow you to create a PIN for use when you want to access your account.  If a SIM scammer does not know your mobile provider account PIN, the provider should not provide the scammer with any account information.

The BLACKCLOAK Team is here to provide the advice and guidance you need to protect your phone and SIM cards.  Let us know how we can help.