FBI notices sharp increase in SIM-swapping attacks leading to over $68 million of damages...

Humza

The big picture: In a public service announcement, the FBI revealed an alarming increase in SIM-swapping-related crime, causing over $68 million in losses to the US public in 2021. As more consumers tie access to, and recovery of, their online accounts to a phone number used as a second factor, attackers get around that added security measure by fraudulently having the number moved to another SIM registered in the user's name, diverting calls, recovery texts and one-time passcodes to a device of their choice. In addition to using stronger 2FA methods like authenticator apps and physical security tokens, the FBI's advisory recommends that people avoid sharing personal and financial details on social media sites and forums.

One indicator of the rapid increase in SIM-swapping attacks is the number of related complaints the FBI received last year. Between January 2018 and December 2020, a total of 320 such complaints were filed, accounting for losses of $12 million. In 2021 alone, that figure rose sharply to $68 million across 1,611 SIM-swapping complaints.

Although SMS-based 2FA adds an extra layer of security to an account, the approach has long been considered risky because mobile carriers can still be tricked into moving a user's phone number to a SIM card of the attacker's choice, whether through malware or through impersonation of the customer.

A SIM-swap victim might also bring it upon themselves by advertising their financial assets on social media and public forums, which, as the FBI's advisory notes, includes talking about cryptocurrency holdings.

Of course, users can always do a better job of picking passwords (and of using a password manager), as well as adopting stronger 2FA methods that aren't SMS-based. App-based authenticators that generate codes, or code-less implementations like Google's, have been shown to boost account protection.

Moreover, the FBI also recommends that mobile carriers educate and train employees on SIM swapping, and deploy stricter measures to verify that customer requests to move a number to a new device are genuine.


 
I truly applaud apple for not bowing down to any app-maker or government which would allow them to compromise my security and privacy.

I enjoy having the biometric / password/ pin based access to my password manager - as well as my device and having phone number combined with biometrics and pin as a recall strategy.

I can honestly say I personally haven't been hacked or suffered identity theft.

Unfortunately, if someone has access to your physical device, all bets are off.
 
When almost anyone can set up a fake MVNO service from anywhere on Earth, the burden of protecting customers is on the carriers, NOT the end-user. 2FA doesn't do a damn thing to stop SIM-spoofers from redirecting your service.
 
I truly applaud apple for not bowing down to any app-maker or government which would allow them to compromise my security and privacy.

I enjoy having the biometric / password/ pin based access to my password manager - as well as my device and having phone number combined with biometrics and pin as a recall strategy.

I can honestly say I personally haven't been hacked or suffered identity theft.

Unfortunately, if someone has access to your physical device, all bets are off.
You missed the entire point of this article.

The vulnerability is your wireless carrier moving your phone number to a different SIM (i.e., phone) than the one you own.

Apple vs Android has *nothing* to do with it.
 
There were just 1600 complaints for the entire United States, though who knows how many attacks were actually executed (I'd guess 5x or 10x more). I'd still say that's a small problem until we get to 10k+ complaints. This looks like child's play compared to ransomware.
 
I truly applaud apple for not bowing down to any app-maker or government which would allow them to compromise my security and privacy.

I enjoy having the biometric / password/ pin based access to my password manager - as well as my device and having phone number combined with biometrics and pin as a recall strategy.

I can honestly say I personally haven't been hacked or suffered identity theft.
Congratulations on not being interesting enough to be a priority target and/or deluded enough to think you'd know. Read any of the NSO Pegasus reports for a publicly known example of an attack against your Apple phone for which you had no defense and no obvious warning sign you've been compromised. And you've got to assume that for every one that comes to light, there's dozens more that crooks and spies and police are keeping for themselves.

As others mentioned you'd also have little defense against another SIM being issued for your phone number by a telco employee who was tricked or paid. (Why aren't they at least required to try and ping any existing SIMs for the same account with a notification of an incoming new one?)

I do agree that I think Apple cares and tries to protect you where it can. Increasingly though I think the deck is stacked in favor of the attackers, particularly the sophisticated ones (ie governments) who are hunting specific small groups and taking pains for there to be no visible signs of them having done so.
 
Probably best for everyone to check with their cell phone carrier to see what security features can be turned on to prevent this attack. A couple years back I found info about the "noport" feature that could be turned on for T-Mobile, basically once it was turned on, it supposedly needs to have you go to a T-Mobile store to confirm your identity to remove it. Hopefully it's stayed on like that over the years. I'd imagine (hope) that other carriers have a similar security option available.
 
One of many reasons I don't use a cellphone for more than calls and light texting. I don't like 2FA in general, it's a PITA and when I'm forced, I use email or LAN phone - anything outside of my cell.

The number of people these days doing everything on their phone is insane to me. Especially those that use only debit cards. I have NEVER viewed cell phones to be a secure device. One little mistake and you get owned. I don't ever have that problem on my PC!
 
One of many reasons I don't use a cellphone for more than calls and light texting. I don't like 2FA in general, it's a PITA and when I'm forced, I use email or LAN phone - anything outside of my cell.

The number of people these days doing everything on their phone is insane to me. Especially those that use only debit cards. I have NEVER viewed cell phones to be a secure device. One little mistake and you get owned. I don't ever have that problem on my PC!

I never thought deep into it like that. Makes sense since whatever you can do on a desktop PC you can fully do on cell phones. Be it my job, friends, family and customers. I notice more people using their phones for a wide range of things. My family uses their phones to even do taxes!

I notice that muggers seem to always grab your wallet and phone and mugging someone they don't wanna carry your desktop PC away ;-) Being serious these fast-paced people just don't care or really think about it. They are the easy vulnerable ones as well.
 
I truly applaud apple for not bowing down to any app-maker or government which would allow them to compromise my security and privacy.

I enjoy having the biometric / password/ pin based access to my password manager - as well as my device and having phone number combined with biometrics and pin as a recall strategy.

I can honestly say I personally haven't been hacked or suffered identity theft.

Unfortunately, if someone has access to your physical device, all bets are off.
Enable SIM PIN security
 
This is what happens when your entire process of getting a sim is without any kind of security. We in India can't even buy a new sim / connection without first getting confirmation of one's biometric ID as per their records. You can't change the linked phone number with any bank or financial service provider without first confirming this request on the original number. We have no such thing as stupid burner phones used essentially by mafia, terrorists and scamsters. We have no way of hiding caller ID. What is so difficult about carrying a credit / debit card for use at POS? BTW I have disabled "Tap and Pay" functionalities on ALL my credit and debit cards. These are all "Chip & Pin" type cards. I get details by email for each and every transaction. I also get a text message for the transaction AND for any request for change in contact / linked number. My bank account linked phone never leaves home. I need it only for online transactions that I do from my desktop. I have ZERO banking or other payment apps on my phone. Are people just so plain dumb that they get scammed so easily?
 
I do wonder about these attacks - normally this relies on a social hack of someone's carrier.

For it to work on me - you need to convince my carrier and my bank - to 1 divert number to new Sim. Plus that new phone to be registered by the bank.

Now someone could say phone is broken - but surely a carrier can see it pinging or call it.
If said stolen - why shouldn't carrier still be required to phone it.

Anyway treat your phone like cash, same as your visa card - don't leave it lying around unlocked etc

Still better than those with no 2FA
Another bank of mine does not have 2FA - as default - but when I do a large transfer - it will do another of my security questions, think it may text me sometimes in that situation (but it's not required to log in, or small transfers)

Banks here in NZ - may even put an international transfer on hold - until they phone and speak to you - never happened to me - but read stories of people complaining about being scammed again and again and again to their imaginary lover - yet the bank kept telling them 5 payments back it was a 100% scam
 
Phone numbers were NEVER meant to be a means of identity verification, that's the thing. Phone companies are not the police either.

Use authenticator apps for 2FA, whenever possible.
 
I don't think phones have a firewall. Also, it's about time they implemented the credit card chips for websites. Square sells such a device for $30. Any rogue website gets your credit card # & all bets are off.
 