Earlier this month, a California man named Joel Ortiz accepted a plea bargain in Santa Clara county for stealing more than $5 million in cryptocurrency using SIM hijacking.
Ortiz belongs to the hacker breed that takes over online accounts by hijacking mobile numbers of their victims. They first lock users out from their own payment wallets, e-commerce and social media accounts (where the mobile number was used for login or two-factor authentication).Read more ↓
They, then, approach them with a demand for ransom—to be paid in cryptocurrencies—with the threat of selling their account and other valuable credentials linked to it like credit card details on the internet.
The less-organized hackers will use the access to immediately draw off money from the target’s bank account or wallet.
“Once in possession of user information such as date of birth, address, Aadhaar card number, bank details or answers to security questions, hijackers can carry out fund transfers, shop online exuberantly and execute identity thefts,” cautions Venkat Krishnapur, vice-president of engineering and managing director, McAfee India.
Hackers hijack SIM connections in three ways. The most prevalent one is called “SIM swapping over a call”. In this case, they first gather information on targets—their full name, address, mobile number, date of birth, passcode or Aadhaar number — through phishing scams or leaked databases found on the dark web (that portion of the web that is not traceable by search engines).
Then they will call the target, pretending to be a customer care executive from the operator, in the name of upgrading to new services. They will ask the target to share their SIM card’s ICCID (integrated circuit card identifier) number—a 19-20 digit serial number specific to the SIM.
Once they have the details, they will call the operator, impersonating the actual user and use this information to pose as the user.
Once the SIM swap request is initiated, the operator sends an SMS for authentication and users have to acknowledge it by tapping a single key or a bunch. The hacker will tell users in advance about this SMS so the latter easily falls for it.
According to reports, a Pune man lost ₹93,000 in a SIM swap scam in November. In June, a Kolkata-based woman reportedly fell for a similar hoax call and had ₹70,000 swiped from her bank account within a few hours. Once the SIM swap is complete, the original SIM will be deactivated and the number will be active on the duplicate SIM owned by the hacker.
The second method is “SIM swapping in person” and is likely to be used by small-time cybercriminals. In this case an impostor will visit an operator’s retail outlet with fake documents pretending to be the actual customer and try to get a duplicate SIM card issued.
Another way to take control over a person’s mobile number is through SIM cloning, but that requires the hacker to have physical access to the SIM card to break the encryption keys and extract the IMSI (international mobile subscriber identity) number—a unique 15 digit code that identifies the SIM to the GSM (global system for mobile communications) network. Unlike SIM swapping, in this case both the original SIM and cloned SIM remain active simultaneously.
Cybercriminals are smart enough to understand that stealing passwords is not enough to access banking and social media accounts with the rapid adoption of two-factor authentication.
Hence, SIM hijacking provides them a platform to surpass this verification process, points out Sanjay Katkar, joint managing director and chief technology officer at Quick Heal Technologies Ltd.
SIM hijacking has recently become particularly popular because mobile numbers are being used by various applications, including popular social media platforms, as an identifier, and to enable account recovery and second factor of authentication via SMS confirmation, notes Dionisio Zumerle, senior director analyst at Gartner.
“Therefore an attacker who successfully swaps the SIM card is able to take over an account that uses that phone number as an identifier and as an SMS recipient for the second factor of authentication,” he explains.