An investigation led by NCA Cyber Crime with the help of the US Secret Service, Homeland Security Investigations, the FBI and the Santa Clara California District Attorney’s Office concluded with the arrest of eight people charged with illegally gaining access to the phones of high-profile victims in the US through a technique called “SIM swapping.”
In SIM swapping attacks, criminals get ahold of a victim’s phone number and private information, allowing them to trick cellular network operators, usually over the phone, to assign the number of a new SIM card. Other techniques are used, such as social engineering or access to an insider. With control over the phone number, attackers can bypass SMS two-step authentication to compromise social media and financial accounts.
The investigation uncovered a network of criminals in the UK working together to access victims’ phone numbers and control their apps or accounts by changing the passwords.
“This enabled them to steal money, bitcoin and personal information, including contacts synced with online accounts,” said the NCA Cyber Crime officers. “They also hijacked social media accounts to post content and send messages masquerading as the victim.”
“NCA and US investigators notified individuals when they had been targeted and where possible, prior to the criminals managing to cause any damage,” they explained. “The victims were then advised on how to prevent the impending attack.”
Some of the criminals gained direct access to financial information and bank accounts, then siphoned funds. In other situations, when the criminal also compromised social network accounts, they would ask for money from known contacts.
In total, eight people have been arrested in England and Scotland.
People are not as helpless they believe in the face of such attacks. For one, people should use other types of two-factor authentication if available. SMS two-factor authentication is better than none at all, but it should be used as a last resort. In many countries, customers can also instruct the networks not to make changes involving the account over the phone. People can also set passwords for interactions with the operators, erecting yet another wall that criminals have to bypass.