Jacked in the box!
“Simjacking” is currently a crime with few victims. But the growth of a digital-first economy will make it more prevalent unless service providers act decisively, says Rob Otto, EMEA CTO at Ping Identity.
The story from late last year of Jack Monroe, best-selling food writer and anti-poverty campaigner, who was defrauded of around £5000 (€5663), has shone a light on the insecurity of the short message service (SMS) and on simjacking.
In Monroe’s case, cyber criminals are believed to have fraudulently ported her mobile phone number onto another Subscriber Identity Module (SIM) card. This was then used in another phone to access financial accounts that were believed to have been secured by an SMS message exchange for two-factor authentication (2FA). The details of which financial accounts and which cellular network were involved in this attack have not been released, but simjacking is not new, and other high-profile victims include Jack Dorsey, CEO of Twitter, and the YouTube vloggers Shane Dawson and James Charles.
Simjacking, also called the Port-Out scam or SIM splitting, is part of a growing number of account takeover (ATO) attacks that aim to steal from victims, either through direct transfers or by purchasing goods using some form of charging account.
The scale of the problem is difficult to gauge, but the issue has clearly evolved from isolated incidents to more organised crime. In 2019, 20-year-old Joel Ortiz of Boston was sentenced to 10 years in prison for stealing more than US$5 million (€4.6 million) in cryptocurrency from around 40 victims.
Cryptocurrency accounts have proven a popular target because of their less stringent online access controls and the difficulty of tracing where the proceeds of thefts have been hidden. However, as more organisations start enabling financial transactions through SMS-based authentication methods, the issue is likely to grow.
At the root of the problem are two failures: one of procedure and the other of technology. Allowing cellular network subscribers to move easily between networks and retain their phone numbers is great for competition and is enshrined in UK law. If a customer wants to change provider, or loses or breaks their phone, they can buy a replacement and ask their mobile service provider to port their original phone number to the new phone. In this procedure, the provider will ask for some security information to make sure the subscriber is genuine before transferring the phone number to the new SIM card.
However, this identity verification step is not always carried out rigorously, as Watchdog, an investigative programme on BBC TV, found out in 2018 when it managed to trick staff in the stores of two major mobile networks into issuing new SIMs without proper ID checks. In some cases, porting of a SIM can also be carried out online by logging into the subscriber account, often with just a username and password, or from the handset with an SMS message plus a 4-digit PIN. All of these methods are far less secure than anything a bank would use to secure access to an e-banking account.
Since the Watchdog investigation, most of the UK networks have strengthened controls on requesting a Porting Authorisation Code (PAC), but the issue of accurately asserting identity remains. Based on a Freedom of Information request, the City of London Police reported 237 reports mentioning SIM swap in 2017, rising to 252 in 2018.
The other problem is technology. Although better than just a username and password, SMS as a medium is not particularly secure in comparison with the dedicated multi-factor authentication (MFA) apps that banks such as First Direct have deployed as part of their e-banking platforms.
When an authentication challenge is sent by SMS, the sender has no way of knowing whether the phone has been simjacked or whether another person is using the handset. Although smartphones increasingly have locking methods, including various biometric controls, these are all in vain if the SMS is being delivered directly to the criminal.
Dedicated secure apps with built-in MFA instead create a secure channel that, although it still uses the cellular networks, is routed to an application that is independently locked to the handset and then secured by a separate password and/or biometrics. Even if the SIM is cloned or hijacked, the app cannot be installed and activated without a validation step instigated by the bank, in most cases through identity checks carried out by a service desk agent. Lastly, these dedicated apps also check whether the phone has been tampered with (jailbroken), which might indicate that malware is trying to intercept banking credentials.
These secure apps are growing in popularity as more organisations start to realise the vulnerability of relying on SMS alone. Although these apps are slightly more expensive to deploy than SMS, they have been found to effectively eliminate the risk of simjacking.
Reducing crimes such as simjacking is just one part of a wider Customer Identity and Access Management (CIAM) push by a growing number of organisations, including retailers and banks. The aim is to securely capture and manage customer identity and profile data, and to control customer access to applications and services, not just to bolster security but also to make online transactions more frictionless and so gain customer trust and loyalty. The industry is reacting, and the CIAM market is expected to be worth $37.79 billion (€34.76 billion) by 2023.
With massive competition within the market, mobile networks and financial services operators that embrace CIAM sooner rather than later are set to attract a growing set of customers who value security as a significant service differentiator and value-added benefit.
The author is Rob Otto, EMEA CTO at Ping Identity.