SIM Scam and Identity Theft

Recently, a friend of a friend fell victim to SIM Swap Fraud. This type of fraud occurs when the perpetrator uses social engineering techniques to convince your phone company, the mobile provider, to re-provision your SIM or replace it and send the new one to the perpetrator. This renders your current SIM inoperable on the cellular network, and it may take time for you to discover this, since we spend most of our time connected via Wi-Fi.

Once the SIM is under the attacker’s control, that person can then scour popular social media, email, and banking services and initiate a “password reset” or “forgot password” process. Since they have your number, they can act as if they were you by intercepting SMS-based two-factor authentication, effectively stealing your online identity.

With the stolen identity, they can scan your emails to discover other sensitive items that may assist in further solidifying their access. For financial services, they can now log in as you and begin transferring your hard-earned funds out of your accounts, effectively stealing your money and assets.

We have all heard horror stories, such as those featured in TD Stories. However, when someone that you know either directly or indirectly is affected, it really hits home, and you start asking how you can be further protected.

I have done some things in the past, such as giving out a secondary phone number managed by VOIP.ms, which was forwarded to my primary (hidden) cell phone number. However, this ultimately proved ineffective, because there is just too much additional friction for services that really do require your actual mobile phone number, such as most financial services.

I have also created an account PIN with Koodo, my mobile network provider. This is a six-digit PIN that the service representative will authenticate before performing any account changes, including a SIM re-provisioning or a port to a different carrier. Note that this is different from the SIM PIN, which just protects information on your SIM card.

After some research, I found that Koodo is now offering Port Fraud Protection. This morning I called Koodo and after about thirty minutes, I now have this protection on all of our phone numbers provided through Koodo. Your mobile provider may have a similar plan, and I highly encourage you to check it out and enrol if possible.

I also inquired about policies to prevent certain social engineering techniques while I was on the phone with the Koodo service rep. After our discussion, I can now summarize the current protection I have in place with Koodo.

I have a six-digit PIN on my service account. This means if anyone tries to impersonate me to change my account in any way, they will need to use my PIN. If they claim to have forgotten the PIN, they will need to provide a driver’s license or credit card information to validate. I am not comfortable with this, so I requested a special instruction to be added to my account. If a valid PIN is not provided, the service rep should instruct the caller (myself included) to visit the Koodo store to have the PIN reissued. This will ensure a face-to-face validation is performed with a proper photo ID check.

I also added the Koodo Port Fraud Protection, which essentially prevents anyone, including the account owner (me), from “automatically and seamlessly” porting my numbers. This will add some inconvenience if I want to port to another carrier in the future: I will have to call into Koodo and remove this protection first. It is just another step and barrier to anyone unauthorized trying to cause me harm, but for the sake of safety, I am willing to take on this minor inconvenience.

Even with all of this, the threat persists. We still rely on proper behaviour of Koodo employees who have the power to perform a SIM swap or provision. Unfortunately, this is not within my control. Therefore, we still have to be diligent in reducing our threat surface. I would recommend the following:

  • Use a two-factor authentication scheme that is not tied to your phone number. It can still be tied to your phone, such as passcodes or one-time passwords generated by an authenticator application on your phone;
  • Reduce your withdrawal limits and the credit limits of your credit cards so that they are manageable in case they are lost;
  • If you are in a position to develop a personal relationship with your banker, then you should do so. They can alert you if they notice something strange is going on. They also add a personal touch by recognizing your voice and your behaviour in addition to the institutional security policies.

Good luck in reviewing your own circumstances and I hope you learn something here to strengthen your own SIM security and reduce the SIM Swap Fraud threat.

Note: Since my parents are on Virgin Plus, I thought I would link to their policies as well.