
Employees of a telecommunications operator contacted to carry out SIM swap attacks: this is who they are


In recent years, SIM swap attacks have proven highly effective. ENISA, the European Union Agency for Cybersecurity, continues to warn of their dangers and to publish concrete advice on how to avoid falling into the trap set by cyber criminals.

SIM swapping is a form of computer fraud in which a user's SIM or eSIM is fraudulently replaced with a different one under the direct control of the attacker. The attack succeeds when the attacker convinces the victim's mobile operator to transfer the victim's phone number to a new SIM that the cybercriminal holds.

Suppose that during an earlier intrusion the attacker has already obtained the correct username and password for an online account. With a SIM swap he can also intercept the codes sent via SMS for two-factor authentication, and so gain access to other users' personal areas.

We have already said that sending an SMS is comparable to sending a paper postcard: anyone can read its contents. In our opinion, anyone who uses SMS as a second factor bears responsibility in the event of a security breach. There is no more reckless practice than using traditional SMS in a two-factor authentication mechanism.

The case of the employees of a telecommunications operator contacted to facilitate SIM swap attacks

According to several reports published on Reddit and testimonies collected by colleagues at The Mobile Report, a number of employees of the well-known telecommunications operator T-Mobile have been contacted and asked to carry out SIM swaps on the numbers of unaware customers. At present, of course, there is no confirmation that any rogue employee responded to the "call". What happened is nonetheless another important alarm bell.

The messages sent by the cyber criminals offer 300 dollars for each SIM swap. The communications, addressed to the provider's employees, arrive from a variety of geographic numbers, which makes identifying the sender difficult.

In the text of their messages, the cybercriminals state that the T-Mobile employee's phone number was previously obtained from a directory. If this were true, it would mean that a list of T-Mobile employees, together with their personal data, appeared online at some point in the past, probably on some .onion site.

According to initial checks, the list used by the attackers contains information on current staff but also references to people who no longer work with the company. The database used could therefore be at least a few months old.

Contacted by The Mobile Report, T-Mobile responded: "We have not had any breaches on our systems. We continue to investigate these messages that are sent to solicit illegal activity. We know that other wireless service providers have reported receiving similar messages."

What it means for customers with mobile accounts

The news that has spread in recent hours is certainly not reassuring for mobile subscribers. It is true that in Europe the new AGCOM rules on telephone number portability aim precisely to neutralize SIM swap attacks. But there can always be disloyal employees who, to earn some extra money, give in to the "siren song" of cybercriminals.

As we have noted in many of our articles, the general rule is not to trust information received via SMS. The content of an SMS should always be treated as "untrusted", that is, not reliable.

For online services that use two-factor authentication, it is essential to check that they do not rely on SMS as the second factor. Instead, you can use OTP codes generated on a mobile device or on a desktop. Access to the various online services can be configured with Google Authenticator, Microsoft Authenticator or the excellent open source Aegis app.
