How the SIM Swap Fraud Works
Florence the Fraudster wants to go on a shopping spree, but she is short on cash. Her plan: a simple SIM swap to get control of a device where she can then access payment apps to start making some card-not-present (CNP) purchases.
Her first step is the SIM swap itself. She visits her favorite dark web sites and purchases the name, address, and phone number of a good consumer, Natalie the Normal. The next step is a little social media trolling, learning everything she can about Natalie, who likes windsurfing and lives in Myrtle Beach, South Carolina.
Florence then calls the contact center for the phone carrier, ready to social engineer her way into a SIM swap.
“My phone fell out of my pocket,” she explains, “while on the chair lift. In the middle of the mountain. It’s buried under six feet of snow, I’m sure. I won’t be able to find it until Spring.”
While the contact center agent offered sympathetic sighs, he refused to continue helping Florence when she failed to provide Natalie’s mother’s maiden name.
After a little more social media sleuthing, Florence saw that Natalie recently attended the Martin Family Reunion. Mother’s maiden name? Check.
Florence calls back, gets a different contact center agent, and she gets through the verification process without a hitch. She convinces the contact center to port the number to her new device.
Natalie had electronic payment apps on her phone. Florence’s first step is logging into a free email service and creating a new email account: NatalieWindsurfs12321@gmail.com. Florence then clicks on the “forgot username” link, and she is sent an SMS one-time password to the phone she’s taken over. Once she verifies the phone number, she changes the account email address to the new one she created and resets the password.
And now the fun begins. Florence uses linked credit cards to make large purchases and have them shipped to her neighbor’s house. As soon as the packages are shipped, she’ll log into the shipper’s site to change the address to her own.
Florence also transfers money from Natalie’s bank account to a new account she created just for this purpose. She walks to the bank, withdraws her funds, cancels the account, and walks away with cash in her pocket and a shopping spree in her future.
How to Identify a Potentially Malicious SIM Swap
SIM swap schemes are becoming more and more popular, and stopping them can be rather difficult, especially when phone carriers don’t want to cause extra friction for those good customers who really did drop their phones off a chair lift into six feet of snow.
iovation has tools to help prevent SIM swaps through alternative authentication and verification solutions.
- Push notifications: Leverage a multi-factor authentication tool like iovation’s LaunchKey to send a push authorization to the existing device, asking its owner whether or not they verify the request from a new device. If the authorization comes back as “no” then you know that the person trying to port the number is a scammer.
- Device reputation: Run a quick verification test with FraudForce device reputation to determine if the “new” device is a known device with a history of legitimate use, or if it has been used in the past for any type of fraud. Check on any brand new devices attempting to access existing accounts with device age and new account rules, and identify a potential geolocation mismatch when you compare the original phone network location and the phone’s current location. Odd velocity patterns or anomalous behaviors on the new device may also indicate something questionable is happening, as would the use of a proxy or mobile emulator.
- Email verification: Verify the validity of the email address and look for other anomalous behavior patterns across the network. If an email address is created on the same day that a phone number is ported to a new device, or if a disposable email address is used, that may also indicate something suspicious is happening.
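The signals in the list above can be combined into a simple rule check. The following is an added example, not iovation's code or API; the `ChangeRequest` fields, the thresholds, the decision policy and the sample values are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed placeholder list; a real check would use a maintained feed.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}

@dataclass
class ChangeRequest:
    """Hypothetical event: email change on an account after an SMS one-time password."""
    number_ported_on: Optional[date]  # date the carrier moved the number, if known
    email_created_on: Optional[date]  # creation date of the new email address
    new_email: str
    device_first_seen: date           # first time this device was ever observed
    request_date: date
    carrier_region: str               # original phone network location
    device_region: str                # device's current location
    via_proxy_or_emulator: bool
    push_response: Optional[str]      # "yes"/"no" from the existing device, None if unanswered

def evaluate(req: ChangeRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) from the signals in the list above."""
    if req.push_response == "no":
        return "deny", ["existing device rejected the request"]
    reasons = []
    if req.number_ported_on and req.email_created_on == req.number_ported_on:
        reasons.append("email created on the port date")
    if req.new_email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        reasons.append("disposable email domain")
    if req.request_date - req.device_first_seen < timedelta(days=1):  # assumed threshold
        reasons.append("brand-new device")
    if req.carrier_region != req.device_region:
        reasons.append("geolocation mismatch")
    if req.via_proxy_or_emulator:
        reasons.append("proxy or emulator")
    # Assumed policy: two or more independent signals trigger extra verification.
    return ("step_up" if len(reasons) >= 2 else "allow"), reasons

# Constructed sample modelled on the scenario above (all values invented).
SAMPLE = ChangeRequest(
    number_ported_on=date(2024, 1, 10), email_created_on=date(2024, 1, 10),
    new_email="natalie.sample@freemail.example", device_first_seen=date(2024, 1, 10),
    request_date=date(2024, 1, 10), carrier_region="US-SC", device_region="US-CO",
    via_proxy_or_emulator=False, push_response=None)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

A single signal on its own returns "allow" here, which keeps friction low for a customer who really did lose a phone and is only using a new device.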