Security News
Following cross-border investigations, Europol announced on Friday that it has arrested more than two dozen people suspected of draining bank accounts by hijacking victims' phone numbers via SIM-swap fraud. As we've explained, SIM swaps work because phone numbers are actually tied to the phone's SIM card - in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.
Europol, along with the Spanish and the Romanian national police, has arrested 26 individuals in connection with the theft of over €3.5 million by hijacking people's phone numbers via SIM swapping attacks. The law enforcement agencies arrested 12 and 14 people in Spain and Romania, respectively, as part of a joint operation against two different groups of SIM swappers, Europol said.
European authorities managed to crack down on two cybercrime gangs responsible for stealing millions by employing SIM hijacking. To perform SIM hijacking, hackers trick the victim's wireless operator into swapping the mobile phone number to a SIM card the attackers control.
SIM swapping typically involves crooks tricking cellular network support staff into transferring victims' smartphone numbers to the criminals' own SIMs, and then using those numbers to reset passwords, or get two-factor authentication tokens, via text messages, and ultimately access and drain cryptocoin accounts. Admins using Cisco gear in their networks will want to head over to Switchzilla's security portal and check for applicable updates among the latest batch of 28 patches.
SIM hijacking - or SIM swapping - is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Sometimes this involves people inside the phone companies.
Mobile carriers have left the door wide open to SIM-swap attacks, particularly when it comes to prepaid accounts, researchers have found. According to PhishLabs, a typical attack would start with an attacker phishing personal and banking information - often via SMS phishing, which has the added benefit of confirming that a victim's cell phone number is an active line.
Five major U.S. prepaid wireless carriers - AT&T, T-Mobile, Verizon, Tracfone and US Mobile - are using poor account authentication procedures and techniques that leave their customers open to SIM swapping attacks, according to researchers at Princeton University. Their report, "An Empirical Study of Wireless Carrier Authentication for SIM Swaps," also examined 145 websites, including social media platforms, email providers and cryptocurrency exchanges, which use phone-based authentication to identify a user's identity.
Weak security measures in place at several major wireless carriers in the United States make it easy for attackers to perform SIM swap attacks on prepaid mobile accounts, a recent study found. In a SIM swapping attack, social engineering is used to convince a wireless services provider to hand over control of the victim's phone number by modifying the SIM card attached to the phone and mobile account.
Four Princeton University eggheads have published a report showing that the five major US mobile carriers implement weak authentication techniques, leaving customers vulnerable to SIM-swapping attacks that transfer victims' phone numbers to devices controlled by scammers. In a paper [PDF] titled, "An Empirical Study of Wireless Carrier Authentication for SIM Swaps," Kevin Lee, Ben Kaiser, Jonathan Mayer, and Arvind Narayanan looked at how AT&T, T-Mobile US, Tracfone, US Mobile, and Verizon Wireless handle requests to change the SIM card associated with mobile phone numbers.