6 Takeaways from the Krebs Article on SIM Swaps

With SIM swaps receiving so much attention these days, I needed to find an antidote to the wild and erratic scaremongering of the ignorant mainstream media. Luckily, the ever-reliable Brian Krebs has written a long and thoughtful piece on SIM swaps following interviews with members of the REACT Task Force, a specialist law enforcement team that works in California and which has prioritized SIM swaps recently. You should just read the whole article by Krebs, but these are some key observations worth reiterating.

A lot of crime does not mean a lot of criminals

As common as SIM swapping has become, [REACT supervisor Sergeant Samy] Tarazi said he and other members of REACT suspect that there are only a few dozen individuals responsible for perpetrating most of these heists.

The most lucrative targets are the most obvious targets, and vice versa

SIM swapping attacks primarily target individuals who are visibly active in the cryptocurrency space. This includes people who run or work at cryptocurrency-focused companies; those who participate as speakers at public conferences centered around Blockchain and cryptocurrency technologies; and those who like to talk openly on social media about their crypto investments.

The criminals are conscious of the benefits of targeting money that cannot be traced

REACT Lieutenant John Rose said… even though a successful SIM swap often gives the perpetrator access to traditional bank accounts, the attackers seem to be mainly interested in stealing cryptocurrencies…

“…[the attackers] are predominantly interested in targeting cryptocurrencies for the ease with which these funds can be laundered through online exchanges, and because the transactions can’t be reversed.”

Fraudsters work in collusion with insiders

Caleb Tuttle, a detective with the Santa Clara County District Attorney’s office, said he has yet to encounter a single SIM swapping incident in which the perpetrator actually presented ID in person at a mobile phone store. That’s just too risky for the attackers, he said.

“I’ve talked to hundreds of victims, and I haven’t seen any cases where the suspect is going into a store to do this,” Tuttle said.

Tuttle said SIM swapping happens in one of three ways. The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company’s network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target’s existing SIM card with a new one.

“If you’re working at a mobile phone store and making $12 an hour and suddenly someone offers you $400 to do a single SIM swap, that can seem like a pretty sweet deal if you don’t also have any morals or sense of conscience.”

The cops understand the need to balance security with pragmatism

Sgt. Tarazi said a big challenge for mobile stores is balancing customer service with account security. After all, he said, customers legitimately request SIM swaps all the time — such as when a phone is lost or stolen, or when the customer upgrades to a phone that requires a SIM card of a different size.

“There are probably tens of thousands of legitimate SIM swaps a day or week, versus a couple of fake ones,” Tarazi said. “Ultimately, these attacks rely on the human element and the ability of an employee to override whatever security is in place.”

The cops also understand how to stop SIM swaps, and why corporate policies fail

Tarazi added that in many cases there’s a vast disconnect between a mobile company’s corporate offices and security policies at the local store level.

“These are multi-billion companies, and in any big company it’s fairly common that the left hand doesn’t know what the right hand is doing,” he said. “Without knowing the ins and outs of how these companies work, it’s very easy for us to say they should have two people authorizing each SIM swap. But I agree anything that makes [the criminal SIM swappers] have to show up in person to do this would ideally be the best scenario.”

Conclusions

It is refreshing to see such balanced insights from genuinely authoritative experts. They paint a very different, and much more believable, picture of the actual risk landscape than the alarmist guff spread by the King Clowns of the mainstream media. Krebs nails the real issues, and they are consistent with the findings whenever we look at the parameters for fraud: if you have many poorly paid members of staff in a privileged position, some will be tempted to make quick and easy money by assisting crime. And rather than panicking the public by suggesting everybody is under equal threat, the smart advice is to warn those with the most to lose – such as cryptocurrency traders – not to do daft things like bragging about their wealth or saving their passwords in poorly protected documents in the cloud.

The most obvious way people can protect themselves from potential losses due to SIM swaps is to refuse to use services provided by businesses that continue to rely on SMS messages for two-factor authentication or one-time passwords. This straightforward consumer protection advice would drive positive change if it were widely acted upon, but some prefer consumers to feel helpless rather than empower them to choose between the businesses that protect their interests and the businesses that cannot be bothered.

Krebs’ article is well worth reading through. So go read it!

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.