The New York Times reports that identity thieves are increasingly using ‘SIM swap’ phone account takeovers in order to access the electronic wallets of individuals known to possess large amounts of cryptocurrency. Having taken control of a phone number, the criminals can then gain access to the victim’s online accounts by instigating password resets which rely on sending details to the victim’s phone. People who deal in cryptocurrency can be identified by information they share on social networks, and are at risk because they may hold large amounts in online accounts which are relatively easy to take over. Huge sums of money can potentially be transferred in an instant, and the dangers are heightened by the fact that cryptocurrency transactions cannot be reversed.
Per the NYT, organized criminals have systematically targeted their victims:
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.
Mr. Weeks lost his phone number and about a million dollars’ worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.
The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists.
To my mind, this further demonstrates why the anti-fraud teams in telcos need to measure the losses suffered by customers as well as the losses suffered by the business. Though the additional security burden may increase some of the telcos’ costs, it is good for them to be associated with confirming the identity of every individual. SMS messages for one time passwords may not be a huge source of additional revenues, but telcos will benefit if everybody in society increasingly relies upon devices connected to our networks.
If the phone is a hub for many aspects of a person’s life then telcos have superior opportunities to provide products and services built upon our unique knowledge of the customer. That opportunity will be jeopardized if customers need to switch to alternative methods to authenticate themselves that lie beyond the visibility of the telco. Whatever the objectives of the criminals, SIM swapping will always be blamed on telcos who make it too easy for imposters to take control of somebody else’s phone number. This is a weakness that telcos need to address, even if we will never suffer the losses directly.
I have dealt with this type of fraud in the past and it also goes back to customers being Phished. There are a number of steps in the process which allows the fraudster to carry out the fraud, ultimately it will lead to a sim swap but if the Phishing emails are thorough enough and depending on the online services offered by Telcos, a sim swap may occur without ever getting to a ‘weak’ call centre agent. Although, Social Engineering has its part to play in this also. Banks have pushed the blame to Telcos and in some cases to Customers for not taking the proper precautions when responding to the phishing emails.