Sim-swap fraud question

Discussion in 'mobile device security' started by empleat, Oct 19, 2020.

  1. empleat

    empleat Registered Member

    Joined:
    Oct 19, 2020
    Posts:
    4
    Location:
    Czech Republic
    Hey,
    not sure where to post this question...
    I was just thinking, you know there is sim-swap fraud, where hacker creates new sim card with your number at operator. Do you know what would be next level? If attacker said, he lost phone and created new sim-card. Than he would say: he found it and re-activated old sim-card, after he got what he needed... That way, victim didn't have to notice, that he/she lost a service!

    I don't know whether, or not this is possible. I read couple articles about sim-swap fraud and never read about it. So once new sim is created, older one cannot be activated maybe. Anyone knows how is ito_O

    Thanks!
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm sorry but I don't understand. From what I understood, in a SIM swapping attack, a hacker convinces the mobile phone provider to put your number on a new SIM card. So now the hacker is in control of your number and can bypass 2FA if he also knows your passwords. However, a smart mobile phone provider will first send a SMS to verify if the hackers actually owns the mobile phone.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    As mentioned above; the better providers will send texts and emails to all KNOWN contact points/phones on the existing cell phone account first. If they all demanded a 24 hour period BEFORE the swap that would protect against 99% + of these sim swaps. So in my case there would be a pile of phones and email accounts getting notified of an attempted sim swap. It would be a few short minutes before I would bring that scam to a halt!
     
  4. empleat

    empleat Registered Member

    Joined:
    Oct 19, 2020
    Posts:
    4
    Location:
    Czech Republic
    That's good to know, i will ask my operator, if they do that. It was irritating me, because even if you are not a high profile target, it can happen to anyone. What if he said: he lost a phone, would they would send sms anyways? I guess they would anyway, but dunno.

    Yeah unless hacker would use 2FA to hack your email account and delete message. If forget to check email once per 24 hours... But that would be a good idea and help in most cases i think. But if my operator doesn't do that and doesn't send notification about that. Is it possible once you make a new sim, to ask to reactivate an old one? And return a new one, say: you don't want to pay for it and re-activate old one. It is little bit ridiculous tho, not sure, if that is possible.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Wouldn't work. I have six phones on my account and ALL of them get an instant text on ANY sim swap. 2FA hack isn't going to get anyone inside my email because I use true U2F to open all of my email accounts.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes good point, seems like I didn't think this thru. But I hate having to use my smartphone for 2FA, it's ridiculous that so many websites are still using SMS for 2FA, while everyone knows that SIM swapping is a serious threat. A better solution would be 2FA being performed by the device itself, but then it's not "pure" 2FA, see link. But it would at least tackle the SIM swapping problem.

    https://www.pcworld.com/article/322...wo-factor-authentication-from-your-phone.html
     
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    It's not about the phone but card, so forget phone stealing that would put you on alert immediately, one possible option is that you do get drunk and wake up after a day with lost phone and teeth

    I just read a very detailed and long report about the phenomenon twice (it was a good read), so two sim cards cannot work together at the same time.

    A new card is cloned. Physical access to card is not needed but is super useful of course. Ergo not always stealing, sb you trust can ask you to borrow phone or very likely sb with your data and documents goes to the mobile phone company store and makes a new card on your name. "Legally" and "officially" so to speak. This the main thing. Not stealing of phone but identity theft. And, after cloning the hacker doesn't need victim approval to take small amounts of money periodically to stay under the radar from you, from bank sec systems etc

    Not a problem for most:
    A victim can take notice of his card not working. The problem is on the rise but in real confirmed cases I read about, the bank worker called the victim to let him know something is not right and alot of ppl didn't loose any money. But it's on the rise so it's very likely profitable, but very likely won't happen if the bank is any good and you check on your stuff and if the card seller is not an idiot. The bank also blocks any suspicious IPs with tons of false positive and using artificial intelligence to monitor weird behaviours. But lots of banks suck as well as many ppl don't cope well with certain things so it's factually super profitable for crooks
     
    Last edited: Nov 4, 2020
  8. wildlights

    wildlights Registered Member

    Joined:
    Nov 21, 2019
    Posts:
    23
    Location:
    czech republic
    Some providers would even ask for a valid ID
     
  9. empleat

    empleat Registered Member

    Joined:
    Oct 19, 2020
    Posts:
    4
    Location:
    Czech Republic
    Yeah I heard stories. I think - someone provided only IMEI and number and they gave him a new SIM. Here are some anecdotes: https://techbeacon.com/security/sim-swapping-still-stupidly-simple-so-shun-sms
    I wonder, if I should care about SS7 too?! I want to use smartphone app as 2FA, instead of SMS. I don't use mobile internet. So I need WPA 3 phone first, but there are none at normal price currently... And I don't need 800eur phone so...
     
  10. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    the main thing is that two sim cards cannot work togheter , 1 will deactivate the other, so if sim doesn't work you should immediately do something, if they have sim cloned technology will help you little, they can do alot, for small amounths of money they can stay under the radar from some banks, they can take alot this way
     
  11. empleat

    empleat Registered Member

    Joined:
    Oct 19, 2020
    Posts:
    4
    Location:
    Czech Republic
    Yeah, people previously said, good operator should send warning 24 hours, before. Not sure if hacker could also circumvent this.

    But I was asking this time about ss7.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.