Understanding the SIM-Swapping Threat

Between the growth and accessibility of the internet, the proliferation of smart devices, and the increased portability and power of those devices, connecting people anywhere on the globe is easier than ever. But new technologies also represent new opportunities for bad actors: from the Nigerian prince email, to phishing, identify theft, hacking and beyond, scammers are always on the lookout for new ways to fleece targets. And with a technique called SIM-swapping, they are having some of their greatest successes to date.

What is SIM-Swapping?

SIM-swapping attacks have gathered steam in recent years. According to the US Federal Trade Commission (FTC), the scam goes something like this: a scammer reaches out to your service provider to “say your phone was lost or damaged.” Next, they take control of your phone number by “ask[ing] the provider to activate a new SIM card connected to your phone number on a new phone – a phone they own.” Assuming your provider believes the scammer, the new SIM card in the scammer’s phone begins to “get all your text messages, calls, and data on the new phone” – and provides access to sensitive information.

While two-factor authentication and other security measures have gained popularity for their ease and efficacy, SIM-swapping bypasses everything. Because the scammer has already gained access to your device, “the threat actor can thwart SMS-based [two-factor authentication] checks that were supposed to protect” a user’s sensitive information, like a bank account. After “resetting any of the passwords of the compromised accounts, the full takeover is complete,” allowing the scammer access to money, private information, social media accounts, and more.

SIM-Swapping in Action

Attacks have grown more profitable and scammers more brazen over time. A recent bust – part of a year-long collaborative effort between UK, US, Belgian, Maletese, and Canadian authorities – brought down a SIM-swapping ring in the UK “that reaped more than $100 million by taking over the mobile phone accounts of high-profile individuals.” The eight arrests in early February “follow[ed] earlier ones in Malta (1) and Belgium (1),” said Europol.

The victims, who included “well-known influencers, sports stars, musicians, and their families,” had “money, bitcoin, and personal information” stolen in the attacks. National Crime Agency (NCA) National Cyber Crime Unit head of operations Paul Creffield noted the arrested parties (who remain anonymous but were between 18 and 26 years old) “face prosecution for offenses under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution.”

Legal Ramifications

As SIM-swapping gains popularity, law enforcement agencies around the world may find collaboration more vital than ever. The attacks have “emerged as a major criminal enterprise over the past few years, fueled in large part by the rise of cryptocurrency accounts that can hold millions of dollars in digital coin,” reports Ars Technica. Other high-profile attacks include a Massachusetts man who “[pled] guilty to a SIM-swap attack that netted $5 million in cryptocurrency” in early 2019; European law enforcement have also had their hands full “arrest[ing] a dozen people” across Spain for attacks that stole $3.35 million, as well as another 14 people in Romania and Austria in early 2020.

SIM-swapping is not going away. A report indicates that cases rose from a total of 144 in all of 2015 to 483 instances through June 2020 alone, leading mobile providers to come under scrutiny for their role in the scams – and being asked to do more to mitigate the threat.

Barring increased security measures from providers, one thing is certain: the cross-border nature of the attacks requires a cross-border response from law enforcement. Michael D’Ambrosio, the Assistant Director of the US Secret Service Office of Investigations, declared the “multi-jurisdictional” February arrests to be an illustration of “the importance of building strong partnerships.” The working relationships of law enforcement agencies reflect the nature of crime in an ever more-connected world – interactive, transnational, and, in many ways, more accessible than ever before.

This article is authored by

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.