It’s like “Invasion of the Body Snatchers” — for smartphones.
At wireless carriers such as AT&T Inc. (T:US) and South Africa’s Vodacom Group Ltd. (VOD), a new hacking threat has emerged involving the illicit swapping of SIM cards, the plastic chips that authenticate customers on mobile networks. Criminals call users and impersonate the companies to glean personal information, which they use to hijack the chips and customer accounts, paving the way for online banking fraud and international calling theft.
The scam represents a growing threat to the global telecommunications industry, which is projected to lose $46.3 billion to fraud in 2013, or about 2 percent of total revenue, according to the Communications Fraud Control Association. Account takeovers such as SIM-card switches are one of the most common types of fraud, and may rack up $3.6 billion in losses this year, almost triple the amount in 2011, the CFCA estimates.
“Attackers are definitely getting more advanced,” said Lawrence Pingree, a mobile-security researcher at Gartner Inc. “It’s almost like stealing at a bank — going right in and doing it in person. It’s very personal.”
Like fraud attempts known as phishing, the SIM card attacks start with a phone call or e-mail designed to elicit personal data from the wireless customer. The attackers do their homework in advance, researching victims’ names and addresses and creating convincing stories. Once they have extracted sensitive details, such as Social Security numbers, they call the wireless providers and request to have the victims’ SIM cards switched to new devices. The victims’ phones go dead and the hackers’ devices light up.
Scams against wireless carriers often involve stealing service for international calling, without the difficulty of establishing new accounts in victims’ names. Having access to SIM cards also lets criminals intercept security codes sent via text message for online banking and other services, making more sophisticated identity theft possible.
SIM card fraud is in its infancy and will become more prevalent as access to wireless networks expand worldwide and people use smartphones more as their primary computing devices, said Marc Rogers, principal security researcher at Lookout Inc.
“It will evolve into something bigger,” Rogers said. “At the moment you have some guys getting a low to medium yield with some tricks, and it will dawn on them they could do more.”
The challenge for wireless carriers is distinguishing between a legitimate SIM-card swap and a fraudulent one. Customers switch SIM cards all the time when they upgrade phones, and with the right information, a scammer can complete the process over the phone in minutes.
Keith Carter is a typical victim. The scammers who targeted the 35-year-old Atlanta resident racked up more than $2,600 in charges for calls to Cuba, Guinea and Gambia after Carter accepted a call Aug. 12 purporting to be from an AT&T representative. The caller promised him a discount on his next bill if he would answer some customer-satisfaction surveys.
The survey sounded legitimate and the caller had personal information, such as Carter’s address, so the telecommunications company manager said he didn’t think twice when the caller asked for the last four digits of his Social Security number — the piece of information needed to access his account and switch his SIM card.
The next day, he noticed his iPhone had no service. He got a new SIM card for the phone the following day, yet the international calling continued, according to an interview with Carter and a copy of his bill. Carter plans to dispute the charges, and he said he’s looking for a new wireless provider.
“I thought when I got the new SIM card that the old one would be disassociated with it — but clearly this bad boy is still rocking and rolling,” he said. “It’s hard to abandon ship but it’s gotten to the point I have to leave. And if I can take as many people as I can with me, I will.”
AT&T said the scam affecting its network is being driven by groups selling the stolen cellular services online.
“We’re working to educate our customers on how to protect their information from social engineering,” AT&T said in an e-mailed statement. The company declined to comment about new security measures being considered to protect against SIM-card swap attacks, and declined to comment on individual cases.