It’s like “Invasion of the Body Snatchers” -- for smartphones.
At wireless carriers such as AT&T Inc. (T) and South Africa’s Vodacom Group Ltd. (VOD), a new hacking threat has emerged involving the illicit swapping of SIM cards, the plastic chips that authenticate customers on mobile networks. Criminals call users and impersonate the companies to glean personal information, which they use to hijack the chips and customer accounts, paving the way for online banking fraud and international calling theft.
The scam represents a growing threat to the global telecommunications industry, which is projected to lose $46.3 billion to fraud in 2013, or about 2 percent of total revenue, according to the Communications Fraud Control Association. Account takeovers such as SIM-card switches are one of the most common types of fraud, and may rack up $3.6 billion in losses this year, almost triple the amount in 2011, the CFCA estimates.
“Attackers are definitely getting more advanced,” said Lawrence Pingree, a mobile-security researcher at Gartner Inc. “It’s almost like stealing at a bank -- going right in and doing it in person. It’s very personal.”
Like fraud attempts known as phishing, the SIM card attacks start with a phone call or e-mail designed to elicit personal data from the wireless customer. The attackers do their homework in advance, researching victims’ names and addresses and creating convincing stories. Once they have extracted sensitive details, such as Social Security numbers, they call the wireless providers and request to have the victims’ SIM cards switched to new devices. The victims’ phones go dead and the hackers’ devices light up.
Scams against wireless carriers often involve stealing service for international calling, without the difficulty of establishing new accounts in victims’ names. Having access to SIM cards also lets criminals intercept security codes sent via text message for online banking and other services, making more sophisticated identity theft possible.
SIM card fraud is in its infancy and will become more prevalent as access to wireless networks expand worldwide and people use smartphones more as their primary computing devices, said Marc Rogers, principal security researcher at Lookout Inc.
“It will evolve into something bigger,” Rogers said. “At the moment you have some guys getting a low to medium yield with some tricks, and it will dawn on them they could do more.”
The challenge for wireless carriers is distinguishing between a legitimate SIM-card swap and a fraudulent one. Customers switch SIM cards all the time when they upgrade phones, and with the right information, a scammer can complete the process over the phone in minutes.
Keith Carter is a typical victim. The scammers who targeted the 35-year-old Atlanta resident racked up more than $2,600 in charges for calls to Cuba, Guinea and Gambia after Carter accepted a call Aug. 12 purporting to be from an AT&T representative. The caller promised him a discount on his next bill if he would answer some customer-satisfaction surveys.
The survey sounded legitimate and the caller had personal information, such as Carter’s address, so the telecommunications company manager said he didn’t think twice when the caller asked for the last four digits of his Social Security number -- the piece of information needed to access his account and switch his SIM card.
The next day, he noticed his iPhone had no service. He got a new SIM card for the phone the following day, yet the international calling continued, according to an interview with Carter and a copy of his bill. Carter plans to dispute the charges, and he said he’s looking for a new wireless provider.
“I thought when I got the new SIM card that the old one would be disassociated with it -- but clearly this bad boy is still rocking and rolling,” he said. “It’s hard to abandon ship but it’s gotten to the point I have to leave. And if I can take as many people as I can with me, I will.”
AT&T said the scam affecting its network is being driven by groups selling the stolen cellular services online.
“We’re working to educate our customers on how to protect their information from social engineering,” AT&T said in an e-mailed statement. The company declined to comment about new security measures being considered to protect against SIM-card swap attacks, and declined to comment on individual cases.
In South Africa, SIM-card swaps are one of the final steps in attacks targeting the banking information of Vodacom customers, said Richard Boorman, a company spokesman. Vodacom sends text messages to all customers requiring confirmation of a SIM card swap, and these attacks are “extremely rare” in comparison to other types of fraud affecting the carrier, he said.
In the U.S., Verizon Wireless spokesman Tom Pica declined to comment on SIM card fraud, saying there are many kinds of fraud that companies and customers need to protect themselves from. Stephanie Vinge, a Sprint Corp. (S) spokeswoman, and T-Mobile US Inc. (TMUS)’s Anne Marshall said their companies hadn’t seen this kind of attack.
The U.S. Federal Communications Commission hasn’t released specific consumer guidance about SIM-card fraud, said Mike Snyder, an agency spokesman.
Mari and Candace Sawyer, sisters who are dessert caterers in Atlanta, say Dallas-based AT&T isn’t doing enough to safeguard its customers.
Shortly after noon on Sept. 3, a man called their mother’s phone and asked for Mari Sawyer, who holds the family’s account. He had personal information about her and the call appeared to come from AT&T’s customer-service line. Because it seemed legitimate, Mari Sawyer supplied the last four digits of her Social Security number.
The caller wasn’t from AT&T and the number had been spoofed, a process where the caller routes the call through a service that makes it appear to come from somewhere else, the Sawyers said. By 10 p.m., all four phones on their family plan were dead. Hundreds of calls to different numbers in Gambia quickly appeared on their account, they said.
The sisters -- who three years ago uncovered an Internet-routing flaw in AT&T’s wireless network that was causing Facebook Inc. (FB) users on mobile phones to be directed to the wrong password-protected accounts -- began to investigate online, and discovered that they were probably the victims of a scam, and that they weren’t alone.
With the latest incident, the sisters contacted AT&T, which on Sept. 23 issued a public statement about the threat. The Sawyers say they have filed a complaint against AT&T with the FCC for failing to alert them about SIM card swaps.
Emily Edmonds, an AT&T spokeswoman, declined to comment on the sisters’ FCC complaint. She directed questions to the FCC, which didn’t return a message amid the federal government shutdown.
“It’s not right to drive by an accident where someone’s hurt, and it’s not right if your SIM card gets hacked and you don’t do something to prevent it from happening to someone else,” Mari Sawyer said in an interview.
While Mari Sawyer said she erred in giving personal information to the caller, she said AT&T should have informed her about the SIM-card change before allowing it to proceed.
“Corporate responsibility is important and it’s something that we as consumers should be able to expect,” she said. “We should expect that they want to make money but we should also expect that they’ll do it the right way.”
To contact the editor responsible for this story: Pui-Wing Tam at firstname.lastname@example.org