14 February 2022

What is a SIM swap attack?

SIM swapping is a scam in which criminals target cell phone carriers in order to gain access to victims’ bank accounts, virtual currency accounts and other sensitive information, using social engineering, insider threats or phishing. In the social engineering variant, the criminal impersonates the victim and tricks the carrier into switching the victim’s mobile number to a SIM card in the criminal’s possession, which gives the criminal the victim’s calls, texts and other data. This is only one of the three methods used to steal funds from victims.

An insider threat occurs when a criminal pays a mobile carrier employee to switch the victim’s number to a SIM card the criminal already holds. Criminals can also use phishing to obtain victims’ sensitive data and then steal funds through their banking details or third-party services such as PayPal or Venmo. Once a criminal controls the victim’s mobile number, anything delivered to it, from text-message verification codes to SMS-based two-factor authentication, can be intercepted and used to compromise the victim’s accounts.

“Service providers must move from more simplistic means of validating identity to more sophisticated ones,” Clements said. “PIN codes unique to each user’s account can be one way of adding additional security to the process, and ‘out of wallet’ questions are another alternative that works by verifying much harder to compromise information such as last three home addresses or cars. It may be more of a hassle for everyone, but it’s simply no longer viable to rely on information that has been routinely compromised to validate a person’s identity.”

The FBI encourages both cell phone users and the companies that provide service to take additional security measures in protecting their personal information. For cell phone users, the agency outlines the following tips:

Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.

Do not provide your mobile number account information over the phone to representatives who request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.

Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.

Use a unique password for each online account.

Be aware of any changes in SMS-based connectivity.

Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.

Do not store passwords, usernames or other information for easy login on mobile device applications.

www.techrepublic.com

