Busting SIM Swappers and SIM Swap Myths — Krebs on Security
KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. Snippets from that fascinating conversation are recounted below, and punctuated by accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked.
In response to today’s Krebs on Security story, Will LaSala, Director Security Solutions, Security Evangelist, OneSpan, commented:
“SIM swap fraud is extremely dangerous. Users should be wary by now about using SMS as their primary form of two-factor authentication. There are many well-publicized problems with SMS as a two-factor solution. From a financial institution standpoint, many have already started to make the switch to Mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers. Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.
“Many financial institutions are balancing the security of a solution versus the acceptance of the solution across their user base. Ease of use versus security is a classic two-factor hurdle. In today’s security landscape, banks should be looking at implementing security solutions that offer the correct level of security at the precise time. Banks can use data from many different sources throughout their interaction with their customers to allow for a better view of what the bank’s perceived risk level is. Once they have identified the risk level, they can make accurate decisions as to how to mitigate that risk. For example, does it require a PUSH notification, can a transaction simply be processed without additional user interaction, maybe it requires an easy-to-use biometric like fingerprint, or maybe a more secure biometric like face or voice. All of these technologies should be on the table for a bank to use at any point within the journey of their digital users.”
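The risk-based step-up that the quote describes, sketched as an added example (not OneSpan's or Krebs' code): risk signals for an action are scored, the score selects the weakest acceptable authenticator, and SMS one-time codes can notify but never satisfy a privileged action. The signal names, weights, thresholds and the carrier SIM-change feed are all assumptions made for illustration.

```python
"""Step-up authentication policy sketch (added example, not OneSpan's code).

Gathers risk signals for an action, derives a risk level, then picks the
weakest authenticator acceptable at that level. SMS OTP is treated as a
notification channel only and never satisfies a privileged action. Signal
names, weights, thresholds and the SIM-change feed are all assumptions."""
from dataclasses import dataclass

# Authenticators ordered from least to most assurance (assumed ranking).
ASSURANCE = {"none": 0, "sms_otp": 1, "push": 2, "fingerprint": 3, "face_or_voice": 4}
PRIVILEGED = {"transfer", "change_phone", "change_email", "add_payee"}

@dataclass
class Context:
    action: str                         # e.g. "view_balance", "transfer"
    amount: float = 0.0                 # monetary value of the action, if any
    new_device: bool = False            # device fingerprint not seen before
    sim_changed_recently: bool = False  # carrier SIM-change/port-out signal (assumed feed)
    unusual_geo: bool = False           # location inconsistent with recent history

def risk_score(ctx: Context) -> int:
    """Sum weighted signals; weights are illustrative, not calibrated."""
    score = 3 if ctx.sim_changed_recently else 0   # strongest SIM-swap indicator
    score += 2 if ctx.new_device else 0
    score += 1 if ctx.unusual_geo else 0
    if ctx.amount >= 10_000:
        score += 3
    elif ctx.amount >= 1_000:
        score += 1
    return score

def required_factor(ctx: Context) -> str:
    """Map the risk level to the authenticator the user must complete."""
    score = risk_score(ctx)
    privileged = ctx.action in PRIVILEGED
    if not privileged and score == 0:
        return "none"               # low-value read: process without interaction
    if score >= 5 or (privileged and ctx.sim_changed_recently):
        return "face_or_voice"      # highest assurance when a SIM swap is plausible
    if score >= 3:
        return "fingerprint"
    return "push"                   # floor for any privileged action

def is_sufficient(ctx: Context, presented: str) -> bool:
    """Accept only an authenticator at or above the required assurance."""
    if presented == "sms_otp" and ctx.action in PRIVILEGED:
        return False                # SMS may notify, never authorize privileged access
    return ASSURANCE[presented] >= ASSURANCE[required_factor(ctx)]
```

A real deployment would feed `sim_changed_recently` from a carrier lookup and tune the weights against observed fraud, but the shape of the decision is the same.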