
The SIM Swap Fix That the US Isn’t Using

Around a year ago, André Tenreiro was called into a meeting between the chief technology officer of the phone carrier he worked for—one of the largest in Mozambique—and an executive of the country’s largest bank. The latter had seen an escalating pattern of fraud based on so-called SIM swap attacks, where hackers trick or bribe a phone company employee into switching the SIM card associated with a victim’s phone number. The attackers then use that hijacked number to take over banking or other online accounts. According to Tenreiro, the bank had seen more than 17 SIM swap frauds every month. The problem was only getting worse.

“The gentleman from the bank, I could see by his face he was desperate. He wanted to do something but he didn’t know what to do,” says Tenreiro, who asked WIRED not to identify the phone carrier he worked for. “He was asking for our help. As mobile operators, we also had a responsibility to fight this fraud.”

SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim’s banking credentials, or by using the phone number as a password reset fallback. So the phone company, Tenreiro says, offered a straightforward fix: The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.

By August of 2018, Mozambique’s largest bank was performing SIM swap checks with all the major carriers. “It reduced their SIM swap fraud to nearly zero overnight,” says Tenreiro, who serves on Mozambique’s Computer Emergency Readiness Team, and spoke about the SIM swap fraud fix at Kaspersky’s Security Analyst Summit earlier this month.

Mozambique isn’t alone in implementing that fix for the growing epidemic of SIM swap fraud, which is increasingly used for everything from hijacking Instagram accounts to stealing cryptocurrency. According to WIRED’s interviews with security firms and executives in the banking and telecom industries, companies in other countries across Africa, including Nigeria, South Africa, and Kenya—where the prevalence of mobile payments has made SIM swaps a particularly serious threat—have put similar carrier-checking remedies in place. So have the UK and Australia. But there’s one country where experts say the fix hasn’t taken hold: the US.

“This is something where Africa is ahead of us,” says Alison Nixon, director of security research at security firm Flashpoint. “It’s something people have been asking for in the US, but no one has really moved forward to do it.”

Swap Meet

Some security firms and banking executives point to US carriers as the main hurdle. They simply don’t make real-time SIM swap data available for the kind of security checks other countries’ banks have implemented. In fact, security company Telesign has sought to offer SIM swap fraud-checking to US banks, but has found that most US phone companies aren’t yet willing to work with them.

“Long story short, the data isn’t available from most US carriers,” says Stacey Stubblefield, Telesign’s co-founder. She says only one US phone carrier has so far offered real-time SIM swap data, but declined to say which.

Stubblefield admits it’s hard to know what deals banks or other potential SIM swap attack targets might have cut with carriers privately. Those stakeholders have been tight-lipped about their solutions, in part to avoid providing any clues that might help fraudsters circumvent their security measures. But Stubblefield is nonetheless confident that carriers aren’t providing enough data to allow real-time SIM swap checks in the US. She says Telesign is in talks with two banks who are seeking that data—a sure sign that they don’t have it already.

Seven major US banks do collectively own a security firm called Early Warning, which like Telesign works to provide banks with data that can help them prevent fraud. Early Warning’s “authentication evangelist” Hal Granoff says that carriers in fact provide some of that data to Early Warning and its owners. But he declined to say exactly what kind, and conceded that he wished they would go further. “They’re sharing information,” Granoff said. “They could be sharing more.”


When WIRED reached out to the four major US carriers, they all either declined to respond on the record or referred questions to CTIA, the telecom industry association. CTIA vice president for technology and cybersecurity John Marinho argued that while US carriers may not offer real-time SIM swap checks, that’s in part because the US has other protections, like geolocation checks based on banks’ mobile applications installed on smartphones, and two-factor authentication. (The latter, of course, is exactly the security measure SIM swaps attempt to circumvent.)

“Security uses multiple layers and tools to mitigate the risks; you can’t focus on just one tool. There’s no silver bullet, you have to use all the tools that are available,” Marinho wrote in an email. “But the carriers, in collaboration with many large brands, do collaborate very closely to make sure they’re staying ahead of the bad guys to protect consumers from fraud.”

Marinho added that US carriers are prevented from sharing real-time SIM swap data in part by the difficulties of scale. US banks, he says, deal with too many users performing too many transactions to check them all against carrier data. Privacy represents a concern, too. Carriers are reticent to give any third party real-time data about users without their express opt-in consent. “Do the carriers look at account churn? Yes,” Marinho writes. “But can they share that information cavalierly? No. Carriers treat privacy and security as top priorities and act in compliance with any applicable laws regarding consumer permission.”

One banking industry executive who spoke to WIRED and asked not to be named, however, described the situation differently. He dismissed the privacy explanation and pointed instead to a financial one: Not enough US banks are currently demanding real-time SIM swap data to create an incentive for carriers to sell access to it. “There’s no business model for a carrier to develop a system to support this,” he says. “People aren’t willing to pay what it takes to make that system come into being. If someone’s willing to pay them money for it, phone carriers are willing to sell your data to anyone.”

To his point, look no further than the carriers’ current scandal over selling consumers’ location data to bounty hunters. Historically, carriers have not shown much concern over opt-in consent.

Tenreiro, who helped address Mozambique’s SIM swap fraud problem, adds that it’s possible to implement the fix without privacy compromises. His carrier simply set up an API that responded to banks’ queries about SIM swap data while providing no other information. “All the operators do is reply with a binary response ‘Yes/No’ whether the subscriber has conducted a SIM swap within the last X days,” he says. “We believe the privacy exposure is minimal.”
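The carrier-side check described above, and the bank’s pre-transfer use of it from earlier in the piece, as an added illustration that is not code from the Mozambican carrier or any bank: the carrier exposes only a Yes/No answer for a phone number and a window of X days, and the bank holds a transfer when the answer is Yes. Subscriber numbers, timestamps and the fixed clock are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2019, 4, 20, 12, 0, tzinfo=timezone.utc)

# Constructed stand-in for the carrier's provisioning log: number -> time of
# the most recent SIM change (None = the number has never been re-provisioned).
CARRIER_SIM_CHANGES = {
    "+258840000001": NOW - timedelta(hours=6),   # swapped this morning
    "+258840000002": NOW - timedelta(days=10),   # swapped well outside the window
    "+258840000003": None,                       # never swapped
}


def carrier_recent_swap(msisdn: str, window_days: int, now: datetime = NOW) -> bool:
    """Carrier-side endpoint (hypothetical name).

    Answers only the binary question "was there a SIM swap on this number in
    the last X days?" The timestamp, the device and any other subscriber data
    stay inside the carrier, which is what keeps the privacy exposure minimal.
    """
    last_change = CARRIER_SIM_CHANGES.get(msisdn)
    if last_change is None:
        return False  # unknown or never-swapped number: no recent swap
    return (now - last_change) <= timedelta(days=window_days)


@dataclass
class Transfer:
    account: str
    msisdn: str   # phone number registered for one-time passwords on the account
    amount: float


def bank_authorize_transfer(t: Transfer, window_days: int = 3,
                            query=carrier_recent_swap) -> str:
    """Bank-side pre-transfer check (hypothetical).

    window_days is the reporting window the article describes (two or three
    days): long enough for a victim who notices a dead phone to report it
    before a fraudster can move money.
    """
    if query(t.msisdn, window_days):
        return "BLOCKED: recent SIM swap, hold for manual verification"
    return "APPROVED"
```

A real deployment would pass the query over an authenticated channel to the carrier, but the shape of the exchange is the point: one number and one window go in, one bit comes back.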

Forced Fix

There are, of course, other ways to stop SIM swap fraud: As a rule, tech firms, cryptocurrency companies and banks shouldn’t depend on the security of phone numbers. That means avoiding any password reset fallback based on them, and using two-factor authentication via apps or hardware tokens rather than text messages, as security professionals have advised for years.

But real-time checks between carriers and the companies SIM swappers target should be part of the solution too, says Flashpoint’s Nixon. And if the carriers aren’t motivated to make that possible, she says, regulators may have to intervene. “I don’t know if this problem can be fixed by the private sector. It might be something the government has to step in and fix,” she says. “I don’t know if telcos are really planning on offering this, or waiting for the government, but something like this has to happen.”