SIM Swapping: The Latest Development in Card Fraud
Card fraudsters constantly develop new ways to steal customers' information and money. SIM swapping is the latest high-tech attempt to accomplish this goal. The FBI's Internet Crime Complaint Center (IC3) reports that it received 2,026 SIM swapping complaints in 2022 with adjusted losses of more than $72 million, up from just 320 complaints with $12 million in losses between January 2018 and December 2020. (Source) In today's article, we will define SIM swapping, explain how information is stolen, and share best practices to protect your financial institution and members.
Nearly every cell phone in circulation contains a SIM card, a chip that stores information and is used to identify the device on a cell network. This card is required to assign a service like Verizon or T-Mobile to a specific phone. Newer phones have replaced physical SIM cards with digital versions built directly into the phone. A SIM swap is when a fraudster takes YOUR SIM card and places it on THEIR device, giving the fraudster access to your cell service.
SIM Swapping is performed in two ways:
- The fraudster gathers enough demographic data on the victim to call the wireless carrier and change the service to their device.
- The fraudster finds someone with access to this system at the wireless carrier and pays them to make the change. These inside actors offering this service are called "innys."
SIM cloning is a different technique, but the objective and aftermath remain the same. It occurs when a fraudster has successfully cloned a physical SIM card. This was a popular fraud attack a few years ago before cell carriers began converting to digital versions. While SIM cloning has yet to be rendered obsolete, SIM swapping is the preferred method for card fraudsters.
Stolen SIMs Allow for Card Theft – Here’s How:
Once the fraudster has SIM Swapped a victim, they can change passwords for any account that uses SMS passcodes as verification. As a first step, they typically try to gain access to the victim's email account. Gaining email access means the fraudster can uncover where the victim banks, what stores they have e-commerce accounts with, and any other valuable information stored within the victim's email archives.
The next step for the fraudster is to manipulate and infiltrate those accounts. Since the fraudster now has access to the victim's cell phone and email, they can easily change account passwords to gain access. Once in, they can perform various types of fraud, including ordering products with the card on file at online merchants or transferring money from the victim's bank to another account via P2P services. Worst of all, if the FI being breached uses SMS one-time passcodes, the fraudster could easily raise limits on the cards they have stolen, or answer calls about fraud alerts and approve the pending transactions.
What Happens Next:
By the time this deception is uncovered, significant amounts of fraudulent charges have taken place. The fraudster can now receive SMS messages meant for the cardholder. As a result, any service that uses SMS one-time passcodes, which is a lot of them, can now be taken over with ease. Depending on the service, this can include email accounts, banking credentials, merchant logins, and much more.
“We’ve known that SIM Swapping was possible for quite a while, but had limited reports of this technique impacting clients. That has now changed. We’re receiving reports of confirmed SIM Swapping from clients and we’ve seen an increased number of arrests. The bottom line is one-time passcodes cannot be the only line of defense anymore. The fraudsters have evolved and we have to as well.” Fraud Detection Specialist, Greg Lenihan.
How to Protect Your Cardholders From SIM Swapping?
While SIM Swapping is quickly becoming a popular fraud technique, it is still somewhat unknown to most cardholders. As the institution tasked with protecting their money, it is vital that you educate them on the steps to take to prevent this attack. Encourage your cardholders to contact their mobile carrier and add a PIN that is required to make changes to their account.
Internally, your own FI can take steps to protect your members by analyzing the security around your one-time passcodes. Examine how secure the process is and what additional steps can be taken to bolster it. The main lesson learned is that SMS one-time passcodes are no longer as secure as they used to be. The time has come to examine additional ways to protect your members' most important information and requests.
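One way to start that examination is to look for the sequence described earlier in your own activity logs: an SMS-verified password reset followed shortly by a limit raise, P2P transfer, or fraud-alert approval that was also verified only by SMS. The sketch below is an added example, not Rippleshot's code; the event names, member IDs, sample events, and 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Actions the article names as post-takeover fraud (event names are hypothetical).
HIGH_RISK = {"card_limit_raise", "p2p_transfer", "fraud_alert_approved"}
WINDOW = timedelta(hours=24)  # assumed review window; tune per institution

# Constructed sample events: (ISO timestamp, member id, event, verification method)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "m-1001", "password_reset", "sms_otp"),
    ("2024-03-01T09:12:00", "m-1001", "card_limit_raise", "sms_otp"),
    ("2024-03-01T09:20:00", "m-1001", "p2p_transfer", "sms_otp"),
    ("2024-03-01T10:00:00", "m-2002", "password_reset", "app_push"),
    ("2024-03-01T10:05:00", "m-2002", "p2p_transfer", "app_push"),
    ("2024-03-02T08:00:00", "m-3003", "password_reset", "sms_otp"),
    ("2024-03-05T08:00:00", "m-3003", "p2p_transfer", "sms_otp"),
    ("2024-03-03T11:00:00", "m-4004", "card_limit_raise", "sms_otp"),
]

def flag_sms_only_takeovers(events, window=WINDOW):
    """Return (member, event, timestamp) for each high-risk action that follows
    an SMS-only password reset within `window` and was itself SMS-only."""
    last_sms_reset = {}  # member id -> time of most recent SMS-verified reset
    alerts = []
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, member, event, method in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "password_reset":
            if method == "sms_otp":
                last_sms_reset[member] = when
            else:
                # A reset verified by a stronger factor clears the suspicion.
                last_sms_reset.pop(member, None)
        elif event in HIGH_RISK and method == "sms_otp":
            reset_at = last_sms_reset.get(member)
            if reset_at is not None and when - reset_at <= window:
                alerts.append((member, event, ts))
    return alerts

if __name__ == "__main__":
    for member, event, ts in flag_sms_only_takeovers(SAMPLE_EVENTS):
        print(f"HOLD for step-up verification: {member} {event} at {ts}")
```

Flagged actions are candidates for a hold until the member is verified through a channel that does not depend on their phone number.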
As scary as it sounds, the possibility of someone else gaining control over another person's phone is real. Companies' reliance on one-time passcodes to keep their customers safe has left them wide open to a new type of fraud. The next steps for any financial institution are to educate their members on how to best protect their personal information and to look inward to find new ways of bolstering their protection before it is too late.
About Rippleshot and Rules Assist
Since 2013, Rippleshot has been leveraging the power of artificial intelligence and automation to protect your customers from card fraud.
Rules Assist is the perfect blend of these tools. Together, they help your institution avoid falling behind the competition by providing the automation, machine learning, and data you need to implement effective rule writing strategies.