SIM Swapping Attacks for Digital Identity Theft: A Threat to Financial Services and Beyond
By: Roger A. Hallman
1 Introduction
The ever increasing use of mobile phones in society, particularly the prevalence of applications (apps) to facilitate financial transactions, presents an enticing attack surface for criminals. Many of these vulnerabilities (e.g., malware) are well-studied in refereed and popular literature; however, other vulnerabilities have received relatively scant attention from professional cybersecurity researchers. SIM Swap attacks, where a malicious actor illegally copies a victim’s Subscriber Identification Module (SIM) chip, are surging in popularity with cyber criminals [8]. Though these attacks are responsible for many millions of U.S. Dollars-worth of theft and are being reported on in news media, there is a paucity of refereed literature.
Mobile computing continues to become more ubiquitous, often serving as a significant component to identity confirmation as we interact with and utilize various service providers. In addition to the risks that SIM Swap attacks present for financial theft, the role that mobile technology plays in our digital identity makes them an attack vector in other areas. For instance, personal mobile computing devices will be increasingly used in enterprise networks as companies experiment with and adopt so-called “bring your own device” (BYOD) policies [7]. One can easily imagine a state-level actor attempting to target personnel from an adversarial state and attempting to use a SIM Swap attack to gain access to sensitive networks. In fact, the significant role that our mobile devices play in our digital identity (and therefore our identity in broader society) justify classifying SIM Swaps as an advanced persistent threat (APT) that deserves more attention from professional security researchers.
The purpose of this paper is primarily to provide a reasonably thorough introduction to SIM Swap attacks, with a focus on their role in financial and cryptocurrency theft. Additionally, it looks at the risk that these attacks may present to the emerging BYOD paradigm. Finally, it examines the current mitigation practices to guard against SIM Swap attacks. As such, the remainder of this paper is as follows: SIM Swap attacks are explained in Section 2, with case studies that are specific to financial and cryptocurrency theft presented in Sections 2.1 and 2.2, respectively. Current practices in combating SIM Swaps are presented in Section 3, and concluding remarks are given in Section 4.
2 Understanding SIM Swap Attacks
The Subscriber Identity Module [10], or SIM, card is historically a small, physical component of every mobile device that provides a unique identity on mobile devices. While initially limited to solely identifying devices on a mobile network, SIM cards are now an essential component of our digital identities due to the centrality of mobile computing devices in much of everyday life. The digital identity, which a SIM card connects to a real-world identity, may be used for authentication and access to financial applications, as well as access to email and other information and communication technology (ICT) services.
SIM Swap attacks [16] occur when a criminal actor copies or replaces the SIM card from a victim’s mobile device. This may require the criminal gaining physical custody of the phone for a time, or involve dishonest mobile service employees. However, attackers may gain sufficient information to perform a SIM Swap on a potential victim by classic social engineering tactics.
SIM Swaps have evolved over time and can be sorted into the following classifications:
• The Classic SIM Swap Attack occurs when an adversary gains physical access to a phone, and is able to physically remove and replace the phone’s SIM card;
• Insider SIM Swap Attacks are orchestrated with the assistance of complicit employees within the victim’s mobile service provider;
• and Socially Engineered SIM Swap Attacks wherein an adversary uses social engineering tactics to manipulate customer service representatives into swapping the victim’s SIM card.
2.1 SIM Swap Attacks in Financial Crime
Traditional financial institutions such as banks and credit card companies took advantage of the advances in mobile computing capabilities to introduce apps that provide user interfaces to access various services. Banks apps may allow users to access accounts to monitor their balances, initiate bill payment services, or even transfer funds; credit card company apps commonly allow users to monitor their accounts and initiate payments from connected bank accounts. Many financial apps rely on information held within the SIM card for streamlined authentication, which may be by sending a one-time passcode connected to the phone number (i.e., SMS two-factor authentication - 2FA), or even keeping the financial app logged into the institution’s system.
SIM Swap attacks are an increasing vector for financial crimes, leading to many millions of customer losses, along with institutional resources expended on insurance and investigations. Classical SIM Swaps require that criminals gain physical access to a victim’s phone, and this is usually a trivial matter for pickpockets, especially in crowded environments or where people have been consuming alcohol (as alcohol generally dulls the victim’s senses). However, there is enough personally identifiable information easily available on the Internet to make Socially Engineered SIM Swaps are becoming an increasing risk. Money stolen from traditional financial institutions will usually be transferred into a money laundering network to protect the criminal from prosecution.
One recent report in New Orleans [13] detailed how the victim’s phone was stolen during a ride share after a night of partying. The victim’s party ordered transportation through a ride shareapp , and accepted a ride in a car with another passenger in the back seat (in spite of being admittedly uncomfortable with the situation). The criminal was able to abscond with the victim’s phone, and steal $7,000.00 from the victim’s bank account. Another report [12] is typical of Socially Engineered SIM Swaps. A victim in Colorado received an email from his bank alerting him to a transfer of $24,500.00. The criminal(s) acquired enough information about the victim to impersonate him to a phone company employee and get a new, cloned SIM card. This enabled them to reset bank account passwords, and transfer funds into a money laundering network.
Investigating and prosecuting the criminals who perpetrate SIM Swaps in financial crime is difficult due to the use of money laundering networks. Nonetheless, there have been notable prosecutions against SIM Swappers. Insider SIM Swap attackers are often the easiest to disrupt and prosecute. For instance, the U.S. Attorney for the Eastern District of Louisiana announced the guilt and sentencing of a former phone company employee who had taken bribes to clone at least 19 SIM cards for criminal associates [22]. In February 2023 [23], the U.S. Attorney for the Southern District of New York announced the disruption and prosecution of a gang that was responsible for at least $1,000,000 stolen from victim bank accounts.
2.2 Threat to Cryptocurrency Holders
Cryptocurrencies have grown wildly in popularity since Bitcoin was released in 2008, and have created a dynamic economic system that can serve as an alternative to traditional financial institutions. While some institutions within the traditional finance space (e.g., banks, hedge funds) are examining how to incorporate cryptocurrencies into their service portfolio, cryptocurrency holders largely serve as their own bankers. Cryptocurrencies are “held” in cryptocurrency wallets [15] which are mechanisms that hold private and public keys. Cryptocurrency wallets create and broadcast valid transactions, and maintain account balances and transaction histories. Cryptocurrency wallets may be “cold” (e.g., paper wallets or hardware wallets that are not directly connected to the Internet), or “hot” software-based wallets (e.g., a smart phone app). Cryptocurrency exchanges, which provide an “on/off-ramp” for users to navigate between fiat currencies and the cryptocurrency ecosystem; many users interact with their exchange accounts through smart phone apps, and treat them as de facto wallets.
SIM Swaps play a significant role in cryptocurrency crime, becoming an attack vector in cryptocurrency theft and fraud around the world [16, 19]. Many cryptocurrency exchanges utilize SMS 2FA, or other MFA authentication means which relies on the user’s SIM card [14, 3]; once the attacker has cloned or swapped the SIM card, they have easy access to any service that uses the SIM card for authentication. Additionally, SIM swaps can enable identity theft of high-profile individuals, which gives the attacker an opportunity to scam users through social media. Former United States President Barack Obama and then-former Vice President Joe Biden, among others, were the victims of SIM Swaps in 2020 that led to them temporarily losing control of their Twitter accounts [9]. Posing as the former President and Vice President, the scammer promised to send $2,000.00 worth of Bitcoin to any address that $1,000.00 worth of Bitcoin to the scammer’s wallet; victims lost more than $100,000.00. Ethereum Co-Founder Vitalik Buterin was the victim of a SIM Swap attack in September 2023 [25]. Scammers were able to deceive his mobile network provider, and then take over his Twitter account in order to lure victims with a NFT scam with a malicious URL (Figure 1). Victims lost more than $690,000.00. Beyond the fraud perpetrated on social media after Buterin lost control of his phone, 2023 has seen a series of subsequent and notable cases of SIM Swaps used for cryptocurrency theft.
An employee at the financial advisory firm Kroll, which serves as the claims agent for multiple bankrupt cryptocurrency firms, was the victim of an August 2023 Socially Engineered SIM Swap attack [21]. The attacker was then able to gain access to files that contained confidential information on bankruptcy claimants in the FTX case. The attacker used this information to send claimants a phishing email that was meant to convince them to link a cryptocurrency wallet and expose private keys, which would enable further cryptocurrency theft [18].
Figure 1: Ethereum Co-Founder Vatlik Buterin discloses that he was the victim of a SIM Swap attack on the Warpcast social network (September 12, 2023) [4].
A Co-Founder of Blockchain Capital [2], a blockchain and cryptocurrency focused venture capital firm, lost approximately $6,300,000.00 worth of Bitcoin, Ether, and other digital assets. The attacker utilized information available via darkweb markets to conduct a socially engineered SIM Swap, then transferred assets out of a hot wallet, and attempted to transfer approximately $14,000,000.00 of digital assets out of an associated cold wallet. In a particularly brazen move, the attacker sent the victim a message claiming to be able to SIM Swap any phone in the Mainland United States of America. Other notable victims of cryptocurrency theft by SIM Swap include executives at OpenAI, Bored Ape, and the Atpos Foundation, with losses totalling more than $13,000,000.00 [1].
Prosecutions of SIM Swap-based cryptocurrency crimes are relatively rare, due in part to the fact that many criminals are operating outside of the United States. Joseph O’Connor, the hacker who SIM Swapped the former President and Vice President in 2020, was extradited to the United States from Spain and sentenced to 5 years in prison. The United States Attorney’s Office for the Southern District of New York achieved a conviction and 18-month prison sentence against a member of a criminal gang that stole more than $20,000,000.00 worth of cryptocurrency and digital assets. The victim in the Blockchain Capital case above has filed a lawsuit against his as-yet unnamed attacker. Victims of SIM Swap-based cryptocurrency theft have ongoing litigation against the Coinbase cryptocurrency exchange, though analysts suggest that the plaintiffs have a difficult case to make[3]. Litigation against mobile network providers face similar challenges [20].
3 Mitigation Strategies and Countermeasures
Defending against SIM Swap attacks requires a multi-pronged approach, with responsibilities falling on individual users, mobile network operators, and service providers. Moreover, technologies and practices are evolving to mitigate the threat against current SIM Swap attack methodologies; however, this leads criminals to evolve their attack methodologies as well. For instance, innovations in smartphone hardware are making Classic SIM Swap attacks far less prevalent, thus criminals are increasingly using Socially Engineered SIM Swap attacks.
Individual users can best protect themselves from becoming the victim of a SIM Swap attack (as well as most other cybersecurity vulnerabilities) by practicing good cyber hygiene [17]. It is always prudent not to broadcast one’s wealth or position on social media, as this can assist criminals in their target selection. Smart phone-based apps provide users considerable convenience, but often at the cost of security. Individual users can reduce their attack surface by intentionally making a choice in favor of increased inconvenience. For example, users exercising greater physical security (e.g., keeping their phone in a secured, interior pocket) will limit opportunities for a Classic SIM Swap attack. Users should utilize hardware token MFA devices when they are supported, rather than SMS 2FA or MFA apps that are associated with their SIM card.
Mobile network operators (i.e., phone companies) are a vector for both Insider and Socially Engineered SIM Swap attacks. Several of the incidents covered in Sections 2.1 and 2.2 were enabled by explicit actions or oversights by phone company employees, and the U.S. Department of Homeland Security has encouraged phone companies to improve their defenses against SIM Swaps [5]. Insider SIM Swap attacks require a complicit phone company employee to authorize a new SIM card issuance. A relatively effective strategy to mitigate against this attack is to require greater employee oversight. For instance, requiring management to approve SIM card issuance or replacement will distribute liability, which should act as a disincentive to the corrupted employee.
Service providers such as cryptocurrency exchanges and financial institutions often utilize a user’s smartphone SIM card for authentication purposes; however, methods such as SMS 2FA and MFA are useless once a SIM Swap attack has occurred. Moreover, support for hardware token MFA devices is not as widespread as SIM-associated authentication methods; broadening support for hardware token MFA devices from service providers would significantly lessen the impact of SIM Swap-based cyber crime. Kim, et al. [16] document a cross-industry check system between service providers and mobile network operators. In this system, customer fund transfers placed from smartphone apps are flagged, and the bank then sends the phone company a query as to whether the associated SIM has been recently changed; if so, then the bank would perform further due diligence on the transaction.
Looking forward, phone companies and service providers are able to fund research and development of new technologies that can make Classic SIM Swap attacks more difficult. An example of this is the development of the embedded SIM (e-SIM), where the SIM card is not removable from the phone, and multi-SIM devices [24]. AI-based behavioral analysis [19, 11] has shown great success in fraud detection, so it stands to reason that this work can be matured for the purpose of detecting and preventing SIM Swap attacks. The details and fallout of the Kroll SIM Swap attack [21] should be particularly chilling for enterprises where employees can use their mobile devices to access critical enterprise systems, and further research and development is necessary to address this gap in identity and access management. Given the increased difficulty of Classic SIM Swaps and the documented impact of Socially Engineered SIM Swap attacks, it stands to reason that criminals will use every available tool, including improved deepfake technologies [6], to victimize their targets. The detection of deepfake social engineering attacks is imperative to combat what will certainly become a common cyber criminal tactic.
4 Conclusion
Mobile technology enables users to interact with a host of services, including financial services, from any location and without verifying their real world identities, relying instead on a digital identity. The SIM card in the user’s mobile device serves as a bridge between the user’s digital and real world identities; however, that bridge is an enticing target for cyber criminals. “SIM Swap” attacks are a term for any cyber attack where a criminal is able to take over a victim’s mobile phone number, which enables them to authenticate into any service with which that phone number was associated. SIM Swaps attacks are a recently emerging cyber crime tactic that have led to hundreds of millions of U.S. Dollars worth of financial losses across both traditional finance and cryptocurrency; moreover, these attacks have been successfully used to gain access into enterprise systems in order to extract sensitive information.
Despite the growing threat of SIM Swaps, there is a dearth of literature on the topic from academic or professional cybersecurity researchers. This paper introduced the reader to SIM Swap attacks, providing a nomenclature of attack methodologies. Several SIM Swap attacks were detailed to give the reader a clear idea of the impact that such an incident can have on a victimized individual or organization. Finally, mitigation strategies were discussed, along with potential research directions which may contribute to combatting this cyber crime tactic.
References
[1] Almada Lopez, D. “Bored ape ceo & openai cto among victims of sim swap scams.” Crypto Briefing News (August 24 2023). https://cryptobriefing.com/victims-of-sim-swap-scams-54-bored-ape-openai/.
[2] Baird, K. “Crypto ceo loses $6.3 million in daring sim-swap heist.” be(in)crypto News (August22 2023). https://beincrypto.com/crypto-ceo-loses-6-3-million-swap-heist/.
[3] Buntinx, J. “Sim swapping victim sues coinbase over sms 2fa hack but may fight a losing battle.” Cryptomode News (March 8 2023). https://cryptomode.com/sim-swapping-victim-sues-coinbase-over-sms-2fa-hack-but-may-fight-a-losing-battle/.
[4] Buterin, V. “Buterin sim swap announcement, September 12 2023.” https://warpcast.com/vitalik.eth/0x8ea2d0.
[5] Cyber Safety Review Board. “Review of the attacks associated with lapsus$ and related threat groups report,” July 24 2023. https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report.
[6] de Rancourt-Raymond, A., and Smaili, N. “The unethical use of deepfakes.” Journal of Financial Crime 30, 4 (2023), 1066–1077.
[7] Disterer, G., and Kleiner, C. “Byod bring your own device.” Procedia Technology 9 (2013), 43–53.
[8] FBI Internet Crime Complaint Center. “Criminals increasing sim swap schemes to steal millions of dollars from us public (public service announcement: Alert number i-020822-psa),”February 8 2022. https://www.ic3.gov/Media/Y2022/PSA220208.
[9] Frenkel, S., Popper, N., Conger, K., and Sanger, D. E. “A brazen online attack targets v.i.p. twitter users in a bitcoin scam.” The New York Times (July 15 2020). Updated on May 5, 2021.
[10] Gu, G., and Peng, G. “The survey of gsm wireless communication system.” In 2010 international conference on computer and information application (2010), IEEE, pp. 121–124.
[11] Hu, X., Chen, H., Liu, S., Jiang, H., Chu, G., and Li, R. “Btg: A bridge to graph machine learning in telecommunications fraud detection.” Future Generation Computer Systems 137 (2022), 274–287.
[12] Jajola, J. “Hacker steals man’s $24,500 in savings using ’sim swapper’ attack.” 9 News Denver (March 2 2023). https://www.9news.com/article/news/crime/hacker-sim-card-swap-scam/73-c7f0d7a1-5c90-46f6-b316-7eb2814fe485.
[13] Jones, D. “Hackers steal thousands of dollars through victims’ cell phones using sim swap fraud.” Fox 8 New Orleans (March 17 2023). https://www.fox8live.com/2023/03/18/hackers-steal-thousands-dollars-through-victims-cell-phones-using-sim-swap-
[14] Kan, M. “95% of coinbase users rely on sms-based 2fa, account takeover stats reveal.” PC Magazine (January 20 2023). https://www.pcmag.com/news/95-of-coinbase-users-rely-on-sms-based-2fa-account-takeover-stats-reveal.
[15] Karantias, K. “Sok: A taxonomy of cryptocurrency wallets.” Cryptology ePrint Archive (2020).
[16] Kim, M., Suh, J., and Kwon, H. “A study of the emerging trends in sim swapping crime and effective countermeasures.” In 2022 IEEE/ACIS 7th International Conference on Big Data, Cloud Computing, and Data Science (BCD) (2022), IEEE, pp. 240–245.
[17] Maennel, K., M ̈ases, S., and Maennel, O. “Cyber hygiene: The big picture.” In Secure IT Systems: 23rd Nordic Conference, NordSec 2018, Oslo, Norway, November 28-30, 2018, Proceedings 23 (2018), Springer, pp. 291–305.
[18] Malwa, S. “Ftx customers hit by ’withdrawal’ phishing mails after sim swap attack.” Coin Desk (August 29 2023). https://www.coindesk.com/business/2023/08/29/ftx-customers-hit-by-withdrawal-phishing-mails-after-sim-swap-at
[19] Nicholls, J., Kuppa, A., and Le-Khac, N.-A. “Financial cybercrime: A comprehensive survey of deep learning approaches to tackle the evolving financial crime landscape.” Ieee Access 9 (2021), 163965–163986.
[20] Sinclair, S. “At&t off the hook in $24m crypto sim swap case.” Blockworks (April 4 2023). https://blockworks.co/news/att-crypto-sim-swap-lawsuit.
[21] The Hacker News. “Kroll suffers data breach: Employee falls victim to sim swapping attack.” The Hacker News (August 26 2023). https://thehackernews.com/2023/08/kroll-suffers-data-breach-employee.html.
[22] U.S. Attorney’s Office, Eastern District of Louisiana. “Former phone company employee sentenced to three months probation for role in sim swap scam conspiracy that targeted at least 19 customers, including new orleans resident,” October 20 2021. https://www.justice.gov/usao-edla/pr/former-phone-company-employee-sentenced-three-months-probation-role-sim
[23] U.S. Attorney’s Office, Southern District of New York. “Seven defendants charged with million-dollar identity theft and fraud scheme,” February 16 2023. https://www.justice.gov/usao-sdny/pr/seven-defendants-charged-million-dollar-identity-theft-and-fraud-scheme.
[24] Vikhrova, O., Pizzi, S., Terzani, A., Araujo, L., Orsino, A., and Araniti, G. “Multi-sim support in 5g evolution: Challenges and opportunities.” IEEE Communications Standards Magazine 6, 2 (2022), 64–70.
[25] Young, M. “Vitalik buterin reveals x account hack was caused by sim-swap attack.” CoinTelegraph (September 12 2023). https://cointelegraph.com/news/vitalik-buterin-reveals-x-account-hack-was-caused-by-sim-swap-attack