Did You Know 2022

Socially Engineered Security Risks Series

Did You Know A Threat Actor Can Port Your Phone Number To Their Device?

Authored by David Carroll 

What is SIM swapping?

A SIM swapping attack occurs when a threat actor convinces a target’s mobile phone carrier to port the target’s mobile phone number to a device the threat actor owns.

Once this occurs, they can receive phone calls and text messages intended for the target. The threat actor will then use this to gain further access to any protected accounts using the target’s mobile phone number. This can include anything from an email account to other online accounts such as social media to banking and even cryptocurrency.

For a simple demonstration of this type of attack, watch the video below of some security experts demonstrating some methods threat actors use to gain access to mobile phone accounts. 

What is Porting?

Porting is a term used to describe the transfer of an existing phone number from one telco provider to another. The process allows you to switch providers while keeping all your same phone numbers. 

You can port mobile numbers, business landlines, inbound services like faxes, and internet connections in Australia. Number porting allows you to quickly transfer an existing phone number or service from one provider to another in a few steps. 

How does a Sim Swap Scam work?

Mobile phones will not work without a Subscriber identity module (SIM). SIM cards store user data in Global System for Mobile (GSM) phones. GSM phones without SIM cards will generally not connect to any mobile network except for emergency calls. This is why your phone is primarily useless when you remove your SIM card unless it is on WiFi.

There are two types of SIM swap fraud.

  • The first is based on social engineering directed at the target and the mobile phone carrier.
  • The second technique includes an insider, usually a rogue mobile carrier employee, but this is less common.

The process begins with the SIM swap threat actor collecting personal information about their intended target. This is often achieved by buying information from the dark web or a criminal organisation or using phishing emails or social engineering to impersonate the target.

If your mobile phone number and other personal information have previously been breached, you are at increased risk of Sim Swapping.

Scammers can also use social media profiles to gather relevant information that helps them impersonate a target. For example, a person’s high school, family members and mother’s maiden name are often apparent on a social media profile. They are also common answers to security questions.

Once the threat actor has a good target profile, they then contact the target’s mobile carrier, impersonating them and claiming to have lost or damaged the SIM card associated with the target’s number. They request that customer service activate their new SIM card or ask for help switching to their new phone.

Once the SIM card swap scam occurs, the threat actor receives all phone calls and SMS intended for the target’s phone, including any one-time passwords.

They can then set up new accounts in your name, for example. You may not be notified if they do so at your existing bank.

What are carriers (Telstra, Optus, Vodafone) doing about it?

Telecommunications are regulated in Australia by the Australian Communications and Media Authority (ACMA). The ACMA defines standards around the process for number porting and helps enforce those processes across all Telcos.

The rules are changing to keep up with the scams and protect Australians. For mobile phones, the ACMA has implemented the following standards:

  • Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020
  • Telecommunications Service Provider (Customer Identity Authentication) Determination 2022

All telcos in Australia are required to follow the standards. Most telcos provide information about how they attempt to prevent these scams. :

  • Telstra has posted about it here.
  • Optus here.
  • Vodafone didn’t appear to have a dedicated page, but they do have a page for reporting fraud.

How to prevent SIM swapping?

There are several ways you can protect yourself and avoid SIM swapping:

Porting2

If you are worried about the security of your pharmacy systems and want to know you can improve your pharmacy security, speak to your Corum Customer Success Manager or contact us on 1300 669 865.