Wednesday, May 11, 2016

SIM swap fraud targets SMS-based two-factor authentication

Security is a constant cat-and-mouse game between developers/defenders and criminals. I and others have long recommended "two-factor authentication" for any sensitive accounts (email, banks) - you must enter both a password and a code generated either by a mobile app or sent to you via SMS/text message. It is a significant hurdle for crooks.

This method of security is becoming common enough for criminals to come up with ways to defeat it. One such method seen lately in the UK is a so-called "SIM swap" - the crook gains enough information to impersonate you, then calls your mobile carrier to claim your phone has been stolen. Your phone number is re-activated, but on the crook's phone - so the crook now receives the SMS or text codes meant for you.

Multi-factor authentication that uses a mobile app (or a separate token generator) is stronger security, but if SMS is what your bank offers, I still recommend enabling it. It's still far better than just a password.

What you should do

  • Enable any two-factor or multi-factor feature provided by your bank. A hardware token (a physical device generally about the size of a USB flash drive) is the strongest solution, though it's probably not practical to carry token generators for every important account. A mobile app (Google Authenticator and Duo Mobile are popular options) is the next best thing, and even an SMS or text message code still raises the bar that a criminal must overcome. is a great website with links to "how-to" documentation at many, many banks and service providers.
  • Be mindful of the personal information you share publicly. The more a criminal can learn about you (address, current location, date of birth, email addresses, children's names, payment card numbers, bank account numbers, etc.), the easier he or she can impersonate you to a service provider. If the identity thief can convince tech support that they are you, then for all intents and purposes, to that service provider they are you.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen