FINAL WORD
the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.
Sometimes the target is the carrier and not the customer. This happens when a carrier’s employees in small-city branches, especially branches located in kiosks or shopping malls, are unable to identify a fraudulent or adulterated document, allowing a fraudster to activate a new SIM card.
Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is one credential, even from a small branch in a small city, to gain access to the carrier’s system.
The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find: by searching through leaked databases, by buying such a database from data brokers (some of them legal), or by using apps like TrueCaller and similar caller-ID and spam-blocking apps, which also have privacy issues and offer a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.
The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal.
WhatsApp is the most popular instant messenger in a number of countries where the app is used by fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts.
Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.
Frauds using SIM swap are becoming common in Africa and the Middle East, affecting countries like South Africa, Turkey and the UAE. Countries like Mozambique
have experienced this firsthand. The solution implemented by banks and mobile operators in Mozambique as a result is something I believe we must learn from and encourage other regions to investigate and apply, among other aspects, to the mobile payment methods of the future – as a way to ensure that mobile phones do not become an enemy in our pockets.
How not to be the next victim
• Voice and SMS must be avoided as authentication mechanisms
When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other methods, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.
• The new era of biometrics
Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as ‘my voice is my password’ – the technology works reasonably well, even detecting if the voice is a recording or if the user has the flu. However, the major stumbling block that we observed is the very low enrolment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.
• Automated SMS: ‘Your number will be deactivated from this SIM card.’
When a SIM change is requested, operators can implement an automated message sent to the number, alerting the owner that there’s been a SIM change request and that, if it’s not authorised, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself; instead it alerts the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.
Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.
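The two carrier-side controls just described, the alert SMS to the current SIM and the account password, can be combined in one swap-request handler. The following Python is an added illustration, not code from this article or from any operator: the Subscriber record, the mock SMS gateway and the PBKDF2 hashing of the account PIN are my own assumptions, and the out-of-coverage case is simulated with a flag.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ALERT_TEXT = ("Your number will be deactivated from this SIM card. "
              "If you did not request this, call the fraud hotline.")


@dataclass
class Subscriber:
    """Constructed, in-memory stand-in for a carrier's subscriber record (hypothetical)."""
    msisdn: str
    current_iccid: str
    pin_salt: bytes
    pin_hash: bytes
    in_coverage: bool = True  # False simulates a handset that cannot receive SMS


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption; the article only says a password is set in the carrier's systems.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enrol(msisdn: str, iccid: str, pin: str, in_coverage: bool = True) -> Subscriber:
    salt = os.urandom(16)
    return Subscriber(msisdn, iccid, salt, hash_pin(pin, salt), in_coverage)


def send_sms(sub: Subscriber, text: str, outbox: list) -> bool:
    """Mock SMS gateway: delivery fails when the handset is outside coverage."""
    outbox.append((sub.msisdn, text, sub.in_coverage))
    return sub.in_coverage


def request_sim_change(sub: Subscriber, new_iccid: str, pin_supplied: str,
                       outbox: list, audit: list) -> str:
    # Preventive control: the account password required for any change to the number.
    if not hmac.compare_digest(hash_pin(pin_supplied, sub.pin_salt), sub.pin_hash):
        audit.append(("denied", sub.msisdn, new_iccid))
        return "denied"
    # Detective control: warn the *current* SIM before it is deactivated. As the article
    # notes, this does not stop the swap; it only gives the owner a chance to react.
    delivered = send_sms(sub, ALERT_TEXT, outbox)
    audit.append(("alert_delivered" if delivered else "alert_undelivered",
                  sub.msisdn, new_iccid))
    sub.current_iccid = new_iccid
    return "swapped"
```

The audit trail records undelivered alerts separately so a fraud team can see which swaps went through without the owner ever being warned.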
• Process improvement
As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In some countries, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.
• Activate 2FA on WhatsApp
To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.
• Request your number be unlisted from TrueCaller and similar apps
TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.
Despite the fact that attacks on 2FA using tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.
Fabio Assolini, Senior Security Researcher,
Global Research and Analysis Team,
Kaspersky Lab
www.intelligentcio.com