Cell phones were originally created with one purpose in mind – to communicate more frequently and conveniently with one another. They were not intended as a method to definitively authenticate a person’s identity, but in the era of digital transformation, they’re expected to do just that. Increasingly, phone numbers are tied to people’s online identities, and phone companies are relied upon to act as a security measure. Like social security numbers (SSNs), today our mobile digits follow us no matter how many area codes we may live in, becoming another de facto personal identification number.
Unfortunately, in the digital age, mobile numbers, like SSNs, have become very easy to steal. SIM card swaps, a scam in which hackers steal mobile identities, have become more prevalent. In this form of social engineering, attackers pose as the user to the target’s phone company and convince customer service to switch the target’s phone number to a SIM card they own, giving them the ability to then masquerade as the target. This also gives the attacker the necessary means to bypass multi-factor authentication measures, since phone numbers have become the default secondary verification method.
SIM swapping has been used to hijack the online personas of politicians, celebrities and notables like Twitter’s CEO Jack Dorsey. However, although SIM swapping first became popular for gaining access to social media accounts, hackers soon realized they could use it to access a wide array of sensitive digital information, for example through email and financial accounts. SIM swaps are a serious problem because they require minimal technical effort on the part of the attacker. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers, and these numbers continue to increase.
Very quickly, cell phone numbers have become an easy-to-breach digital identity key. A comprehensive SIM swap fix requires fundamentally rethinking the role of phone numbers and the responsibility of the companies behind them, which won’t happen in the short term. In the meantime, by using biometrics, we can turn users into security’s strongest link, helping them stop attacks by just “being themselves.” By authenticating users based on their unique physical behaviors, rather than a mobile number, we can limit the risk of SIM swapping attacks.
To learn more about how banks, financial services, fintech, retail and other organizations are using behavioral biometrics to prevent abuse of phone numbers, contact us here: https://www.behaviosec.com/contact-us/.