A new level of cyber crime has the ability to steal thousands of dollars from victims in a matter of hours – once a thief gains control of your mobile phone number.
Security experts have urged banks to move away from text message identity authentication, as online criminals increasingly expose a vulnerability in phone number retrieval systems.
The warning comes as a 20-year-old US college student faces 10 years’ imprisonment for conducting more than $US5 million ($6.9 million) in cryptocurrency fraud, after tricking mobile phone providers into transferring targets’ phone numbers to his own devices.
Presently, mobile phone companies enable customers to ‘SIM swap’ – a transfer of an existing number to a new SIM – in cases of lost mobiles or a provider switch.
In one case revealed to The New Daily, a budding hacker managed to gain control of a target’s phone number through the SIM swapping process, and attempted to steal tens of thousands of dollars from his bank account, in less than two hours.
Monash University’s Oceania Cyber Security Centre director Carsten Rudolph says hackers who have obtained enough personal information about a target can pass mandatory telco checks and exploit services that use text messages as an authentication tool.
“For me, the main problem is we use our phone numbers as a second authentication factor (2FA) for bank transactions or a means to recover accounts when we need to recover passwords,” he said.
“One of the main issues is it’s not a totally secure way to protect our services.
“For consumers, it’s difficult because they usually don’t have a big choice in ways that they can authenticate [bank account access].”
‘SIM swapping’ hack can occur in a matter of hours
A Queensland dentist, who chose to remain anonymous amid concerns over a repeat attack, told The New Daily he was at risk of losing $20,000 after becoming the victim of a SIM swapping attack in January.
He said the first warning sign came when he lost phone reception while driving home from work, before receiving a notification from his bank (Westpac) of the attempt to extract money from his account.
“I lost cell service first, and I thought it was because I hadn’t paid my bills, and it’s then that I realised my banking password got changed,” he said.
“It all happened in the space of less than two hours – it was quite alarming, and I didn’t have a phone service to make any calls.”
He said he found a roundabout way of regaining access to his email account, and noticed the notification from Westpac was deleted, before he received a string of threatening emails from his attacker.
Emails obtained by The New Daily confirmed his phone number was ported out from his Optus account to a Lebara account, after a scammer relayed ‘accurate’ information about his target.
He said the hacker most likely obtained his personal details via a malware hack, gained his email log-in details and accessed “a plethora of information about [his] personal and professional life”.
An Optus spokesperson told The New Daily the telco follows regulations set out by the Australian Communications and Media Authority to validate number port-out requests.
“By the time a fraudster requests a phone number port, the customer’s details have already been compromised – such as the customer’s bank account details and password, and personal information like their address, date of birth, or credit card and licence details,” the spokesperson said.
Westpac declined to comment on this individual case.
Moving away from text messages in two-factor authentication
Tom Uren, a senior analyst at the Australian Strategic Policy Institute’s international cyberpolicy centre, says an “arms race” initiated by increasingly sophisticated online criminals has left consumers in the lurch.
He says scope for telecommunications companies to improve their authentication processes exists, but costs outweigh the current rate of false SIM swapping.
“The security of 2FA relies on two underlying assumptions: That the SMS telecommunications network is secure, and that phone numbers can’t be stolen,” he said.
“I like the idea of having a uniform standard for how you verify a person is a person – a bank has to go through the 100-point identity check as an anti-money laundering measure, but there could be scope to use it to help protect mobile phone customers.”
How consumers can protect themselves
Dr Suelette Dreyfus, an academic researcher in cyberprivacy and security at the University of Melbourne, says two-factor authentication is borne out of consumers’ longing for convenience when it comes to protecting their privacy.
“The problem is [increasing protective measures] is a pain in the neck for the user and people want convenience over security,” she said.
“Mobile phone companies need to step up to the plate and improve their security processes to ensure this is less likely to happen.
“But it’s also the responsibility of financial and other institutions to help raise customers’ cybersecurity posture. They need to be caring about this, because people only use a digital environment if they have trust.”
Alternative measures to be explored include the use of additional in-device authentication software, such as Google Authenticator or a two-factor authentication device such as a YubiKey.