Sim Swap Fraud in Nigeria
Some of us might have heard of a SIM Port Attack before, also known as SIM Swap Fraud. While this is not a new phenomenon, it is important for us to understand how this scam works and how we can protect against it.
What is a SIM Port Attack?
Several telecom providers such as MTN, Airtel and Glo provide their customers with a service that allows the customer to request that their phone number be transferred to a new SIM card.
In most cases, this is a perfectly legitimate request that often happens when we misplace our phone or damage our SIM card.
A SIM Port Attack occurs when a malicious attacker ports your phone number to another SIM card in their possession. This enables them to take full control of your phone line and receive confidential information such as one-time passwords (OTPs) and password reset codes.
How does a SIM Port Attack Work?
A lot of people have a primary email account that is connected to several other online accounts such as Facebook, Instagram, Twitter etc.
Most times, we provide a mobile number that can be used to recover our email password should we ever forget it (and we often do). If an attacker successfully ports your SIM to theirs, your phone will lose signal completely, as your SIM card has effectively been deactivated.
The attacker would then initiate a password reset on your email account. A verification code is sent from your email provider to your phone number and intercepted by the attacker, who now controls your SIM card. This enables the attacker to reset your password and take full control of your email account.
The attacker can also use password resets to take over any accounts that are managed via that email address, e.g. bank accounts and social media accounts, since the password reset link would be sent to the hijacked email address. They could also choose to perform more advanced attacks such as Business Email Compromise (BEC) scams/CEO Fraud.
How can an Attacker Transfer my Mobile Number to their own SIM Card?
Typically, an attacker can do this in one of three ways:
- Gather enough personal information about you to successfully impersonate you when speaking with a customer service representative at the telco.
- Gain unauthorized access to the telco's database, which allows them to port your number to a device they control.
- Bribe an insider at the telco to bypass security checks and port your phone number without authorization. This is often how the attack is executed in Nigeria.
How do we Protect Against a SIM Port Attack?
- Using SMS-based 2FA is not enough. It is much safer to use a hardware token or a software-based 2FA app like Google Authenticator or Authy whenever possible.
- Resist the urge to needlessly share sensitive or personally identifiable information online, such as your date of birth, location, etc. Social media is the number one source attackers use to gather information about targets. Besides, is sharing so much information online really that necessary?
- It is a good practice to create a secondary email address for your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.) rather than binding everything to a single email address. Do not use this email address for anything else, and keep it private.
Chinua Katchy is a Cybersecurity Engineer working at Layer3. He is very passionate about cybersecurity and specializes in areas such as Vulnerability Management, Penetration Testing and Incident Response.