SIM Swapping; a simple but devastating kind of Cyber Crime

When we hear the term "cyber crime", we envision the cinematic portrayal of a young hacker tapping at a keyboard to gain instant access to other people's data.

Sadly this is not as far-fetched as we think it is. A method known as SIM Swapping is a very real cyber crime that results in millions of Dollars being stolen worldwide.

SIM-Swapping is the simple act of a ‘thief’ impersonating a “user” when they contact the service provider specific to a cellular number they have targeted. The scammer requests a "transfer" of the specified number to a new SIM card the hacker has activated.

Any security questions asked by the service provider to prove the validity of the request can be answered accurately by the scammer because they have the personal information of their targeted victim. When the provider sends the Authentication Code to the specified cell number, the real user is unaware that the code has been intercepted, and equally ignorant that the scam syndicate now has access to all their data.

The most notable victim of SIM swapping crime is the cryptocurrency exchange, FTX*.

Allegedly a female member of a SIM-Swap gang impersonated an FTX executive, and within hours the hackers syphoned an estimated $400 Million from the exchange, leading to FTX filing for bankruptcy a few days later.

According to a statement by the new CEO, John. J. Ray III, the breach was due to the “complete failure of corporate controls”.*

Two Factor Authentication tokens despite being dynamically created, are still interceptable, and personal data is still susceptible to brute force attacks and credential stuffing**. Ultimately, a computer program cannot differentiate between a trusted, or malicious request for access. If the correct sequence of zeroes and ones is provided, with security questions accurately answered, the request is recognized as valid and allows the user access.

So, how do you prove that you are who you say you are when asking for digital access online, and critically, how do you mitigate the risk of digital identity and financial theft?

The solution is Synapser’s flagship secure mobile software application, Entry*.

Entry is a user-friendly mobile application that proves that the user requesting access online, is physically, legally documented, and digitally, one and the same. Entry only allows self authentication to an application by a validated user. There is no third party authentication generated token required.

If the user physically, and in real time, does not match their authenticated government identity documentation, and the dynamic digital key of the device that the identity was registered on, Entry rejects the user as invalid.

Entry is a closed loop authentication process which mitigates the risk of fraudulent interception. Entry integrates seamlessly with the device biometrics, geolocation tracking and other inherent security features of a device to enhance the users safety.

Additionally, and of importance considering the modus operandi of SIM swapping cyber criminals, Entry software builds up a digital identity from a variety of elements on the device, and for its authorisations requests utilises SNS (Secure Network services), and does not use SMS’s which rely on the device SIM or IMEI number as a unique identifier. In the event of a SIM card being swapped or cloned, the digital request will be deemed invalid.

Synapser’s vision is to allow everyone access to a device and become part of the digital evolution, whilst empowering people to live safely in a digital world. - Please change to " Synapser's vision is to provide the global community with access to mobile devices ensuring their inclusion of the digital evolution, and to empower people to live safely in a digital world.

*Reference Links

https://www.synapser.com/products

https://en.wikipedia.org/wiki/FTX

https://en.wikipedia.org/wiki/John_J._Ray_III

https://pacer-documents.s3.amazonaws.com/33/188450/042020648197.pdf/ 

** Definition

Brute Force attacks are when hackers apply multiple passwords against multiple accounts. Credential stuffing refers to the way hackers apply known username and passwords against websites..

www.synapser.com


Ross Joughin