INFO5301 NIST Digital Identity Guidelines
2. SIM-swap: A SIM swap attack leverages the legitimate process followed by mobile sub-
scribers when their SIM card is lost or damaged. The attacker knowing some basic details
of the target (e.g. ID number, address etc.) calls the mobile operator, answers some security
questions and requests the transfer of the mobile subscription to a fresh SIM card that is on
a device under the control of the attacker. After the transfer, the target mobile subscription
stops working and all calls and SMS will be received by the attacker’s phone. As a result,
the attacker can access the one-time codes sent by SMS authentication and can then access
the target’s bank accounts etc. after gaining any other login credentials from other means
such as social engineering.
3. Mobile number port-out: Again, attackers use already established legitimate procedures
that allow mobile subscribers to change their service provider from one network to another
whilst keeping their original mobile number (MNP– Mobile Number Portability). The at-
tacker creates an account with a different mobile service provider and request to port the
target’s number from the original network by providing some static authentication creden-
tials such as ID number. Once the process is successfully completed, the attacker has access
to the target’s SMS including OTCs sent for SMS authentication.
4. Interception by malware and trojans: An attacker can install malware on a user’s phone
that can intercept OTCs sent by SMS and send them back to the attacker in the background.
In 2016, the security company ESET discovered an Android malware variant that had this
capability to target the largest retail banks in Australia, New Zealand, and Turkey [5]. On
another occasion, Check Point Ltd. discovered a trojan named “EuroGrabber” which car-
ried out similar attacks in Eastern Europe and swiped approximately $47 million from over
30,000 customers [6].
[1] L. H. Newman, “Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup.”
https://www.wired.com/story/reddit-hacked-thanks-to-woefully-insecure-two-factor-setup/,
2019.
[2] A. Tims, “‘SIM swap’ gives fraudsters access-all-areas via your mobile phone.”
https://www.theguardian.com/money/2015/sep/26/sim-swap-fraud-mobile-phone-vodafone-
customer, 2015.
[3] A. Tims, “ATT SIM-Card Switch Scam.”
https://www.dos.ny.gov/consumerprotection/scams/attsim.html, 2018.
[4] L. H. Newman, “Fixing the cell network flaw that lets hackers drain bank accounts.”
https://www.wired.com/2017/05/fix-ss7-two-factor-authentication-bank-accounts/, 2017.
[5] ESET, “Android Trojan Targets Customers of 20 Major Banks.” https://www.eset.com/afr/about/newsroom/press-
releases-afr/research/android-trojan-targets-customers-of-20- major-banks00/, 2016.
[6] E. Kalige and D. Burkey, “A Case Study of Eurograbber: How 36 Million Euros was Stolen
via Malware.” https://www.checkpoint.com/downloads/product-related/whitepapers/eurograbber-
malware-bank-customers- millions-stolen.pdf, 2012.
Information Security Management Page 7of 9