Reprinted from New Scientist:
"Since April 2019, there have more than 300 cases in the UK of attacks in which people try to fraudulently obtain codes that would let them gain control of someone’s mobile number, the UK’s data watchdog has revealed in figures that suggest the practice is becoming more common.
The process of SIM-jacking, or SIM-swapping, involves an attacker contacting a person’s mobile network operator and fraudulently obtaining a porting authorisation code (PAC) enabling them to switch the victim’s phone number to another phone on a different network.
UK-based food-writer Jack Monroe recently had about £5000 stolen from her bank account after someone managed to hijack her mobile number.
Figures released under freedom of information rules to New Scientist by the UK Information Commissioner’s Office (ICO) show that there were “over 300” reports of PAC fraud since the start of April 2019. The watchdog told privacy campaigners last month that there had been 399 cases in total since the start of April 2018, which means most reports have been in the past nine months.
“SIM-swap fraud is devastating, as we saw with Jack Monroe. There is the harm. You mustn’t just think in terms of financial harm, there’s the anxiety and there’s the distress this causes, the absolute inconvenience while you’re without your phone,” says data protection consultant Pat Walshe at Privacy Matters.
It isn’t clear how many of the 300-plus cases of PAC fraud since April involve SIM-jacking. The ICO says it only identified 11 cases with the term, but says the figure can’t be taken as reliable because it may have missed variations on the phrase when searching its records.
“We don’t know which operators have reported what and we don’t know whether the fraudulently obtained PACs [number] is in fact SIM-swap fraud. We can only assume it is,” says Walshe.
Figures released by the City of London Police suggest that there is a growing problem. The number of annual PAC fraud reports to the national Action Fraud website and helpline doubled between 2016 and 2018, to 252.
Security clearance
SIM-jacking typically works by someone calling up a victim’s mobile network operator, armed with as much personal information about the person as possible. In Monroe’s case, for example, her date of birth was available on Wikipedia. The assailant then uses that information to attempt to pass security clearance with the operator in order to have them read out the PAC. That can then be used to port the number onto another SIM, giving the attacker control of the number.
The ICO doesn’t say how many cases were successful. Attempts by New Scientist staff to mimic the process – by trying to obtain a PAC for their own number using just their name, mobile number and date of birth – were rebuffed. One network operator wouldn’t give out the PAC without the caller reading out a code sent via text to the number to be ported. Another declined to give out a PAC via web chat, and a third wouldn’t allow the caller to proceed without a postal address.
However, some attempts clearly are succeeding in the UK, as Monroe’s case demonstrates, and globally, with the technique used to access the Twitter account of the social media company’s founder, Jack Dorsey. Mobile numbers have increasingly become the main way for companies and governments to authenticate a person’s identity, raising the stakes for losing control of the number.
Walshe, who worked for two decades in the mobile industry, says there is insufficient data being collected on the problem. He also says the sector isn’t doing enough to tackle the issue. One of the solutions he prefers is networks sending a verification text to the original number. He says security checks shouldn’t be using data that could be gleaned online. “No company should be asking for DOB and mother’s maiden name, [which are often a] matter of public record.”
Trade body Mobile UK said the issue is out of its remit and is a matter for individual networks."
