CERT NZ — the New Zealand Government body that monitors and advises on cyber attacks — is warning New Zealanders to be wary of SIM swapping. It has uncovered the first of these attacks to hit the country, with victims suffering losses of $30,000 on average.
In a SIM swapping attack — also known as SIM hijacking — the attacker uses social engineering techniques to persuade a mobile service provider to transfer the victim’s phone number to the attacker’s SIM card. Then, if the attacker has already obtained the primary credentials for the victim’s bank or other account, the attacker can pass two-factor authentication that relies on a numeric code being sent via SMS to the victim’s phone, and transfer money out of the account.
In Q4 of 2019 CERT NZ says it received multiple reports of successful SIM swap attacks — the first for more than a year. “Anecdotal reports show that incidents of SIM swapping are increasing, as motivated attackers find ways to circumvent additional security controls,” CERT NZ said.
CERT NZ also suggested that, given the effort required to mount and exploit a SIM swapping attack, the incidents were the work of motivated attackers focused on particular individuals. It declined to provide any further details of these attacks.
It said there was little individuals could do directly to prevent SIM swapping, but they could reduce the chances by keeping very tight control over the sort of personal information attackers use to dupe mobile operators into porting the number.
Australia moves to prevent SIM hijacking, but NZ has not
In Australia the telco regulator, the Australian Communications and Media Authority (ACMA), last month introduced new rules requiring telcos to add additional identity verification when transferring (porting) customers’ mobile numbers.
The new Telecommunications (Mobile Number Pre-porting Additional Identify Verification) Industry Standard 2020 contains provisions that should prevent almost all SIM hijacking. It requires an agent — in store or in a call centre — to call the mobile number that the caller wants transferred, to make sure they are calling from that number. Alternatively, the agent can send a code via text message to that number, which the recipient must then enter.
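The text-message path of that standard amounts to a small state machine: the code goes to the number as it is currently provisioned (not to the new SIM), it is bound to one porting request, it expires, and repeated wrong guesses lock the request. The following is an added illustration of that check, written for this article; it is not code from CERT NZ, ACMA or any carrier. The `send_sms` callable stands in for a real SMS gateway, and the 10-minute validity window and 3-attempt limit are assumed policy values, not figures from the standard.

```python
"""Pre-porting verification of the kind the ACMA standard describes:
before a number is moved, a one-time code is sent to the number as it is
currently provisioned, and the port proceeds only if that code comes back.
Added illustration; the SMS gateway is a stand-in callable, not a real API."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 600   # assumed policy: a code is usable for 10 minutes
MAX_ATTEMPTS = 3         # assumed policy: lock the request after 3 wrong codes


@dataclass
class PortRequest:
    request_id: str
    msisdn: str          # number the caller wants transferred
    code_hash: bytes     # HMAC of the code; the plaintext is never stored
    issued_at: float
    attempts: int = 0
    verified: bool = False


class PrePortVerifier:
    """Issues a one-time code to the existing number and checks the echo."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.send_sms = send_sms      # stand-in for the carrier's SMS gateway
        self.clock = clock            # injectable so expiry can be tested
        self.secret = secrets.token_bytes(32)
        self.requests: Dict[str, PortRequest] = {}

    def _hash(self, request_id: str, code: str) -> bytes:
        # Bind the code to its request so a code for one port cannot confirm another.
        msg = f"{request_id}:{code}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def start(self, request_id: str, msisdn: str) -> PortRequest:
        """Generate a code and deliver it to the number as currently provisioned."""
        code = f"{secrets.randbelow(10**6):06d}"
        req = PortRequest(request_id, msisdn, self._hash(request_id, code), self.clock())
        self.requests[request_id] = req
        # The code goes to the live number only; the agent never reads it out.
        self.send_sms(msisdn, f"{code} is your port-out verification code. "
                              "If you did not ask to move your number, contact your provider.")
        return req

    def confirm(self, request_id: str, entered_code: str) -> str:
        """Return 'verified' only when the live handset echoed the code in time."""
        req = self.requests.get(request_id)
        if req is None:
            return "unknown_request"
        if req.verified:
            return "already_verified"
        if self.clock() - req.issued_at > CODE_TTL_SECONDS:
            return "expired"
        if req.attempts >= MAX_ATTEMPTS:
            return "locked"
        req.attempts += 1
        if hmac.compare_digest(req.code_hash, self._hash(request_id, entered_code)):
            req.verified = True
            return "verified"
        return "wrong_code"

    def may_port(self, request_id: str) -> bool:
        """The porting system consults this before moving the number."""
        req = self.requests.get(request_id)
        return req is not None and req.verified


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the SMS gateway's outbound queue
    verifier = PrePortVerifier(lambda number, text: outbox.append((number, text)))
    verifier.start("port-001", "+64210000000")   # constructed sample number
    code = outbox[-1][1].split()[0]
    print(verifier.confirm("port-001", code))     # verified
    print(verifier.may_port("port-001"))          # True
```

The point a carrier's engineer would check here is the order of the guards in `confirm`: expiry and lock-out are tested before the code is compared, the plaintext code is never persisted, and a code issued for one request cannot confirm a different one because the request id is folded into the HMAC.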
In New Zealand, mobile number porting is regulated under the Telecommunications Act and administered by the Commerce Commission and the New Zealand Telecommunications Forum (TCF). The current rules were put in place in 2016 and are due to expire in December 2021. They do not impose any requirements on service providers to verify that porting requests are genuine.
The TCF has a Code for Transfer of Telecommunications Services covering a service being transferred between providers, rather than to a new SIM with the same provider. It puts the onus on the acquiring service provider to validate a customer’s porting request but does not prescribe any ways in which this is to be done.
The New Zealand telecom regulator ComCom told Computerworld that the TCF is aware of the issues and has been working with ComCom to come up with a revised process to address them. “The TCF may be under a bit of pressure” due to the current coronavirus-caused disruption in people’s ability to work, said ComCom spokesperson Simon Thomson.
More SMS phishing attacks and phone scams seen, too
CERT NZ also reported that, in Q4 of 2019, it had seen a large SMS phishing campaign targeting the customers of a New Zealand bank.
The campaign used an online bulk text messaging service to send text messages to 27,000 New Zealand mobile phone numbers; about 12,000 of these belonged to customers of the bank.
It gave no details of the nature of the attack, or the damage it caused, saying only that it had coordinated a joint response with the bank, the Police and the Department of Internal Affairs to “protect the bank’s customers and stop the campaign before further harm was done.”
In other findings from the report, CERT NZ said it had seen an increase in scam calls trying to extract information from people. A large portion were tech support scams. Automated calls claiming to offer credit card holders an increase on their credit limit, or to notify them of a supposed suspicious transaction, were also common.