White Black Legal International Law Journal ISSN: 2581-8503

Peer-Reviewed Journal | Indexed at Manupatra, HeinOnline, Google Scholar & ROAD







TAMIL NADU – 613401.

MAIL ID: 125117037@SASTRA.AC.IN                                                                       

PHONE NUMBER: +91 9344482965                                                                                                          





 TAMIL NADU – 613401.


 PHONE NUMBER: +91 9025314423



SIM swapping frauds[1] are a relatively new form of cybercrime that has seen a surge due to the increasingly virtual lifestyle prompted by the COVID-19 pandemic. SIM swapping is a criminal modus operandi that involves copying a SIM card to take over a mobile service subscription and access sensitive personal and financial data. This new crime poses significant security risks that necessitate comprehensive study and countermeasures to prevent and detect it. The study of SIM swapping frauds examines related cases around the world, categorizes them according to their specific modi operandi and the initial responses of national authorities, and proposes pre-emptive and preventative measures to address this new threat. The subscriber authentication procedures involved in replacing a SIM card are vulnerable to identity theft, particularly in jurisdictions which have implemented eSIM. SIM swapping involves three primary steps: personal data theft, fraudulent copying of a SIM card, and exploitation of falsely obtained mobile services for perpetration. Superimposed fraud is a type of SIM swapping fraud that burdens the victim's account with call charges. Therefore, detecting and preventing SIM swapping fraud is crucial to ensure the security of customer accounts, and governments should enforce a stronger user authentication and information security regime for mobile carriers, introduce an online payment system devised with a data-sharing mechanism connecting mobile carriers and financial services, and raise public awareness of SIM swapping and information security in general.


Technology has grown rapidly in the last few decades, which has led to drastic improvement in telecom and financial services. This has been both a boon and a bane: it has helped in various fields, whether education or infrastructure, but it has also led to various kinds of cyber fraud. Smartphones were mostly used by the opulent in the past decade, but due to advancement in technology they have become everyone's need. If you have ever actually lost your phone, you understand the desperate, sinking feeling of searching through all of your pockets and luggage while fearfully asking, "Can anyone see my phone?" SIM swapping is another way to lose your phone, without it ever leaving your pocket. In the last six months, an organisation in India has seen an average of 1783 attacks per week, compared to 1645 attacks per organisation in the APAC area, according to the Check Point Threat Intelligence Report[2]. The intention here is to steal personal data, which can be used by cybercriminals later. Further, according to India's Computer Emergency Response Team (CERT-In), both the overall number of ransomware attacks and phishing events have climbed in India from 280 in 2020 to 523 in 2021.

SIM Swapping meaning

SIM is the abbreviated form of subscriber identity module, which is a small, removable chip card used in a mobile phone. Each SIM card is unique and synchronised with a mobile account.

A SIM swap scam, also referred to as a port-out trick, SIM splitting, smishing, sim jacking, or SIM swapping[3], is a type of account takeover fraud in which a SIM fraudster uses the victim's identity to convince their mobile service provider to move their phone number to a SIM card the fraudster owns, giving the fraudster ownership of the number. Once they possess this, they can successfully complete any SMS-based two-factor authentication procedures for the accounts connected to that number, assuming total control over the phone number and the affected accounts. With this, the attacker may be able to access social media profiles, bank accounts, contact lists, emails, text messages, and other private and personal data, among other things. Financial gain is the primary motivation for SIM swap fraud: hackers frequently use the access to reach credit card data, bank accounts, and even cryptocurrency wallets.

How Does a SIM Swap Work?

Subscriber identity module (SIM) cards store user data in Global System for Mobile Communications (GSM) phones. GSM phones without SIM cards are not authorized to use any mobile phone network. Unless it uses Wi-Fi, your mobile phone will be completely dead when the SIM card is removed. After a SIM swap, the victim will no longer be able to receive text messages or phone calls through their original carrier. Instead, these calls and texts will be forwarded to the attacker, and once Wi-Fi is operational, carrier-based internet and telecommunication will stop.

SIM swap fraud can be done in two ways. The first technique[4] involves social engineering, which is directed at both the victim and the mobile phone carrier. The second technique relies on an insider. Typically, the first strategy, which does not require insider help, is the way the SIM swap scam works. In this technique, the SIM swap scammer begins by collecting personal data about the victim. This information is collected from organized criminals, through the fraudsters' own phishing emails, or by direct social engineering, and some personal data of the victims, such as birthdays and passwords, is purchased from sellers of leaked and stolen data on the dark web. Scammers usually use social media profiles to gather relevant information that helps them to impersonate a victim.

Usually, after collecting the required data, the attacker contacts the victim's mobile carrier and impersonates the victim, claiming to have lost or damaged the SIM card associated with the victim's number, and then asks customer service to activate a new SIM card, or sometimes just asks for help switching to a new mobile phone. Once the SIM swap takes place, the victim's phone loses its connection to the network and the attacker starts to receive all phone calls and SMS intended for the victim's phone, including any one-time passwords, which enables the fraudsters to gain access and circumvent account-linked security features that rely on calls or text messages. After this, the scammers set up new accounts in the name of the victim, and when this is done at the victim's existing bank, he/she will not be notified. This is the technique usually used by fraudsters in committing SIM swap scams. The second technique relies on an insider, usually a rogue mobile carrier employee. It is rarely practiced by SIM swap fraudsters.


SIM Swap detection

The victim can detect[5] a SIM swap scam and become alert through the signs listed below. More often, these signs have helped victims in detecting a SIM swap even before the scammer contacts the mobile operator. The signs are:

  • Obstruction from sending or receiving text messages or making phone calls

Once the SIM Swap is done, the victim will no longer be able to receive or send text messages or make phone calls. This is because the victim’s phone number is in the control of scammers.


  • Loss of mobile service

Another way in which a SIM swap can be detected is when the victim's phone displays a "no service" or "search" message.


  • Notification regarding phone number activation on a new device

The victim will be notified when his mobile number is activated on a new device. Mobile carriers usually send this kind of notification to apprise their customers when their SIM card or phone number is activated on a new device. This is done for security purposes.


  • Strange activity on social media

When one notices bizarre activities on social media accounts, it may be due to SIM card hacking. These odd actions occur because scammers may use SIM swapping to access a person's social media profiles and use the stolen identity to defraud their friends or family members of money, or for any other reason.


  • Denial of access to accounts

Victims will not be able to access their accounts, since the hacker usually changes the login credentials as soon as he/she gets full control over an account.


  • Notification of bizarre bank activities

When one gets notifications regarding withdrawals, wire transfers, or purchases that one did not make, this may be due to a SIM swap, since the ultimate goal of SIM swap scammers is to access and gain from the victim's accounts and funds.


Steps to be taken if you get SIM swapped

The necessary steps[6] that are to be taken when your phone is sim swapped are given below:

  1. Call your cell phone company
    You must use someone else's phone or an internet-based calling service that does not require a number, such as Google Hangouts/Voice or Skype.
    Explain that your phone number was ported to a SIM card you don't control and try to estimate when this happened. Then ask your telephone company:
  • To turn off your phone number so it does not work at all
  • Whether the number can be transferred back to your SIM. They will probably require you to come in person to one of their stores, but there is no harm in asking.
  • For the agent's name and ID number, and the date and time of the call
  • For a case ID number or support ticket number
  • To keep all logs related to your account

The website where you can report a SIM swap scam: http://cybercrime.gov.in.


2. Suspend all your accounts

All your accounts should either be locked or frozen. Tell your bank that you want to freeze your account for a short time. To start with, make a list of the accounts you will want to secure first. Work your way down the list and put a hold on any account with potentially sensitive information. The fraudster could have changed your passwords, so if you are able to cancel an account through a phone call instead of logging in, do it.


3. Disable 2FA and beef up security

Change your settings and deactivate the 2FA feature for any account you have been able to sign into. Delete all recovery messages or phone numbers, too. Then change your password. Before and after you do anything, take a photo of everything that you are doing. If necessary, you will want a large number of records to share with law enforcement. For each account, replace the 2FA phone number with one that the attacker has no access to, and enable as many security features and notifications as possible. Take screenshots of all accounts which are connected to your ID and then remove them all. Make sure you secure your financial information.


4. Set up security features

You can set up the specific security features that are available to you at your bank, or at other services holding money and cryptocurrencies, such as PayPal. Make sure you do not link any bank accounts, withdrawal addresses, and credit cards. You must also remove all confirmed devices and log out of every active session.


5. Go back and review your accounts

Once you've stopped the bleeding a bit, go back through your accounts and look for anything unusual that you did not see the first time. Search for signs that the scammer penetrated your account or changed anything. Pull activity logs from each account as well.


6. Get in touch with your phone company

You should call your telephone company again to see if they have any news on your case or more information for you. In addition, talk about how to secure your account so that you do not become another victim of SIM switching.


7. Report it

You can help prevent this from happening to other people in the future by reporting an incident of SIM switching. In general, if you are in the U.S., local law enforcement will not be able to do much and so report it to IC3 instead.


What you need to know about preventing a SIM swap

In order to avoid[7] SIM swapping, you can take the following precautions:

  • Modify online behaviour: You should be careful of social engineering attacks, such as phishing emails that can be used by con artists to gain access to your personal data and impersonate you. To reduce the risk, you'll need to minimize your presence on the Internet.

  • Enhance account security: To enhance the security of your cell phone account, you will need a solid and unique password as well as questions and answers that are known exclusively to you.
  • Use PIN codes: Set up a unique PIN or password for your communications, so that you can add an extra layer of protection through the carrier. It's available through AT&T, Verizon and T-Mobile, but a PIN that can be changed is required. You should never use an obvious PIN, e.g., manager.
  • Create IDs without your phone number: Avoid using the phone number alone as the basis for authentication of identity and security, including SMS. It is vulnerable to SIM swap fraud and other attacks, and text messages are not encrypted.
  • Alerts: If this option is offered by your phone carrier, you should choose to be notified as soon as a SIM card has been reset on your account. If you use the internet for banking, retail, and other business purposes, look into providers that use behavioural analysis technology to detect compromised devices, and call-backs, so that identity thieves can be deterred.
  • Better two-factor authentication: The swapping of sim cards is often cited as a reason against two-factor authentication. However, that is not the case. In fact, the use of strong authentication and a security key to confirm physical validity provides a defence against SIM swapping fraud. Physical authentication is more secure than standard 2FA because it requires something you know, such as a password, plus something you have: a physical token. For a hacker to get access, he's going to have to physically take your token. 
  • Strong authentication: In the context of an MFA implementation, it is crucial to ensure that, at minimum, administrative functions are covered by NIST Assurance Level 2. This denotes both something you possess and something you know, such as a code or password, a push notification, or an OTP produced by a registered device. However, as previously indicated, it is crucial to note that some of these elements are far more secure than others. For the most essential assets, raise to NIST Assurance Level 3 when practicable. This refers to two-factor authentication (2FA) using a hardware-based cryptographic token, such as a FIDO key or smart card, coupled with something you know, such as a password. Strong authentication helps you establish confidence in your users' identities. If user identification and infrastructure are more reliable, social engineering attacks through SMS or telephone become less feasible.
  • Go phoneless: It is worth attempting to wipe out your phone number entirely, if possible, in the case of sensitive accounts. That may be a challenge at scale, but in some cases, it is necessary to reach high value objectives.





The role of social media in SIM swap fraud

When they attempt to carry out a SIM swap scam, scammers can get information about you from your social media[8] profiles, which might help them in impersonating you. Say the answer to your security questions is your mother's birth name or your high school mascot. A fraudster could find this information in your Facebook profile. However, there's some good news: you can also be alerted to being a victim on the Internet.


 For example, consider the famous case of SIM swap fraud against Twitter CEO Jack Dorsey. Once the fraudster gained access to Dorsey's mobile number, his Twitter account was hijacked. For the 15 minutes it took to regain control of Dorsey's account, the hackers continued to tweet offensive messages from his Twitter account.


 How did the hackers gain access to Dorsey's phone number? Somehow, they convinced Dorsey's phone company to essentially swap SIM cards and assign Dorsey's number to their own SIM card and phone. They then used the Cloudhopper text-to-tweet service, which allowed them to send their messages via Twitter.


SIM swap scams are on the rise

According to the Federal Bureau of Investigation, scammers are turning more often to SIM swap scams. According to the FBI, 1,611 cases of SIM substitution have been reported in 2021. Over $68 million has been lost as a result of these crimes. Between January 2018 and December 2020, the FBI received only 320 complaints about SIM swapping, which resulted in a loss of approximately $12 million for victims. The Federal Bureau of Investigation has warned that SIM card switching is becoming more of an emerging[9] fraud, which can endanger the individual identity and balance in your bank account. A number of reports have recently come to light, which show that tens of millions or billions of dollars were withdrawn from various accounts as a result of SIM swapping. The SIM exchange tool is becoming more popular with cybercriminals for its effectiveness and ease of use.


A recent instance of this fraud: a Tampa resident discovered in January 2022 that he was no longer able to use his Coinbase account, a service that allows users to exchange cryptocurrencies. The man later learned that he could no longer make phone calls or send texts using his smartphone, according to a report from WFTS in Tampa Bay. The man's phone number was taken by scammers, who also got his two-factor authentication code. After accessing his Coinbase account with this code, the con artists stole around $15,000 worth of cryptocurrency.
According to CNET, a comparable incident occurred with another victim the previous year. Apparently, after acquiring the victim's phone number, scammers gained access to his Coinbase account and used it to purchase Bitcoin worth $25,000 using the victim's two-factor authentication code.


Recent Legislative Development

Recently, the Department of Telecommunications issued a notification[10] on 14th November 2022 to all SIM service providers stating that when a new SIM card is issued in a case of swapping or replacement, then, in addition to the process to be followed for the same, the SMS facility, both incoming and outgoing, will be barred for a period of 24 hours. These instructions shall be implemented by all licensees within 15 days from the time of activation of a new SIM card. After implementation of these instructions, there will be a 24-hour gap before an offender can use the SIM to gain access to banking services, since any banking service, whether net banking or logging into UPI apps, requires an OTP: net banking requires it for login, and to log into UPI apps the user needs to send a message to activate the UPI ID. In the meantime, when the user is not getting any SIM network services, he has sufficient time to contact the service centre or customer support for help. If it is found that the SIM has been transferred in an unauthorized and fraudulent manner, prompt action can be taken, the fake SIM can be immediately cancelled, and potential fraud that might have occurred can be avoided.
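
The 24-hour window described above can also be enforced by the services that rely on SMS codes, and several of the warning signs listed under "SIM Swap detection" show up in their logs. The following Python example is added here and is not part of the original article or the notification; the log format, the event names and the availability of a SIM-change timestamp for each number are assumptions.

```python
"""Flag SMS-dependent account actions that follow a recent SIM change."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Mirrors the 24-hour SMS bar described above; enforcing the same window on
# the relying-party (bank) side is an assumption of this example.
COOLING_OFF = timedelta(hours=24)

# Hypothetical event names: actions that are only safe if the phone number
# is still controlled by the legitimate subscriber.
SMS_DEPENDENT = {
    "sms_otp_login",
    "sms_password_reset",
    "sms_otp_transfer",
}

# Constructed sample log: "<ISO timestamp> <account> <event> [detail]".
SAMPLE_LOG = """\
2023-03-01T09:00:00 acct-1001 sms_otp_login
2023-03-02T22:15:00 acct-1001 sim_change replacement-after-loss-report
2023-03-02T22:40:00 acct-1001 sms_password_reset
2023-03-02T22:47:00 acct-1001 sms_otp_transfer amount=15000
2023-03-02T23:00:00 acct-2002 sms_otp_login
2023-03-04T08:00:00 acct-1001 sms_otp_login
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str
    detail: str = ""


def parse_event(line: str) -> Event:
    """Parse one log line; reject lines missing timestamp, account or event."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        raise ValueError(f"malformed event line: {line!r}")
    detail = parts[3] if len(parts) == 4 else ""
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], detail)


def load_events(text: str) -> List[Event]:
    """Parse every non-blank line of a log."""
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def allow_sms_factor(last_sim_change: Optional[datetime], now: datetime) -> bool:
    """True if SMS may be trusted as a factor at `now`.

    `last_sim_change` is when the carrier last re-issued the SIM for this
    number (None if no change is known). SMS is refused inside the window.
    """
    if last_sim_change is None:
        return True
    return now - last_sim_change >= COOLING_OFF


def find_suspicious(events: Iterable[Event]) -> List[Event]:
    """Return SMS-dependent events inside the window after a SIM change."""
    last_change = {}  # account -> time of most recent SIM change
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sim_change":
            last_change[ev.account] = ev.ts
        elif ev.kind in SMS_DEPENDENT:
            if not allow_sms_factor(last_change.get(ev.account), ev.ts):
                flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in find_suspicious(load_events(SAMPLE_LOG)):
        print(f"HOLD {ev.ts.isoformat()} {ev.account} {ev.kind} {ev.detail}".rstrip())
```

A flagged event is a candidate for holding the transaction and stepping up to a factor that does not depend on the phone number, such as the hardware token mentioned in the prevention list.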






Case law

A Kolkata business person[11] was cheated out of over INR 72 lakh in an Internet SIM swap fraud. In connection with this case, two people were taken into custody. According to a report from Telegraph India, cyber criminals obtained access to the SIM cards of an Indian business person and transferred over 72 lakhs out of his bank account. The two were identified as Sanjib Haldar and Rajat Kundu. They were captured on the northern edges of Kolkata, at their homes in Dakshineswar and Sodepur. "They were involved in a SIM swap case that resulted in the loss of 73.42 lakhs to the victim," according to the police report obtained by this publication. According to a complaint filed in December 2022, the complainant had lost an amount of over 72.42 lakh in six unauthorised transactions through his post office business in West Bengal. After the investigation, it was established that thieves used SIM swapping to acquire the victim's SIM card and withdrew funds without his knowledge. This method is known as SIM swapping. First of all, the fraudsters create fake identity documents for their target. They then use that person's identification papers to report the loss of that person's SIM card to a police station. After making a general diary entry, they contact the telecommunications service provider with a request for a new SIM. "The old SIM card that is still owned by the holder will be blocked automatically when a new SIM card is issued," said an officer of the anti-bank fraud section. The victim had not raised any concerns about the blocking of his SIM in this case, since he did not know of it. The police want the public to be careful about their SIM cards and, if they think there has been some kind of scam, to inform the authorities as soon as possible.


Sanjib Haldar and Rajat Kundu were arrested for their involvement in the SIM swap fraud case by the Lalbazar Detective Department's Anti Bank Fraud Unit. The police have asked people to remain vigilant and not share their personal information with anyone so that such frauds don't happen. The police also recommended that people create a password for their SIM cards and not leave them unattended. In order to prevent such fraudulent activities, the police have reassured the public that they are taking appropriate action and tracking down other members of the group.






This article focuses on one of the most prevalent cybercrimes of recent days, i.e., SIM swap fraud, and deals with its working, detection, prevention, and recent legislative development regarding SIM swapping. Since SIM swapping is on the rise, necessary steps need to be taken by both government and private individuals to curb the SIM swap scam. The government should enact legislation and implement it as soon as possible. Awareness of the SIM swap scam should be created among consumers so that they can be protected from exploitation by fraudsters. An individual should never share OTPs, PINs, or any other codes received via SMS or another channel, and should never share account numbers or credit and debit card details on a public platform. Telecom companies like Vodafone-Idea Cellular and BSNL, which have weak security systems, should strengthen their security, including two-factor authentication and any other necessary requirements. If a person gets SIM swapped, he/she should report the case either to his/her card-issuing bank or to the nearest cybercrime cell. One can also send an e-mail to the cyber cell to report the case.



[1] Kim, M., Suh, J., Kwon, H. A Study of the Emerging Trends in SIM Swapping Crime and Effective Countermeasures. (n.d.) Retrieved May 8, 2023, from ieeexplore.ieee.org/abstract/document/9900510/

[2] SIM Swapping on the rise: Here's how to avoid being a target (July 13, 2020)


[3] M.J. Kelly, Mozilla explains: SIM swapping (April 07,2021), https://blog.mozilla.org/en/privacy-security/mozilla-explains-sim-swapping/

[4] What is sim swap https://www.yubico.com/resources/glossary/sim-swap/

[5] What is SIM swapping and how does the hijacking scam work? (January 05,2023) https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-sim-swapping

[6] SIM Swapping scams: How to avoid them and what to do if you get scammed https://whatismyipaddress.com/sim-swapping

[7] Anuradha Singh, What is SIM Swap Fraud & how to prevent it (June 18, 2020) https://indianexpress.com/article/technology/tech-news-technology/sim-swapping-how-to-avoid-being-a-target-8026237/

[8] What is sim swapping? SIM Swap fraud explained and how to help protect yourself https://us.norton.com/blog/mobile/sim-swap-fraud#

[9] What is sim swapping? SIM Swap fraud explained and how to help protect yourself https://us.norton.com/blog/mobile/sim-swap-fraud#



[10] Rahul Shamota, Sim Swapping frauds are at the surge in India;(December,06,2022) https://www.legalbites.in/topics/articles/sim-swapping-frauds-are-at-the-surge-in-india-359191

[11] Ankita Chakravarti; Kolkata businessman loses Rs 72 lakh in SIM Swap fraud, two arrested, here’s how you can stay safe (April 8,08,2020) https://www.indiatoday.in/technology/news/story/kolkata-businessman-loses-rs-72-lakh-in-sim-swap-fraud-two-arrested-heres-how-you-can-stay-safe-2357387-2023-04-08

