It's like Invasion of the Body Snatchers - for smartphones.
At wireless carriers such as AT&T, a new hacking threat has emerged involving the illicit swapping of SIM cards, the plastic chips that authenticate customers on mobile networks. Criminals call users and impersonate the companies to glean personal information, which they use to hijack the chips and customer accounts, paving the way for online banking fraud and international calling theft.
The scam represents a growing threat to the global telecommunications industry, which is projected to lose US$46.3 billion to fraud this year, or about 2 per cent of total revenue, according to the United States-based Communications Fraud Control Association. Account takeovers such as SIM-card switches are one of the most common types of fraud, and may rack up US$3.6 billion in losses this year, almost triple the amount in 2011, the association estimates.
"Attackers are definitely getting more advanced," said Lawrence Pingree, a mobile-security researcher at Gartner. "It's almost like stealing at a bank - going right in and doing it in person. It's very personal."
Like fraud attempts known as phishing, the SIM-card attacks start with a phone call or e-mail designed to elicit personal data from the wireless customer. The attackers do their homework in advance, researching victims' names and addresses and creating convincing stories. Once they have extracted sensitive details, such as social security numbers, they call the wireless providers and request to have the victims' SIM cards switched to new devices. The victims' phones go dead and the hackers' devices light up.
Scams against wireless carriers often involve stealing service for international calling. Having access to SIM cards also lets criminals intercept security codes sent through text message for online banking and other services, making more sophisticated identity theft possible.
SIM-card fraud was in its infancy and would become more prevalent as access to wireless networks expanded worldwide and people used smartphones more as their primary computing devices, said Marc Rogers, principal security researcher at Lookout. "It will evolve into something bigger," he said. "At the moment, you have some guys getting a low to medium yield with some tricks, and it will dawn on them they could do more."
The challenge for wireless carriers is distinguishing between a legitimate SIM-card swap and a fraudulent one. Customers switch SIM cards all the time when they upgrade phones, and with the right information, a scammer can complete the process over the phone in minutes.
AT&T said the scam affecting its network was being driven by groups selling the stolen cellular services online. "We're working to educate our customers on how to protect their information," the company said.