How to protect against SIM card spoofing attacks?

Author: Cobo Vault security trainee

In September 2019, the network security company Adaptive Mobile discovered a serious vulnerability "Simjacker" in the SIM card. Recently, the company announced a list of countries vulnerable to Simjacker attacks, including 29 countries on five continents.

What is SIM card fraud?

What is SIM card fraud?

secondary title

How SIM Fraud Attacks Steal Your "Money"

We already mentioned the ways scammers get cloned SIM cards before. Fraudulent assets are often one of the main goals of attackers. In today's payment environment and account security environment, 2FA verification is often achieved through SMS verification codes, which also relies on the relatively complete real-name system in China. After gaining control of someone else's SIM card, the attacker can further obtain personal privacy information through similar icloud or email. Just ask, have you saved a photo of your personal ID card or driver's license in your mobile phone? These photos or information may have been silently submitted to your cloud storage account by a certain cloud software. After the attacker has completely collected this information, it can be used to withdraw your personal account assets; or simply use your identity information to obtain loans from multiple online lending institutions.

What's even more frightening is that the attackers don't need identity information at all because most users are trying to save trouble or don't understand basic security transaction knowledge. Only the mobile phone number, SMS verification code and password are needed to complete a series of steps such as transaction, withdrawal and issuance.

If your mobile phone suddenly loses signal in the usage environment and lasts for a long time, you must be more vigilant.

After multiple reboots to no avail, he contacted his local mobile operator, only to learn that the SIM card had been reported as "lost or stolen" and asked the author to activate it on another SIM card.

After multiple reboots to no avail, he contacted his local mobile operator, only to learn that the SIM card had been reported as "lost or stolen" and asked the author to activate it on another SIM card.

secondary title

1. Never use weak passwords

1. Never use weak passwords

After the attacker has your SIM card, you are only one step away from entering your PIN to withdraw money. So if you are using weak passwords, or passwords related to personal information, the last line of defense will be breached.

Do not use SMS verification codes as 2FA verification for your transactions!

In the current payment and transaction environment, some security precautions have applied IMEI identification technology. Every time a user logs in and makes a transaction, the system will verify whether the current IMEI is the device that has been logged in before.

3. Important accounts use 2FA verification similar to Google Authenticator

Do not use SMS verification codes as 2FA verification for your transactions!

Do not use SMS verification codes as 2FA verification for your transactions!

Do not use SMS verification codes as 2FA verification for your transactions!

4. You can consider using a cold wallet as the last line of defense to protect "coins".