Front Page: NCSC-FI

Electronic SIM provides criminals with a new mode of attack

Information security now!

‘SIM swapping’ has been an international topic of conversation for some time already. The scam usually starts with a phishing message, which may come through any application or communication channel. The aim is to obtain the victim’s personal information, which the criminal can then use to ask the operator to transfer the subscription to another SIM card.

Once the criminal has control of the victim’s mobile subscription, any messages and calls to the subscription are forwarded to the criminal’s phone. This way, the criminal can accept two-factor authentication or change passwords, for example, as the confirmation messages and phone calls come directly to the criminal. In addition to gaining access to accounts, the criminal can take out instant loans or shop online while using the victim’s identity, which may cause significant financial damage to the victim.

The misuse of eSIMs is a separate problem. An online criminal can take over a victim’s mobile subscription by registering it on an eSIM in a device the criminal controls. To activate an eSIM, the user must request a QR code by email and scan it with the device on which the subscription is to be activated. If the criminal knows the victim’s phone number and has access to their email or the required QR code, they can hijack the subscription and use it themselves.

The original article was published on 4 July 2023 in Finnish.