As a successful, trusted commercial mortgage originator, you take security seriously. You’re careful and authenticate your communications — maybe you even encrypt them. You enable multifactor authentication so that users not only have to enter an ID and password to access their accounts but also receive a unique, one-time text message to a predefined phone number with a code they must input.
Despite this, you or your client may still be victimized by hackers who have taken over a cell phone through subscriber identity module (SIM) swapping attacks. These attacks can swap a person’s phone number to a new device, giving them a “key” to unlock accounts — even those that are protected by multifactor authentication.
Why it matters
During a SIM swap attack, all data, account access and authentication mechanisms on the phone become available to (and essentially owned by) hackers. These attacks are usually preceded by a phishing scam to gain access to a victim’s account data, or they can occur as a result of compromised online data that’s been sold or published for hackers to find.
One of the first things hackers do when they SIM swap a phone is reset passwords to the victim’s email accounts, bank accounts, cryptocurrency accounts, social media accounts and other platforms. Then they quickly reset the default email addresses to an email of their own. Since all of these accounts use text messages to “authenticate” the password reset, the hacker can take over the victim’s life by taking over their phone. Meanwhile, the hacker has access to all of the victim’s accounts. Worse, the victim has lost access, is locked out and has almost no ability to recover.
The problem of SIM swapping is growing. Recently, the FBI issued an advisory indicating that the Internet Crime Complaint Center (IC3), its conduit for cyber complaints, received 320 reports of SIM swapping with about $12 million in losses from 2018 through 2020. In 2021 alone, IC3 received 1,611 SIM swapping complaints with losses adding up to more than $68 million.
How it works
SIM swappers target vulnerabilities in the way we set up and establish cell phone accounts. Either through service providers (T-Mobile, Verizon, AT&T, etc.) or third parties (Apple, Best Buy and other affiliates), SIM swappers trick (or bribe) these companies to link the hacker’s phone to the target’s phone number. This allows the hacker to send and receive phone calls and text messages as if they were the actual subscriber, and it also gives them access to any user IDs, passwords and other account access codes stored on the SIM chip.
Hackers have increasingly used various social media and other tools to target cryptocurrency investors and traders, as well as those who have high net worth. They also target the residential and commercial real estate markets.
The Federal Trade Commission has issued advisories to consumers about ways to prevent and detect SIM swaps. Banks, other lenders and crypto exchanges also have become targets of victimization. When accessing bank, lender or crypto accounts, the hackers can issue payment or payout instructions to transfer funds. Even if an institution has implemented multifactor authentication, the hacker can gain access and inject themselves into what appears to be a legitimate transaction.
Current federal law requires mobile carriers to allow service subscribers to port phone numbers to a new SIM card, and carriers may soon be required to quickly respond to these requests. But because of the rise in SIM swapping scams, the Federal Communications Commission has proposed requiring carriers to add additional security features, such as the use of preestablished passwords, before porting numbers.
Liability and protection
While multifactor authentication is recommended for federally supervised financial institutions and their subsidiaries under federal guidelines, the experience with SIM swapping demonstrates that a simple text message to the subscriber may not be “commercially reasonable.” For entities that rely on these financial institutions, such as mortgage brokerages, closing attorneys, etc., the law is not as clear.
These institutions can establish even stronger authentications, such as non-text multifactor authentication. Mortgage lending applications, transactions and accounts can be designed and configured to authenticate an end user in ways that don’t rely on text messages. Examples include an authenticator app, a hardware token (which generates random codes), or a fingerprint or facial biometric.
Companies also can institute a voice-based authentication in which they call the client and obtain authentication with a passphrase or code word. (Remember, hackers may have taken over the client’s phone.)
Insurance and education
Anyone who participates in real estate transactions should examine their insurance policies to make sure they have coverage for fraud and theft committed through the use of stolen credentials or identities. Be sure there are no cyber exclusions and that these policies cover this kind of fraud.
Most importantly, brokers should educate borrowers and referral partners about the problem. They also should provide clients with helpful tips to prevent or mitigate their exposure to SIM swapping exploits, such as keeping their personal information private, practicing good digital hygiene and avoiding social engineering scams.
One thing is for sure: SIM swap crimes are not going away anytime soon. New authentication methods will be necessary for the foreseeable future. ●