How the Phone Porting Scam or Fraud Works?
The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organized crime groups, via social engineering or by obtaining the information following data leaks. Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.
After that the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; all the services that rely on an SMS or telephone call authentication can then be used.
The processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.
If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.