In cybersecurity, certain vulnerabilities arise not as a direct consequence of code porosity but due to systems that enable such walls to be manoeuvred. These vulnerabilities, called “architectural flaws,” form a large portion of cybersecurity threats in today’s world.
Imagine you spent a hefty sum of money purchasing a high-tech security door, bulletproof and lockpicking proof, but your house still got robbed. While astonished, you discovered the burglar had taken the keys from under the doormat where you left it. Now, what good did the new security door do?
According to G. McGraw, architectural flaws form as much as 50% of total security vulnerabilities present in internet systems. More recent studies show that architectural flaws have become more prevalent.
A good example of such a vulnerability was how any android phone could be reset without knowing the password or implementing hacking systems. The vulnerability existed due to access provided by the google keyboard to the OS, which enabled a person to access the phone setting without logging into the phone.
However, a particular architectural flaw emerges from the dependence on the SIM (Subscriber Identity Module) Card as the standard Identity verification means. The SIM has not changed much since the mini SIM card was developed in 1996; it has become the de-facto internet communication device, and over 7 billion SIMS are in use currently, according to Wikipedia. The card got smaller but maintained identical operations over the years.
Vulnerabilities Associated with Sim Card
The SIM card is the destination of nearly all reset and verification codes for emails, bank accounts, social media profiles, etc. What could happen if it was compromised or stolen?
Vulnerabilities Are More Prevalent in Developing Countries
SIM card attack scams have a higher impact in developing nations in Africa. According to the pcl. cybersecurity report, there were an astounding 32.8 million cyberattacks last year, with a 16% rise in Kenya.
In Nigeria, for example, the SIM Cards’ vulnerability has been made astronomical by the introduction of numerous identification numbers that could give details about any linked SIM. Identity keys like Bank Verification Number (BVN) and National Identification Number (NIN), and SIM Card Registration Data do not just increase security; they also increase the risks of a data breach.
If fraudsters obtain a SIM card used by a bank customer to receive alerts, the SIM can be used to carry out transactions such as withdrawal, airtime recharge, and loans.
According to Adeyemi et al., the fraudsters will first dial the code *xxx*xxx# to determine which bank the owner utilizes. They will also use the USSD (Unstructured Supplementary Service Data) code to discover the account balance. They will reset the PIN in order to gain access to the account, which will prompt you for your account number and birth date. Account numbers can be found via phone contacts, messages, or bank employees. Other information can be accessed by entering the BVN code *xxx*x#.
The fraudsters will then open an account with the bank of their intended victim and perform transactions. They can get a loan if the account lacks sufficient funds in it. They will open a “no-trace” account and transfer the funds there prior to conducting any transactions (Dan,2022). With someone’s BVN, the “no-trace” account is made. The transferred funds can be used to buy products online, deposit money into someone else’s account, or persuade an individual to assist with a cash withdrawal from an ATM or POS, according to a recently published paper by Ekeh G.E et al.
The problem with these kinds of identity numbers is that it comes with some perks that may not have been directly foreseen in their conception. Identification numbers within Nigeria should have their goals and functions so meticulously crafted that it becomes almost impossible to have unforeseen side effects.
In July 2013, Karsten Nohl, a security researcher from SRLabs, described vulnerabilities in some SIM cards that supported DES, which, despite its age, is still used by some operators. The attack could lead to the phone being remotely cloned or letting someone steal payment credentials from the SIM. Further details of the research were provided at BlackHat on 31 July 2013. It involved hackers copying the legitimate data of an active SIM into an empty SIM.
If the clone is successful, the new(clone) SIM will become active immediately after the original SIM goes off or restarts, and the hacker will have access to the victim’s calls and SMS messages.
According to Tru.id, SIM swap criminals stole more than $100million in the USA last year. Eight people from the UK and several from other European countries have been arrested in connection with a crime ring that targeted thousands of US victims in 2020.
SIM swapping, according to Norton, happens when scammers contact your mobile phone’s carrier and trick them into activating a SIM card that the fraudsters have. Once this occurs, the scammers have control over your phone number. Anyone calling or texting this number will contact the scammers’ device, not your smartphone.
It means scammers could potentially enter your username and password when logging onto your bank’s website, and the OTP will now be sent to the scammer. SIM swap has also recently been carried out on famous figures like Jack Dorsey.
Protecting Your Sim Card
The uncanny symbiosis of thieves and scammers with a common aim of stealing your money needs to be averted. So here are the remedies against having your account wiped using SIM access.
- Implement a SIM Card PIN: this is the most important security step. Make sure these scammers cannot access your SIM. When your phone is locked, and you have a SIM PIN, they have no way of accessing your SIM.
- Ensure Your Phone Has a Security Lock: This is an easy first step that is shockingly overlooked by many mobile users, especially the older generation, for ease. But leaving a phone without passwords, patterns, or PINs in the hands of malicious users is a calamity waiting to happen.
- Implement extra security on online accounts: Add a security question to your online account so that the passwords cannot be reset only by a verification code to your phone
- Do not use weak passwords: do not use easy-to-guess passwords, or date of birth as transfer pin (as the highlighted individual did)
- Implement transfer limits on your bank accounts. This is another crucial step. If you do not frequently perform huge transactions, reduce your daily limit to an amount that will not significantly reduce your account balance
- Hide notifications: On your android and IOS phones, ensure the content of your messages cannot be seen without unlocking your phone. This will protect sensitive messages such as OTP and Reset Pins from malicious individuals who also could be friends or family members with an intent to defraud you.
- Check apps’ permission to read permissions: Check your phone settings and remove applications access to read your messages, as spy apps use this android feature to upload your SMS to remote servers for hackers to access.
- In the case of SIM card loss, contact your network provider immediately for the SIM card to be deactivated instantly. This can be done with any other phone with the same Network Provider.
Individuals and companies of all shapes and sizes are grappling with increased attempts at social engineering and phishing, tactics that may seem unsophisticated but can lead to significant incidents. Education is the key to helping people and organizations better identify these threats and keep themselves protected. Employees of all levels need to learn the importance of protecting themselves and companies from “human exploits” and cyberattacks so that malicious individuals do not take advantage of weak links to perform their sinister enterprise. At Phillips consulting, we recommend that the fundamentals of cybersecurity awareness should be conducted in concordance with the unique architecture of the local internet system.
Cybersecurity and Training