SIM SWAP —

Police in Spain dismantle a SIM-swapping ring that drained bank accounts

Banks still use SMS for 2FA, much to the satisfaction of crooks.

Police in Spain dismantle a SIM-swapping ring that drained bank accounts
Getty Images

Authorities in Spain said they broke up a SIM-swapping crime ring that used identity theft and falsified documents and texts to target victims’ bank accounts.

In a press release, Spain’s National Police agency said it arrested eight individuals in connection with the operation, which began no later than last March. The suspects, the authorities said, posed as bank employees and used fake messages to obtain personal information and bank details of targeted individuals.

“With this, they deceived the employees of phone stores to obtain duplicate SIM cards and, in this way, have access to the bank's security confirmation messages,” the release stated. “In this way, they could operate in online banking and access bank accounts to empty them after receiving security confirmation messages from the banks.”

SIM cards are the fingernail-sized chips that are inserted into a specific piece of hardware—usually a phone—so mobile carriers can link it to a mobile account. SIM swapping occurs when a criminal tricks an employee of a carrier into replacing the legitimate card belonging to a targeted account holder with a new one that is assigned to the scammer.

SIM swapping is typically used to perform email account resets, which in turn allow the scammer to reset passwords for bank accounts and other online accounts. Scammers also use SIM swapping to complete two-factor authentication verifications for services that choose to use SMS text messaging rather than more secure forms of 2FA.

National Police agents began investigating the ring last March after receiving two complaints of fraudulent bank transactions in different geographical locations in the country. The two injured parties said their accounts had been accessed without their consent. Investigators eventually zeroed in on activity in Barcelona, where they said the criminals were laundering money stolen in the illegal bank transfers.

When the suspects obtained the victims’ SIMs, “the victims lost the coverage signal on their phones, since when activating the duplicate, it was immediately deactivated, leaving the line in the hands of those arrested,” the authorities stated. “The fraudsters [then] received the messages from the bank with the necessary keys to authorize transactions. For this, they used online banks from various European countries, and even on behalf of victims to make it difficult to trace and locate the money.”

SIM swapping has evolved into an increasingly prevalent form of crime. Over the years, it has led to a rash of thefts that has drained millions of dollars from cryptocurrency wallets and bank accounts. Many mobile carriers have few effective SIM-swapping safeguards in place, and even when they do—T-Mobile has a solution, for instance—attackers have been known to exploit loopholes.

An unexpected loss of network signal on a single smartphone (but not on others using the same carrier) is a possible sign of SIM swapping. Often, the victim has little time to effectively respond before accounts are reset and funds are drained.

Earlier this week, the FBI said that from January 2018 to December 2020, it received 320 complaints related to SIM-swapping incidents that resulted in adjusted losses of about $12 million. Last year, the FBI received 1,611 SIM-swapping complaints, with adjusted losses of more than $68 million.

Channel Ars Technica