Mobile phones have transcended from just making calls to being used as a private vault. Nowadays mobile phones are used to store extremely sensitive data including authentication to corporate and personal emails and most especially banking credentials. A high proportion of bank customers now have mobile phone numbers linked with their bank accounts due to the availability of several alternate banking channels (eg USSD, Mobile Banking etc.). The risk is also heightened now that most mobile phones serve as a device for Multifactor Authentication to mostly banking transactions.
These mobile phones contain a small device called Subscriber Identity Module (SIM) which enables the transmitting and receiving of the signals to and from the network provider.
In recent times, the financial industry has experienced a surge in SIM Swap and SIM Cloning related fraud
SIM Swap VS SIM Cloning attacks.
SIM swap is achieved by convincing the mobile phone provider representative to switch an active SIM card to a new one. This process legally exists to assist mobile users with damaged or stolen SIMs. However, fraudster have capitalized on the ease of making SIM Swap request to transfer control of the victim’s mobile number in a bid to defraud. SIM swap has been the preferred SIM fraud attack due to its ease of execution with little or no technical approach.
SIM Cloning, on the other hand, is a far more technical approach to SIM fraud attacks as the victim might not even be aware of such attack. SIM cloning attack uses a software to outrightly duplicate the victim’s SIM. This method does not require calling any mobile phone provider representative, but however requires physical access to the original SIM.
In Nigeria, SIM Cloning is seldomly focused on as a type of SIM fraud and as such this article will attempt to demystify this particular type of SIM fraud.
In this article, I will be sharing my research work on SIM cloning while highlighting the dangers which has been prevalent and responsible for several fraudulent banking transactions.
I will also be giving tips on how to protect against these illegal practices.
A SIM card is simply a smart card, which has the following
- Microprocessor which is majorly used for cryptographic processing
- Read Only Memory (ROM) used to store the SIM program
- Random Access memory (RAM)
- Storage and file system to store sensitive system data on the SIM amongst others.
Sensitive files found in a SIM Card
As earlier said, a SIM card has a file system made of directories that store sensitive data. This data contains information about the secret keys (Cryptography) used by the phone to connect to the mobile network. These secret keys are critical and hence remains the data of choice for the malicious attacker. Let’s have a quick look at the sensitive files that can be found inside a SIM
· International Mobile Subscriber Identity (IMSI): This stores a unique and encoded 15-digit number. This data is used to identify the user on the mobile network. Let us use this fictitious IMSI number as an example IMSI: 621308081234567.
The IMSI is broken down into several digit groups which can be seen below:
o The first three digits correspond to the Mobile Country Code (MCC). This identifies the country of origin of a mobile network operator. Using the example, the MCC is 621 which corresponds to Mobile operators in Nigeria.https://en.wikipedia.org/wiki/Mobile_Network_Codes_in_ITU_region_6xx_(Africa)#Nigeria_-_NG
o The next two or three digits constitute the Mobile Network Code (MNC) which identifies the mobile network operator. Using the example, the MNC code is 30 which corresponds to MTN Nigeria.
o The last nine or ten digits comprise of the Mobile Subscriber Identification Number (MSIN). This number is used by the mobile phone operator to differentiate mobile phone subscribers. In the example the mobile phone subscribers’ number is 8081234567
· Mobile Subscriber Integrated Services Digital Network (MSISDN): This is the standard subscriber mobile number used to make or receive calls. An example is 2348081234567
· Individual subscriber’s authentication key (Ki): This file stores the cryptographic key used by the SIM for authentication.
· Authentication algorithm: This file stores the algorithm that uses the authentication key (Ki) to generate a cryptographically signed response.
How the SIM is registered on a network
Before a SIM can be operational, it must be connected to a mobile network provider which of course would authenticate the SIM card before connection.
Outlined below are the authentication steps
- On startup, the phone obtains the International Mobile Subscriber Identity (IMSI) from the SIM card and relays it to the mobile network.
- The network provider takes the IMSI and looks in its database for that IMSI’s known authentication key also called “Ki”.
- The network generates a random value say RAND, and signs it with the authentication key to create a new value say AUTH1. This is the response it would expect if the SIM card is legitimate.
Interested in information technology risk? check some helpful information here
- The phone receives the random value RAND from the network and forwards it to the SIM card, which signs it with its own authentication key to create a new value, AUTH2. This value is relayed back to the network.
- If the network’s value AUTH1 matches the SIM card’s Value AUTH2, then the SIM card is declared legitimate and access is granted by the network provider.
What can be done with a cloned SIM?
- Access to victim’s bank account. Many banks will send you a code to log into an account or password reset to a mobile phone via SMS. This means an attacker committing SIM fraud can request and receive the code with the aim of accessing your bank account.
- Access to the victim’s email via password reset request
- Outright Impersonation of a corporate entity where the fraudster gives payment instructions on behalf of the victim to fraudulent accounts.
Scenario 1
- A customer made a complaint to a bank when she discovered that her account was unfunded upon attempting to make a withdrawal. Upon investigation, it was discovered that the transactions were all made via USSD banking which was registered on the day of the theft. Incidentally, the customer neither requested for any USSD banking service nor used it before now. The Customer however informed that she had a problem with her mobile phone and sent it for repairs the day before the fraudulent transaction started. The repair man was arrested and upon interrogation he eventually admitted that he removed the customer’s SIM and gave it to Mr. X who paid him a fee to use the SIM and return latter. It was eventually discovered that Mr. X did the following:
- Cloned the SIM,
- Used the SIM to obtain the BVN number via the USSD short code
- Sent the BVN number to his accomplices in various banks who would look it up and provide the account number.
- He would then attempt to enroll the customer on USSD banking service, obtain the transaction pin and start performing transactions.
Scenario 2
- A customer of bank A, who is a farmer, complained that his mobile phone suddenly lost network. He went to the nearest customer care center of the mobile network provider only to be told that his SIM had been swapped. Confused, he asked for the culprit as he could not recall requesting for a SIM swap. He was told his SIM was currently been used in another state. Shocked, he requested the SIM be blocked and re-swapped. The request was obliged, and he was asked to wait for 24hrs for the SIM to be activated. Immediately the SIM was reactivated, the man started receiving unauthorized transaction alerts. By the time he got to the bank to request for his balance, he had lost almost N3million. It was discovered that the fraudster took advantage of the ignorance of his victim as he was a farmer who was not enlightened on the bank’s various alternate channels, and thus never enrolled for Internet banking service. It is pertinent to note that the farmer had earlier patronized a local charging booth to charge his mobile phone.
The Fraudster did the following:
- Gained access to his SIM and cloned it before he came back for his charged mobile phone.
- Enrolled for internet banking on his behalf.
- An authentication token was sent to the fraudsters mobile phone since the SIM mobile number registered with the bank had already been cloned.
- Fraudster made numerous transfers until line was retrieved by its rightful owner.
The network provider could not provide the culprit who perpetrated the unauthorized sim swap
How is a SIM Cloned
As said earlier, SIM cards contain two important data which are:
· International Mobile Subscriber Identity (IMSI)
· Authentication Key (Ki).
These data enable the network provider to identify the mobile number and authenticate the customer.
Since the operator authentication on the SIM is based on the (IMSI and KI), The main objective of the attacker is to extract these data from the original SIM then re-program into a new blank SIM card. This misleads the mobile operators into thinking that it is the original SIM.
I discovered in my research that not every SIM Card can be cloned and I will shed more light on this.
When a network operator buys blank SIM cards in bulk, the SIM card manufacturer gives the provider a transport key also called an issuer key. This key is needed to perform any operation on the cards which includes activating the cards.
The Network operators then formats the cards, creates the needed files, assigns the mobile number and PINs, then the SIM cards is ready for sale.
The SIM card’s issuer key which is a cryptographic key which is needed to access the SIM card and clone it. This key kept secret by the mobile network operator.
Unfortunately, the algorithm used to generate the issuer key has been eventually exposed.
SIM cards are manufactured based on three algorithms
- COMP128v1
- COMP128v2
- COMP128v3.
These algorithms are used to generate the transport key (issuer key).
Currently only SIM cards using the COMP128v1 algorithm can be cloned, since this is the only algorithm that has been compromised and exposed.
Sadly, most of the SIM cards issued by the mobile network providers in Nigeria use the compromised COMP128v1 algorithm on issued SIM card
Requirement for SIM Cloning
- Blank Programmable SIM Card. This can be easily purchased online for a very cheap fee
- A SIM Firmware Reader/Writer
- Special SIM probing/cloning applications
- USB SIM Card Reader Application
- Access to target victim’s SIM for about 15 to 20 minutes
Now as said earlier this should even not be possible by anyone other than the Network Provider if not for the compromised COMP128v1 algorithm that was exposed.
It should however, be noted that this technique of SIM cloning is also used legally by Forensic Investigators.
Prognosis
The following was observed on the execution of a successfully cloned SIM.
- When anyone calls the target victim, both mobile phones will ring, the same will happen in the case of SMS, however only one mobile phone can pick up the call at a time.
- If two calls are made at the same time, one will connect while the other will terminate.
- Both phones will get the same messages (text, voice) also, both will receive the same calls, but only one can be used at a time.
How to protect against Sim Cloning
As an individual
- Be careful where you keep your mobile phones. Nowadays, the incentive from a stolen phone is no longer derived from its sale but rather it’s content. Phone thieves have gradually found out that there’s more money to make from a sim than an actual phone. Protect your sim card.
- When taking your mobile phone for repairs, ensure you remove your sim as it takes just about 30 min to clone your sim card without your knowledge.
- Do not allow your SIM to be used in a phone you do not trust. Mobile applications now exist that can extract the data needed for SIM cloning.
- Have your SIM locked with a PIN. This will prevent access to the international mobile subscriber identity (IMSI) and Authentication key (Ki) which are vital for SIM cloning. This is a feature that already exists on all SIMs. For more details on locking a SIM, the respective mobile network provider should be contacted.
As a Financial Institution
- Massive sensitization should be done to educate customers on the existence of SIM cloning and the benefits of locking a SIM with a PIN.
Remember, that to clone a SIM card requires physical access to the SIM. Thus, the ultimate protection is to ensure your mobile phone or SIM card does not get in the hands of persons you do not trust.
Banner captured from Amazon store