Toronto businessman Randall Baran-Chong received a notification on his phone one night that his device was no longer in service. This was the first indicator of an attack that began with a simple SIM port attack – used to take over someone’s phone account and then use the newly ported number as the second form of authentication in an online credential compromise attack.
Baran-Chong had become the victim of an attack bent on accessing his email, bank accounts, credit cards, and anything else the cybercriminals responsible could find. And find they did… Baran-Chong had videos of himself engaged in sex acts with women on cloud storage – something that caused the scam to shift from a rather simple online identity theft to full-blown extortion, threatening to expose Baran-Chong if he didn’t pay up.
Attacks like this in Canada have led to calls for stricter porting rules to make it more difficult for cybercriminals to port a phone’s SIM to a criminal-controlled device. Currently, all that’s needed in some cases is little more than the phone number and the associated account number.
The real issue here for organizations is that, often, a user’s mobile phone is the device used for secondary authentication – whether via text, an app, or email, mobile devices are the medium by which multi-factor authentication is achieved. With control over this device, what a cybercriminal can do is nearly unlimited.
Organizations wanting to ensure the security of their accounts – and the systems, applications, and data those accounts can access – need to ensure their mobile carriers have strict policies in place that make porting difficult for the would-be scammer.
At the same time, what also puts the organization at risk is users like Baran-Chong – those who keep compromising photos, videos, and content that can be used to extort money, passwords, and access. Cybercriminals today are keenly aware of the business opportunities that extortion affords. Organizations should educate users through Security Awareness Training on secure online personal practices as well as good security hygiene – both at home and at work.