Forem: Alvaro Navarro

What Is a SIM Swap Attack, and How Can You Prevent It?

Alvaro Navarro — Thu, 17 Oct 2024 15:37:30 +0000

A SIM swap attack is an example of fraud in which someone tricks a mobile phone carrier into transferring or associating the victim’s telephone number with a SIM card used by the attacker. When the criminal controls the victim’s phone number, they can easily intercept SMS and voice messages.

In this article, we’ll learn how SIM swap attacks can severely compromise sensitive accounts and information. Knowing the risks and taking preventative measures may help reduce their impact.

How SIM Swap Works

The attack begins by gathering personal information about the targeted person, such as names, addresses, phone numbers, account information, and sometimes even passport or ID details. This data can be obtained through different means, such as phishing attacks, social engineering, or directly from the information the victim shares on social media.

After obtaining the personal information, the attacker contacts the mobile network provider to convince them to transfer the victim’s number to a new SIM card.

Once the network provider transfers the phone number to a new SIM card, the victim’s phone loses its services while giving attackers all necessary controls. The attackers acquire the ability to reset passwords of online accounts that depend on such phone number for account recovery or two-factor authentication.

Consequences

If the attacker gains control over your phone number and, by extension, the accounts and services attached to that number, the consequences can be extremely severe.

Bank account access. An attacker who gains access to your bank account through password resets or one-time passwords sent via SMS might wire money out of your account, make unauthorized payments on your behalf, or sometimes even apply for loans you don’t need.
Identity theft. The attacker may access personal information stored in your email, social media, or other online accounts, which could be used for further identity theft or sold on the deep web. You could face legal issues if the attacker uses your identity for illegal activities.
Account takeover. By changing passwords, the attacker can lock you out of your email, social media, and other important accounts. The loss could be permanent if the attacker deletes data, such as emails, contacts, or social media posts, especially if you don't have backups.
An attacker could invade your privacy by reading your text messages, listening to your voicemails, and even pretending to be you in calls or messages.

Dealing with a SIM swap attack can be a real hassle and take up a lot of time. You'll need to regain access to your accounts, keep an eye out for identity theft, and possibly recover any lost money or data. The effects aren't just about the financial or privacy issues; it can also take a toll on your emotional health and personal relationships.

How to Identify a SIM Swap Attack

Reducing the impact of this kind of attack can be obtained through early detection. If you see any of these signs, it could mean that your phone or number was involved in a SIM swap attack:

The most common sign of a SIM swap attack is the loss of cellular service. Your phone may no longer make calls, send texts, or access data as it used to. You might see messages like “no sim card” or “emergency calls only.”
You notice unusual activity in your account, such as changing passwords, adding new devices, or changing security settings. Another red flag could be unfamiliar transactions or withdrawals from your bank account.
Unable to access your accounts, even if you use the correct credentials, could mean an attacker has already changed your password.

What to Do if You're a Victim of a SIM Swap Attack

If you notice any of the signs described above, it's essential to act quickly:

The first thing you should do is contact your mobile network provider immediately. Inform them of the situation and ask them to restore your number to your original SIM card. If possible, ask them to secure your account with additional measures, like a PIN or password.
It is very important to report the incident. Notify your bank or credit card company, and consider reporting the incident to local law enforcement and a fraud reporting agency. This will help to avoid potential legal consequences if attackers use your identity for illegal activities.
Update the passwords for all important accounts, especially those linked to your phone number. Review the security settings of your accounts, remove any unfamiliar devices, and check for unauthorized changes.
Monitor financial accounts. Check your bank accounts and credit card statements for suspicious activity.

How to Prevent a SIM Swap Attack

We can take several measures to prevent a SIM swap attack:

Contact your mobile carrier to request to set up a unique PIN or password that must be provided before any changes can be made to your account, including SIM swaps.
Always use strong passwords: Avoid using easily guessable passwords. Using a password manager is always a good idea, so you don’t have to remember passwords anymore.
Enable two-factor authentication (2FA) methods that don't rely only on SMS, such as email, authentication apps or hardware tokens.
Change your online behavior. Everything you post or share on the Internet could be used to launch an attack. Avoid disclosing personal information such as birth date, address or phone number.
Be careful with phishing scam messages or calls requesting your personal information. Always verify the source before providing any details.
Secure your mobile device. Unlock your phone using a PIN, password, fingerprint, or facial recognition. This helps prevent unauthorized access if your phone is lost or stolen.

These steps can significantly reduce your chances of falling victim to a SIM swap attack. While nothing is entirely foolproof, using strong authentication, keeping a close eye on your accounts, and following secure practices can make it much more challenging for attackers.

How Can Companies Protect Their Users?

If your company relies on users’ phone numbers for activities such as two-factor authentication (2FA), password resets, or login processes, you can improve security and reduce fraud using APIs like the Vonage SIM Swap API.

The SIM Swap API helps to mitigate account takeover risks by checking if the SIM card linked with a phone number has recently changed. This is particularly useful for identifying suspicious activity before sending an SMS during the two-factor authentication (2FA) process. If a recent SIM swap is detected, you can, for example, switch to an alternative verification method, such as email.

Get in Touch

Is your company using the phone number for any account activities? How do you ensure sending them an SMS when resetting passwords is safe? We’d love to hear your feedback! Join us on the Vonage Community Slack or message us on X, and we will get back to you.

Thanks for reading!

Getting Started with SIM Swap API

Alvaro Navarro — Fri, 09 Aug 2024 14:26:16 +0000

Introduction

This blog post will help you understand the SIM Swap API and guide you through making your first API call. Please note that this API is currently in beta, so some features may change as we continue to improve it.

What is SIM Swap API?

The SIM Swap API allows developers to determine if the SIM card linked to the phone number has recently changed. The API includes two endpoints to answer the following questions:

Has a SIM swap occurred during the last X hours?
When did the last SIM swap happen?

SIM Swap API belongs to the new Vonage Network APIs, a new collection of APIs based on the CAMARA standard that exposes developers to the network capabilities of mobile carriers (e.g., Telefonica, Deutsche Telekom, or Vodafone). These mobile carriers are also known as Communication Service Providers (CSPs).

Why SIM Swap API?

SIM swap fraud is considered one of the biggest threats because it grants attackers control over a victim's mobile phone number. Here are some of the most common risks:

Identity theft. Attackers can use SIM swapping to impersonate the victim's identity as they gain control over the victim’s phone number.
Account takeover. Many online accounts, including email, social media, and financial accounts, use phone numbers for two-factor authentication (2FA) or account recovery. By swapping the SIM card, attackers can intercept authentication codes sent via SMS and gain unauthorized access to the victim's accounts.
Financial fraud. Once attackers access the victim's accounts, they can conduct various forms of financial fraud, such as transferring funds, making unauthorized purchases, or taking out loans in the victim's name.
Privacy violation. Attackers may access personal communications, contacts, and other sensitive information stored on the victim's devices or accounts.

One of the primary purposes of the SIM Swap API is to provide an assessment of fraud risk by identifying SIM swap events. Integrating the SIM Swap API can complement various scenarios, including:

Adding a risk factor/fraud score to an individual
Strengthening traditional 2FA method based on recent events reported by SIM Swap API
Monitoring fraudulent activity on customers' phone numbers
Regulatory compliance can require checks against SIM Swap

Prerequisites

To follow this tutorial and make your first API call, you’ll need the following:

A Vonage account. You can create a new account if you don’t have one.
To access the network APIs, you need a business and application profile approved by the CSPs. The Introduction to the Network Registry post will guide you through the process.
We will use cURL to make API calls. You can install it from cURL download page using your favorite package manager.

Create New Application

Let’s start by creating a new application with the capabilities of the Network APIs. The Vonage application contains the credentials needed to make API calls. Once your submission is approved by at least one of its CSPs, you can link it to one or more Vonage applications to start using the Network APIs.

Warning: Remember that application credentials are secret and for personal use only. Do not share them with anyone.

Go to "Applications" under the "Build & Manage" menu and click on the "Create a new application" button. Follow these steps:

Give a name to your application.
Click on "Generate public and private key," as you’ll need this during the authentication process. A new public key will appear in the text box. Your browser will automatically download the private key.
Under the capabilities section, enable "Network APIs" and select the business profile and the application profile you have previously created. Since SIM Swap API does not require Redirect UI, you can leave this field blank.

Once finished, click "Generate new application".

Make your First API Call

Authentication

Vonage API calls require a valid access token, a credential used to authenticate and authorize access to the APIs. To create an access token, you'll first need to authenticate yourself using a JWT, a compact and self-contained JSON token.

To generate a JWT, you can use our online generator:

Copy and paste the private key that was automatically downloaded to your browser.
Copy and paste the application ID, which can be found under the application you created in the previous step.
Set a valid period of the JWT. For this example, we’ll establish a valid time of 1 hour.
Leave ACL and the rest of the checkboxes empty.

The JWT will appear on the right side of the screen. Copy the JWT token and send a POST request with the following headers and body:
curl --url https://api-eu.vonage.com/oauth2/bc-authorize \ --header 'Authorization: Bearer '"$JWT"'' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'login_hint='"$MSISDN"'' \ —-data-urlencode 'scope='"$SCOPE"''

Where:

$JWT is the recently created JWT.
$MSISDN is the phone number you wish to check (e.g. +34677123456)
$SCOPE corresponds to the purpose for which you are calling the API. Since we want to check if a SIM card was exchanged, let’s set this to this string value: "dpv:FraudPreventionAndDetection#check-sim-swap"

If everything goes well, the authorization server will return a response similar to this:
{ "auth_req_id": "arid/baad1320-93b9-4e28-a449-123445678", "expires_in": 120, "interval": 2 }

The response includes the expiration time (in hours) and the auth_req_id, which we’ll use in the following API call to generate the access token:
curl --url https://api-eu.vonage.com/oauth2/token \ --header 'Authorization: Bearer '"$JWT_AP"'' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'auth_req_id='"$AUTH_REQ_ID"'' \ --data-urlencode 'grant_type=urn:openid:params:grant-type:ciba'

The OAuth2 server should return a response like this, containing the access token:
{ "access_token": "hbGciOiJSUzI1NiJ9.eyJpYXQiOjE3MTM3OTI2NzAsImV4cCI6MTc", "token_type": "Bearer", "expires_in": 3600, }

SIM Swap API Call

We are ready to perform our API call to SIM Swap API with the access token. According to the API reference, the API contains two different endpoints:

Check whether a SIM card was exchanged.
Retrieve the date when the last swap was performed.

Let’s start by checking if our SIM card was swapped. Send a POST request with the following fields in the body in JSON format:

phoneNumber: this is the phone number we want to check. It should match the phone number used during the authentication step.
maxAge: corresponds with the maximum number of days we want to check if the SIM was swapped.

curl --url https://api-eu.vonage.com/camara/sim-swap/v040/check \ --header 'Authorization: Bearer '"$TOKEN"'' \ --header 'Content-Type: application/json' \ --data '{"phoneNumber": "'"$MSISDN"'", "maxAge": "72"}'

The endpoint will return a boolean indicating whether a swap was performed on the given phone number:

{ "swapped": true }

Given that the endpoint has returned true, let’s find out when the swap was performed. To do so, we need to retrieve a new token as the scope of this second call -retrieve- is different from the previous one -check-:

curl --url https://api-eu.vonage.com/oauth2/bc-authorize \ --header 'Authorization: Bearer '"$JWT"'' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'login_hint='"$MSISDN"'' \ —-data-urlencode 'scope='"$SCOPE"''

Where $SCOPE should be pointing to:
"dpv:FraudPreventionAndDetection#retrieve-sim-swap-date"

With the new access token, we are ready to make the API call to the retrieve-date endpoint:
curl --url https://api-eu.vonage.com/camara/sim-swap/v040/retrieve-date \ --header 'Authorization: Bearer '"$TOKEN"'' \ --header 'Content-Type: application/json' \ --data '{"phoneNumber": "'"$MSISDN"'"}'

Finally, the endpoint will return a timestamp containing the exact moment when the SIM card was swapped:
{"latestSimChange":"2024-02-24T01:43:31Z"}

Conclusion

SIM Swap API allows developers to determine if the SIM card linked to the phone number has recently changed, offering an additional layer of security in environments when having an uncompromised phone number is crucial: recovering your account, confirming bank transactions, or accessing your private data.

If you have further questions, contact Vonage Community Slack or message us on X.

Read further

You can also learn more about the SIM Swap API in our Developer Documentation.

Introduction to the CAMARA Project

Alvaro Navarro — Mon, 10 Jun 2024 14:16:03 +0000

In our previous article Announcing Vonage Network APIs, we introduced the idea of the new APIs have been built following the CAMARA standard. In this article, we'll delve deeper into the CAMARA project to understand its implications and what it means for the telecom industry.

What is CAMARA?

Imagine this: the giants of telecommunications and technology, assembling like The Avengers, to establish a new standard aimed at harmonizing and exposing new network capabilities to create a seamless user experience. Say no more. Welcome to CAMARA!

CAMARA is an open-source project within the Linux Foundation that hosts the API standards and develops and tests the APIs. The project collaborates closely with the GSMA Operator Platform Group to align API requirements.

The name CAMARA originates from the Greek word for "arched roof," symbolizing the collaboration or alliance of multiple entities under one vision.

How Does it Work?

The members (participants, coordinators, contributors, etc.) of the CAMARA project are organized into subprojects and working groups. Although it may sound similar, there are some differences.

Subprojects

A subproject is where topics related to each API are discussed, including how to document and describe the API or develop and test it. Some examples of subprojects include SIM Swap, Device status, or Number Verification.

Members of each subproject meet virtually from time to time and organize their work around a GitHub repository and a mailing list. All repositories contain the same structure, making it easy to find information:

The documentation/MeetingMinutes folder stores all minutes from previous meetings, during which decisions about the API's behavior are made.
The code/API_definitions contains the OpenAPI specification of the API in YAML format.

Working groups

The working groups typically address common topics across all subprojects. Some examples of working groups are the API Backlog, which manages the lifecycle of the API proposals, the Marketing group, responsible for promoting the APIs, or the Commonalities group, where common topics relevant to all APIs are discussed (e.g. authorization, documentation, or guidelines)

Just like the subprojects, members of the working groups use a GitHub repository and a mailing list to coordinate their activities.

If you're curious about the project's structure and the roles of its participants, check out the Project Structure and Roles documentation page.

API Lifecycle

One of the most interesting activities of the project is to maintain the lifecycle of the APIs.

Everything starts with the API onboarding, where companies can submit a new API proposal outlining a high description of the API (what it does with some examples), along with its technical and commercial viability.

The API Backlog working group will evaluate the proposal and, if they approve it, they'll endorse the proposal to be sent to the steering committee for final approval. If all goes well, the API proposal will be transformed into an actual subproject, which will begin receiving contributions and ideas using the mechanisms described above.

Once the API specification is stable enough, the implementation will be deployed and tested in one or more operator networks. The deployment can be used in production environments if the tests prove successful.

Conclusion

The CAMARA project sets an important milestone in the telco industry in terms of coordination and cooperation. The open structure of the project facilitates tracking and understanding some decisions taken behind each API.

The resources and documentation already generated by the project members are extensive. Be sure to explore their GitHub repositories and Wiki.

Interested in seeing how the CAMARA-based APIs work in real environments? Be sure to check out the Vonage SIM Swap and Number Verification APIs.

If you have any questions or comments, please let us know in our Community Slack Channel and follow us on X.

Tips for speaking to college students about DevRel

Alvaro Navarro — Thu, 23 Jan 2020 14:17:52 +0000

I was invited to deliver a 30 minutes talk to last-year-students at a University on Wednesday this week. The talk was held on "Career Opportunities Day" so, considering the amount of consulting firms present at the event, I decided to talk about something totally different and new for most students: DevRel as professional career.

Around 25 students showed up to attend the talk. Unfortunately my talk was scheduled right before the end of the agenda so many people had left already.

Tip #1: talking about "exotic" topics at these kinds of events can be challenging, so try to schedule your talk early in the morning when your audience is fresh.

As you can imagine, I started the presentation with the obvious question: "Does anyone know what is DevRel about?". Nobody answered but that was kind of expected, right? :-)

The content of the talk pretty much covered the usual DevRel 101 stuff: what DevRel is and is not, how we help developers to succeed, the beauty of working with communities or why DevRel is important for companies. I gave an example of “A Day in the Life of a Developer Advocate at a Hackathon representing Amadeus for Developers", which they liked very much.

Tip #2: Next time I deliver this presentation to a similar audience, I will base the whole presentation on examples and personal stories, as they seem to work better.

Okay, time for some metrics and personal observations:

All of them were surprised to see a professional career option related to software development that didn't imply a full-time coding position.
Only 2 students raised their hands to the question "Has anyone ever contributed to an Open Source project?"
Almost everyone raised their hands to the question "Do you have a public code repository (GitHub, GitLab...)?"
No one had participated in a Hackathon before.
They loved the idea of traveling to attend events.
I saw some "No thanks" faces when I talked about public speaking skills.
I realized that 20% of the students were taking notes. The other 80% just listened.

Tip #3: There is an interesting opportunity in proposing internal Hackathons at universities.

As usual, I have the feeling that I forgot many ideas and examples, but all in all, I'm happy with the results.

The slides I used as reference during the talk can be found on my speakerdeck.

Looking forward to the next talk!