PHY-6 · Mobile Threat Catalogue

Mobile Threat Catalogue

Physically swapping a user’s SIM with a compromised SIM to run malicious javacard applets

Contribute

Threat Category: Physical Access

ID: PHY-6

Threat Description:

Threat Origin

A Biometrics-Based Solution to Combat SIM Swap Fraud 1

Exploit Examples

Sim-Swap Fraud Claims Another Mobile Banking Victim 2

CVE Examples

Not Applicable

Possible Countermeasures

Mobile Device User

To increase the complexity of this attack, use devices that implement an integrated SIM or eSIM, which cannot be readily replaced with a malicious component.

To reduce opportunity for this attack, when leaving the device directly unattended, use strong physical security controls (e.g., lock it into a secure container).

Enterprise

To increase the complexity of this attack, use devices that implement an integrated SIM or eSIM, which cannot be readily replaced with a malicious component.

References

  1. L. Jordaan and B. von Solms, “A Biometrics-Based Solution to Combat SIM Swap Fraud”, in Open Research Problems in Network Security, pp. 70-87, 2011 

  2. M. Brignall, “Sim-Swap Fraud Claims Another Mobile Banking Victim”, The Guardian, 16 Apr. 2016; www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters [accessed 8/25/2016]