SIM-Swapping Attacks to Access Bank Accounts
In a press release, Spanish authorities announced the arrest of a criminal group of 8 individuals who carried out SIM-Swapping attacks to access the bank accounts of unsuspecting victims.
SIM-Swapping is an attack technique that enables criminals to seize control of a victim’s phone number. The captured number is then used to intercept SMS-based 2FA codes (T1111 — Two-Factor Authentication Interception), granting access to online banking portals and any service relying on SMS authentication.
Attack Overview
SIM-Swapping has evolved steadily over the years, with documented losses affecting both bank accounts and cryptocurrency wallets.
According to the FBI, from January 2018 to December 2020, 320 complaints related to this attack type were filed, with estimated losses of approximately 12 million USD. In 2021 alone, complaints rose to 1,611, with losses exceeding 68 million USD.
The Spain Case
The press release states:
“They deceived mobile phone store employees to obtain SIM card duplicates and, in this way, gained access to bank security confirmation messages… They were then able to operate the victims’ online banking and access accounts to drain them after receiving security confirmation messages from the banks.”
Technical Detail
The criminals socially engineered employees of the victims’ mobile carriers into moving the victim’s number from the legitimate SIM to a new SIM card assigned to the fraudster (T1078 — Valid Accounts, T1199 — Trusted Relationship abuse at the carrier level). With control of the phone number, the group reset the victims’ email accounts, which in turn allowed password resets on banking and other online accounts. SMS-based 2FA confirmations were intercepted to authorise transactions.
Authorities noted: “Victims lost network signal on their phones because, upon activating the duplicate SIM, the original was immediately deactivated — leaving the line in the hands of the suspects… The fraudsters received the bank messages with the codes required to authorise transactions, using online banking services from multiple European countries.”
An unexpected loss of cellular signal on a single device — while other devices on the same carrier remain unaffected — is a primary indicator of an active SIM-Swap. The response window is narrow: accounts are typically reset and funds drained before the victim can contact their carrier.
Phishing-resistant MFA methods — authenticator apps and hardware security keys (FIDO2) — eliminate SMS interception as an attack surface and are the recommended mitigations against this class of account-takeover.
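The sequence in the Technical Detail section (duplicate SIM activated, then account resets, then SMS-authorised transfers) can be written as a service-side correlation rule that holds high-risk actions shortly after a SIM change. This is an added example, not code from the press release or any bank or carrier; the event names, the 72-hour window and the sample log are constructed, and it assumes the service can obtain a SIM-change timestamp for the customer's number.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event type); not real data.
# Event type names are assumptions made for this example.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "sim_change"),
    ("2024-03-01T09:20:00", "alice", "password_reset"),
    ("2024-03-01T09:25:00", "alice", "sms_otp_transfer"),
    ("2024-03-01T10:00:00", "bob", "password_reset"),      # no SIM change on record
    ("2024-03-01T10:05:00", "bob", "sms_otp_transfer"),
    ("2024-02-01T08:00:00", "carol", "sim_change"),        # old SIM change
    ("2024-03-01T11:00:00", "carol", "sms_otp_transfer"),
    ("2024-03-01T08:00:00", "dave", "sms_otp_transfer"),   # action precedes SIM change
    ("2024-03-01T12:00:00", "dave", "sim_change"),
]

# Actions the page describes after the swap: resets and SMS-authorised transfers.
HIGH_RISK = {"password_reset", "sms_otp_transfer"}
WINDOW = timedelta(hours=72)  # assumed hold period after a SIM change


def flag_sim_swap_risk(events, window=WINDOW):
    """Return (user, action, timestamp, age) for every high-risk action that
    occurs within `window` after that user's most recent SIM change."""
    last_sim_change = {}
    alerts = []
    # ISO-8601 strings in one format sort chronologically, so sorting the
    # tuples processes events in time order even if the log is shuffled.
    for ts_raw, user, kind in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if kind == "sim_change":
            last_sim_change[user] = ts
        elif kind in HIGH_RISK and user in last_sim_change:
            age = ts - last_sim_change[user]
            if age <= window:
                alerts.append((user, kind, ts_raw, age))
    return alerts


if __name__ == "__main__":
    for user, kind, ts, age in flag_sim_swap_risk(EVENTS):
        print(f"HOLD {kind} for {user} at {ts}: SIM changed {age} earlier")
```

A flagged action would be held for out-of-band verification rather than authorised on the SMS code alone, which addresses the narrow response window noted above.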