Threat Category: Physical Access
ID: PHY-6
Threat Description: Physically swapping a user’s SIM with a compromised SIM could an allow an adversary to run malicious javacard applets.
Threat Origin
A Biometrics-Based Solution to Combat SIM Swap Fraud 1
Exploit Examples
Sim-Swap Fraud Claims Another Mobile Banking Victim 2
CVE Examples
Not Applicable
Possible Countermeasures
To increase the complexity of this attack, use devices that implement an integrated SIM or eSIM, which cannot be readily replaced with a malicious component.
To reduce opportunity for this attack, when leaving the device directly unattended, use strong physical security controls (e.g., lock it into a secure container).
EnterpriseTo increase the complexity of this attack, use devices that implement an integrated SIM or eSIM, which cannot be readily replaced with a malicious component.
References
L. Jordaan and B. von Solms, “A Biometrics-Based Solution to Combat SIM Swap Fraud”, in Open Research Problems in Network Security, pp. 70-87, 2011; http://dl.ifip.org/db/conf/ifip11-4/inetsec2010/JordaanS10.pdf [accessed 8/1/2022] ↩
M. Brignall, “Sim-Swap Fraud Claims Another Mobile Banking Victim”, The Guardian, 16 Apr. 2016; www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters [accessed 8/25/2016] ↩