Kaspersky Senior Security Researcher Fabio Assolini is particularly interested in financial attacks. We talked about SIM swapping attacks, cryptocurrencies and more, called SIM Swap Attacks with financial implications. How can cyber attackers seize your mobile phone number and Whatsapp account? What happens next? Are cryptocurrencies and wallets safe? Here is our conversation…
Kaspersky held a cybersecurity event in Cape Town, South Africa. Cyber Security Weekend In other words, press members from the META region participated in the cyber security weekend event. We, as Technopat, watched the presentations of many different cyber security experts at the event.
We reached Cape Town directly from Istanbul with an 11-hour flight. Cape Town, the destination of this flight that crosses the entire African continent, is home to a vibrant economy and thriving information technology companies. Participants from Turkey and different regional countries met in this city, which is an important city for META.
We also watched the drone hacking live at the event, and participated in the cyber security question and answer event. The general security sensitivity of our friends from the press participating from Turkey is quite high, because 3 of the 5 people who got the highest score in the cyber security practice question and answer event were Turkish, and we were one of them. We can say that it is a fun activity for those who love technology and security.
Of course, the biggest benefit is to talk face-to-face and have detailed information about different threats and developments and meet relevant people in this field. We already share such important information with you in the news we share, the videos we prepare, and sometimes between the lines of our guides.
Speakers touched on interesting issues. Mobile security, increasing threats as well as decreasing threats and detailed presentations were made. You can see some of them in this news…
Attacks Targeting the Wallet
Among these speakers, Fabio Assolini, of Brazilian origin, conveyed an extremely interesting subject. In these attacks, called SIM Swap, users’ mobile phone numbers are seized. Naturally, the security codes that come to their phones and programs such as Whatsapp are also seized. We had arranged our schedules for an interview with him from the event.
When the presentations were over, we went to the area reserved for the interview and talked to him about both this issue and the points that we think our readers would be curious about in the field of cyber security in general. We spoke in English and we are sharing the Turkish translation with you. As a footnote, I would like to thank my wife who contributed to the transcript and translation.
Special thanks to the Kaspersky event photographer for these beautiful photos, and to Kaspersky and agency staff who contributed to the organization and smooth running of the event, both for their professionalism and hospitality.
A – Ali Gungor – Technopat
F – Fabio Assolini – Kaspersky
A: Today you gave a presentation on mobile risks and specifically Sim Cards.
A: Could you please introduce yourself to our readers at Technopat.net?
F: Yes. My name is Fabio Assolini. I am a Senior Security Researcher at Kaspersky Lab and am currently interested in cyber threats, especially in the financial field. There are many attacks against customers who access their bank accounts online or make transactions with mobile banking or buy something online. These are the kinds of threats I am charged with analyzing, and I research new threats that cybercriminals create and create every day.
A: You are Brazilian. How are things in Brazil?
F: Yes. I am Brazilian and most cyberattacks on ordinary people in Latin America, including Brazil, are for financial reasons. I mean, cybercriminals want to get easy money by copying your credit card or stealing money from your account.
Most attacks in Latin America, including Brazil, are financially focused, but Brazil is the #1 country with the highest prevalence of phishing, banking phishing, and banking trojans worldwide, a type of malware that installs on your system and tries to steal your bank credentials. type. I am quite experienced in this field.
A: So we see many attacks, for example social engineering, phishing attacks and all of them are identity based, they copy our identity, it can be electronic or it can be a real person, you told us about e-Sim and other Sim solutions, hardware solutions are just that It doesn’t make sense because people’s weaknesses are also a problem, the telecom operator or anyone else can sometimes take a bribe.
There may be other problems but they can very easily copy our identity and steal our bank account and transfer our money. What do you think is the solution? For example, we are using an increasing number of mobile applications, mobile banking applications in Turkey…
A: Which has grown a lot, for example some of them did not accept electronic money transfer.
F: All right.
A: It is very expensive to make them more attractive and accessible to people, people started using them but we still use SMS verification for passwords. Is it enough to rule this out and enforce two-factor authentication?
F: It depends on the maturity reached by each market. I mean, if you have a lot of scam scenarios, normally banks or financial systems react and the first reaction is to set up safeguards.
That is, they started to require two-factor authentication for all users, or they started adopting new protection methods that the user had to set up before they could get into their bank account.
So yes it depends on the market but in my opinion it is very widely known, financial systems need to adopt such protection methods and abandon the sparser and vulnerable systems like SMS conversations, so cybercriminals are doing this scam today, they disable your number and use this They activate the number on another SIM card and these cybercriminals start to steal all your conversations, passwords, calls and with this information they take over your bank account to steal you and your money.
So, it depends on the maturity reached by each market. Banks can react, that’s how it should be now, we’ve seen SIM swap attacks and scams, it’s happened around the world and at advanced levels, they stole a lot of money, as a result it’s important that banks and financial systems strive to adopt new protection methods. Essentially, these events also happen in the cryptocurrency market.
A: Yes. It’s a particularly vulnerable market.
F: Exactly. The cryptocurrency market is very new and very young. How to proceed, we’ll find out… they need to protect their customers because many accounts have been hacked.
People used their crypto, their Bitcoin, and it’s a digital currency, but still, a malicious person can steal your digital money, so companies will learn that they have to offer protection, and that’s what they do anyway. As consumers we should say “Give me better protection” to the services we receive, this is what we must do right now in our job to better protect our phone numbers because once you lose your number you can easily fall victim to such attacks.
A: Do you see biometric solutions as a solution to identity problems? Be it SIM and number or credit card number
A: Whether it’s a social security number or anything else, I call these identity issues. Can we somehow form a worldwide consortium in the future or create or control a new identity system?
F: Yes, identity theft is a big problem in the world and a cybercriminal in particular makes this type of attack because there are data leaks in many companies nowadays. All data about their customers is stolen by cybercriminals or cybercriminals hijack their systems and obtain the data. These days, cybercriminals can use your data to request a new credit card and open a bank account in your name, and this is really bad.
To solve this problem, companies are adopting new ways of authentication, and one of these new technologies is biometrics. If it works that would be really cool, but you still have to implement it correctly for it to be a real solution. I’ll give you a small example from my own country, Brazil. They detected some fraud in driving schools, driver’s license courses. In order to avoid this problem, they adopted a biometric system that reads your fingerprint.
F: After a while, what the authorities saw and discovered in the country was that people were copying their own fingerprints with silicon, and other people were getting into systems using other people’s fingerprints. Although biometric is a good method of protection, it has been compromised here.
So when companies, banks, governments want to adopt a biometric solution, it’s important that they adapt properly… different levels of biometric identification can have different levels and if you adapt it properly you will solve the problem but it’s like a game of cat and mouse. It’s not easy. Cybercriminals are constantly looking for new ways to circumvent these protection tools.
A: We see the same thing in Turkey, if you find a solution, people always find a better way to get around that solution.
A: This is a humanity problem that we cannot overcome.
F: This is a human problem, so we already say that there is no such thing as 100% security. That’s why security companies like Kaspersky need constant funding for everything, we need to regularly discover new attacks because cybercriminals do it. They are always looking for new ways.
A: As a cybersecurity researcher, what is your main tool? How do you recognize incoming threats? Do you do data analysis? Social analysis? What is the main issue that you see as the first warning?
F: Hmm. Especially when we look at Turkey’s market, I saw that there are many phishing attacks in Turkey. This happens because we connect to a lot of services every day, so when cybercriminals steal your credentials, which is very valuable information for them, they can steal both your data and financial information.
When I checked the cyber threat statistics and took a look at what was happening in Turkey, I saw a lot of phishing attacks, I also saw a huge increase in mobile attacks and especially malicious mobile applications, and unfortunately, most of the time these fake banking applications are the applications that are sought in the official stores especially for Android. imitation versions. The threats that I see happening now will continue to occur in Turkey in the future in terms of more phishing attacks and more mobile-focused attacks.
A: So first of all people need to be especially careful and smart when using WhatsApp and other messaging apps. We always have to ask, is this person asking for money really someone I know or is there a suspicious situation, and secondly, as you say, we should sift through the applications we allow on our devices with great care and be careful about this.
F: Exactly. If we are talking about cell phone security, it is very important that you adopt two factor authentication in all services including WhatsApp, and this is also very important with SIM Swap scams because when malicious people do this to your number, they first install WhatsApp on another phone and start asking your contacts for money and a Unfortunately, many people send this money.
So when you configure two-factor authentication on your WhatsApp account, your WhatsApp will be protected. If a malicious person uploads the number to another phone, the first thing WhatsApp asks you is the two-factor, six-digit number, if it doesn’t get that answer, the attack cannot be completed, which is good, for protection, when you want to do mobile banking, an anti-malware program will install it on your phone. It is very important to have it installed, because this program will double protect you against phishing attacks from social network messages, SMS, e-mail received via WhatsApp or Facebook or other programs, moreover, when malware tries to install on your system, it will be blocked. In terms of the method of protection, this is an important thing.
A: What do you think of Telegram? Its use has also increased in Turkey. Could it be an application-based risk or a general risk, what do you think?
F: Hmm, Telegram is not as popular as WhatsApp. That’s why cybercriminals haven’t focused entirely on Telegram yet. The first target is WhatsApp, but I’m sure that if the scenario changes, as in many countries, WhatsApp encounters legal problems, sometimes WhatsApp can be blocked by the government. These things happen, normally in this case the number of WhatsApp users should explode, sorry Telegram because a lot of people will say “OK, WhatsApp is blocked now, then I’ll start using Telegram too.”
A: This is an alternative.
F: Exactly. The same applies in this case. Cybercriminals will redirect their targets to Telegram and as far as I know Telegram uses phone calls sent via SMS and that is not good.
A: Yes. We should avoid this altogether and ask our banks, app developers, and everyone else to improve security. We should ask them how they protect us, how they protect our identity, and what their plans are. People should demand it. People should know these.
F: Exactly. We need to ask our customers, we need to ask your business, your bank’s online service providers, you need to ask them to do something to protect you because these scams are not in our hands. Unfortunately, there is not much you can do to prevent your number from being scammed by SIM Swap (SIM exchange), but we can ask our customers to do something, together if many customers ask the same thing, I think we can get results, that’s all.
A: Many thanks for your answers and your time to us.
F: All right. Thank you.
A: See you in another video!
English Interview Transcript
A – Ali Gungor – Technopat
F – Fabio Assolini – Kaspersky
A: Today, you have made a presentation about the mobile risks and especially SIM Cards.
A: Can you please introduce yourself to our viewers at technopat.net?
F: Yes. My name is Fabio Assolini. I’m the Senior Security Searcher in Kaspersky Lab and already dedicated to investigate threats, especially in the financial area. So, a lot of attacks against customers accessing their bank account online or doing mobile banking or buying things online. That’s the type of threat that I’m dedicated to analyze and search new attacks that cybercriminals are inventing and doing every day.
A: So, you are from Brazil. How is the situation in Brazil?
F: Yes. I’m from Brazil and in Latin America including Brazil are most of the attacks targeting normal people are financial related. I mean, cybercriminals, they want easy money, stealing money from your account or cloning your credit card. So, most of the attacks in Latin America including Brazil are financially focused but Brazil is the No 1 country worldwide most attacked by phishing, banking phishing, and also banking Trojans that a specific type of malware that installed in your system and try to steal your banking credentials. So that’s why I’m very experienced in this topic.
A: So, we see a lot of attacks especially for example social engineering, phishing and they are all identity based, they are just cloning our identification, it maybe electronic or it may be actual person you told about us the e-SIM and other SIM solutions and hardware solutions don’t matter too much because there are humans at the weakling and telecom operator or at any other place they can be just sometimes bribed. There may be other problems, but they can very easily replicate our identity and they can just steal our banking account, just transfer our money. What do you see as a solution? For example, in Turkey we use mobile applications increasingly, mobile banking applications have grown very much and for example some of them just didn’t take electronic money transfer.
A: It costs to make them more appealable, approachable to people and people started using them but we still use SMS verification for passwords. Is it enough to just disable and make it mandatory for two-step authentication?
F: Well, it depends on the level of maturity of each market. I mean if you have a scenario of a lot of frauds, normally the banks or the financial system they react, and the first reaction they have is to step up their protections. I mean, they start to make two-factor authentication mandatory to all users, or they start to adapt new protections that user needs to install to be able to enter the bank account.
So, it depends on the market but my opinion is very well common when the financial systems adapt such kind of protections and abandon odd and vulnerable systems such as talking sent via SMS that’s why cybercriminals today, they can do this fraud when they deactivate your number and they activate this number on another SIM Card and then this cybercriminal starts to receive all your talking, all your codes, your calls and with this information they can hack you, hack your bank account to steal your money. So, it depends on the level of maturity of the market. Banks can react and I think this is really desirable at this moment when we saw SIM swap attacks and frauds, such this one worldwide and big levels, a lot of money they are stealing, so it is necessary that banks or the financial systems fight to adapt new protections. Actually, it happens with the crypto currency market.
A: Yes. Especially vulnerable.
F: Exactly. The crypto currency market is very new and very soon they’ll learn how to… they need to protect their customers because a lot of accounts were hacked. People used their crypto money, their bitcoins and it is digital money but anyway it can be some bad guy can steal your digital money so soon these companies learn that they need to offer protections and that’s what they are doing in. We as consumers we need to ask the services that we like “Hey offer me a better protection,” and that’s what we need to do today with our careers to offer a better protection to our phone numbers because when you lose it you can be easy victim of this kind of attack.
A: Do you see biometric solutions as a solution to identity problems? I describe them as identity problems even if it SIM and number, the credit card number…
A: …social security number or any other thing. Is there any way that we can in the future bring a consortium worldwide or bring a new identity system or check it?
F: Yeah, the identity theft is big problem worldwide and this kind of attack can a cybercriminal can do it especially because today a lot of companies are suffering data leakage incidents. I mean all the data they have about their customers are stolen by cybercriminals or a cybercriminal invade their systems and take the data. So these days cybercriminals can open bank account if your name can ask for a new credit card using your data and this is really bad. Trying to solve this problem, companies are adapting new authentication ways and one of these new technologies are biometrics. That is something cool if can work but even, you need to implement it correctly to be a real solution. I’ll give you one small example, from my country, Brazil. They detected some fraud in driving schools, driving license schools. So trying to avoid this problem, they adopted a biometric system to read your fingerprint.
F: After sometimes what they discovered the authorities saw in the country, people were doing a copy of their fingerprints in silicone and other people were logging systems using someone else’s fingerprint. Like a good protection biometrics but it was bypassed. That’s why companies, banks, when they try to adapt biometrics solution is good to adapt it correctly or a good … you have different levels of identifications of biometrics and if you adapt it right you can solve the problem but the thing is, it is a cat and mouse game. It is not easy. Cybercriminals are always trying to find a way to bypass protections.
A: In Turkey, we see the same thing when you find the solution, people just find a better solution to go around your solution…
A: It’s a human problem we cannot get over.
F: It’s a human problem that’s why we here say that there is no 100% security. That’s why we say that security companies such as Kaspersky, we need constant money to our everything we need to regularly look for new attacks because that’s what cybercriminals are doing. They are searching for new things.
A: So as a cyber security researcher, what’s your main tool? How do you see incoming threats? Do you do data analysis? Do you do social analysis? What’s the main thing you see as a first warning?
Monk seal. Looking especially to the Turkey’s market, Turkish market, I saw a lot of phishing attacks going on in Turkey. It happens because we are everyday connected a lot of services so when the cybercriminals steal your credential it is something very valuable to him, he can steal your data he can steal your financial data.
So what I saw when we check the threat statistics, what’s going on in Turkey, we saw a lot of phishing attacks and also big increase of mobile attacks especially malicious mobile applications and unfortunately, most of the time these fake banking applications are affected applications they are looking in the official store, especially for Android. So the threats that I saw happening right now and will continue in the future regarding Turkey more phishing and more attacks focusing on mobile.
A: So, first of all people should be especially minded especially careful about using WhatsApp and other messaging applications. We should always ask if this is my real relative asking for money or is it something suspicious and second of all you are saying that we should carefully screen which applications we are allowing into our devices and be careful about that.
F: Exactly. When I talk about secure your mobile, it’s very important you adapt two factor authentication to all services including WhatsApp and this is important in the case of SIM Swap fraud because when there criminal do this against your number, the first thing they try to do is to load WhatsApp on another phone they start to asking your contacts for money and a lot of people send this money, unfortunately.
So when you configure two factor authentication on your WhatsApp account, your WhatsApp will be protected. If the criminal try to load it another phone, the first thing WhatsApp you ask is the two-factor, the six-digit number if they don’t have it, they can’t complete the attack and this is something good and regarding protection when you try to do mobile bank is very important to have anti-malware product installed on your phone because this will probably protect you double against phishing attacks received over e-mail, over SMS, over social network messages you receive over WhatsApp or Facebook or other programs and also if malicious application try to install in to your system, they will try to result in block. So, this is something important when you talk about your protection.
A: What do you think about Telegram, also rising in usage in Turkey? Is it application-based risk or general risk, what do you think?
F: Umm, the Telegram is less popular than WhatsApp. That’s why cybercriminals are not yet totally focused on Telegram. The first target is WhatsApp but I’m sure if the scenario changes as it happened in a lot of countries that WhatsApp had legal problems and sometimes WhatsApp can be blocked by the government.
It happens and the situation normally WhatsApp explode the number of users like sorry Telegram explode like a lot of people decide “Ok if WhatsApp is blocked now outright, I’ll start to use Telegram.
12:28 A: That’s an alternative.
F: Exactly. So, in this situation, it happens the same. Cybercriminal then will focus their target on Telegram and as far as I know, Telegram also using talkings OTP sent over SMS and this is not good.
A: Yes. It should be entirely abandoned, and we should ask our banks or application developers, and everyone increase the security. How are you protecting me, how are you protecting my identity and what’s your plan? People should demand it. People should know it.
F: Exactly. We ask consumers we need to ask our providers of online services of your bank of your career to do something to protect you because this is not in our hands.
I mean, there is not many things you can do to avoid your number to be SIM swapped unfortunately but ask consumers we can ask them to do something and together a lot of customers asking the same thing I think we’ll get a result and that’s it.
A: Thank you very much for your answers and your time.
F: Okay. Thank you.
A: See you in another video.