
SIM swaps - a growing problem with a SIMple solution

Suddenly there seems to be a lot more talk about SIM swaps. If you don't know, this is when a fraudster, using social engineering techniques, dupes the victim's mobile phone operator into transferring the victim's mobile number to a SIM in the fraudster's possession (a replacement SIM on the same account, or a port of the number to another operator). From that moment the fraudster receives any incoming calls and text messages sent to the victim's number, including banking one-time passcodes. SIM replacements and number ports are routine customer-service requests, which is why professional fraudsters find them relatively easy to obtain.

The fraudster can then perform transactions over a range of banking services, such as Internet banking, and when the bank tries to verify the transaction via the mobile, by either a voice call or an SMS, the fraudster confirms it and the transaction is authorised. Intriguingly, there are significant regional variations: SIM swapping does not appear to be reported as an issue in the US, but is relatively common in Australia, Brazil, Malaysia, Mexico, Portugal and South Africa, and increasingly so in the UK, for example. The US situation is interesting: it may well be that SIM swap fraud, being more involved than card skimming, is either not yet prevalent there (card skimming is easier to commit) or is simply not being reported as such.

SIM swap fraud is a targeted attack, closer to spear phishing than to the mass phishing that simply dupes whoever responds, and it is particularly insidious. The bad news is that a fraudster has decided to target a specific individual and already holds enough of that person's personal details to pass the operator's identity checks and carry out the attack. Also, because the attack is cross-channel, individuals will not intuitively deduce that they are under attack: how many people would immediately suspect that their bank account was being raided if their mobile suddenly stopped receiving calls and texts?

The good news is that there is a technological solution to the problem. It is already possible to query whether, and when, the SIM behind a mobile number was last changed or the number was ported, and so to stop that phone being used to authorise transactions for a period after a change, unless other indicators (for example, the customer having told the bank about a new phone through an authenticated channel, or the transaction coming from a device the bank already recognises) suggest the swap was in fact legitimate.
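The check described above, written out as an added example: a bank-side policy that consults a SIM-change / number-port lookup before trusting an SMS or voice OTP sent to a number. This is not ValidSoft's or the author's code; the operator lookup is simulated with a constructed directory, and the field names, the seven-day window and the indicator names ("customer_notified_new_sim", "known_device") are assumptions for illustration.

```python
# Added example (not ValidSoft's or the author's code): decide whether an
# SMS/voice OTP to a number can be trusted, given how recently the SIM or the
# operator behind that number changed. Lookup data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "send OTP to this number"
    STEP_UP = "recent SIM change: confirm through another channel first"
    BLOCK = "recent SIM change with no corroborating signal: do not authorise"


@dataclass(frozen=True)
class SimStatus:
    msisdn: str
    last_sim_change: Optional[datetime]  # IMSI behind the number last changed
    last_port: Optional[datetime]        # number last moved to another operator


UTC = timezone.utc
NOW = datetime(2012, 3, 21, 12, 0, tzinfo=UTC)  # constructed "current time"

# Constructed stand-in for an operator / aggregator lookup response (assumption:
# such a lookup reports change and port timestamps per number).
SIM_DIRECTORY = {
    "+447700900123": SimStatus("+447700900123", datetime(2011, 6, 2, tzinfo=UTC), None),
    "+447700900456": SimStatus("+447700900456", datetime(2012, 3, 20, 9, 0, tzinfo=UTC), None),
    "+447700900789": SimStatus("+447700900789", None, datetime(2012, 3, 19, 8, 30, tzinfo=UTC)),
}


def lookup_sim_status(msisdn: str) -> Optional[SimStatus]:
    """Simulated operator query; a real deployment would call the operator or an
    aggregator API here."""
    return SIM_DIRECTORY.get(msisdn)


def sim_changed_within(status: SimStatus, now: datetime, window: timedelta) -> bool:
    """True if either the SIM or the operator behind the number changed inside the window."""
    events = [t for t in (status.last_sim_change, status.last_port) if t is not None]
    return any(timedelta(0) <= now - t <= window for t in events)


def decide(msisdn: str, now: datetime = NOW, window: timedelta = timedelta(days=7),
           indicators: FrozenSet[str] = frozenset()) -> Decision:
    """Policy: a phone whose SIM changed recently is not trusted for OTP
    delivery unless something else says the change was legitimate.

    Assumed indicator names:
      "customer_notified_new_sim"  customer told the bank, via an authenticated
                                   channel, that they changed phone or SIM
      "known_device"               transaction came from a device the bank has
                                   seen this customer use before
    """
    status = lookup_sim_status(msisdn)
    if status is None:
        # Fail closed: if the SIM cannot be assessed, do not rely on SMS alone.
        return Decision.STEP_UP
    if not sim_changed_within(status, now, window):
        return Decision.ALLOW
    if "customer_notified_new_sim" in indicators:
        return Decision.ALLOW
    if "known_device" in indicators:
        return Decision.STEP_UP
    return Decision.BLOCK


if __name__ == "__main__":
    for number in list(SIM_DIRECTORY) + ["+447700900000"]:
        print(number, decide(number).value)
```

The point of the fail-closed branch is that an unanswered or failed lookup must not silently fall back to "send the SMS anyway"; a customer-service step-up is the cheaper error.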

If the banks move quickly they can cut off yet another of the fraudster’s routes into our money and at the same time improve their own customer service. SIMple!


Comments: (1)

Andrew Churchill - MIDAS Alliance - London, 21 March 2012, 12:06

I agree with your points on the SIM swap itself, which is an interesting area in its own right.

I assume you're referring to the furore around SIM replacement in last week's Trusteer report 'Mobile Banking bypassed by fiendish malware blag' (http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/** and others).

Trusteer's report also missed some more fundamental issues in this regard.

Point 1 is that there is no point capturing an out-of-band OTP on the device itself if the transaction authentication is then typed back into the PC (as is typical for online banking), as the attacker is passed it anyway in any man-in-the-middle/browser etcetera attacks (in a poor implementation of out-of-band authentication).

Point 2, however, is that if the transaction authentication goes back over the out-of-band channel, as it must to avoid the primary channel intercept, then unless it's a simple 'Yes it's me', 'No it's not me' choice that's sent out (in which case the SIM replacement clearly does work, as the attacker sends back the response 'Yes it's me'), the attacker would need to either know the PIN the bank's expecting to authorise 'Yes it's me', or be able to spoof the biometric response expected, or whatever else is being used as the second factor (under a proper implementation of out-of-band authentication).

So Trusteer have found a fairly time-consuming attack, which dramatically impacts the criminals' risk/reward, as they need to be physically present themselves during the scam, in the jurisdiction the offence is being committed in - much higher risk, and lower reward due to the time involved, than purely cyber attacks.

And the scam only works against banks that didn't think through the implementation in the first place (oh, sorry - point taken - that's probably an awful lot of banks!)

NB ** the Register also incorrectly state that a trojan is used in both variants of the attack despite referring to the first one as using a phishing attack to obtain the static data. There's clearly no point phishing if you've a trojan on board!
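The two implementations contrasted in the comment above, as an added example that is not part of the post, the comment or any product: mode A accepts a bare "yes" from whoever holds the number, while mode B requires a transaction PIN that the SIM does not carry, verified against a stored hash, bound to a single challenge, rate limited, and accepted only over the phone channel (never typed back into the browser session). The customer, PIN, transaction and channel names are constructed for the illustration.

```python
# Added example (not from the post, the comment or any product): out-of-band
# transaction authorisation with and without a secret the phone does not hold,
# and what a fraudster holding the swapped SIM can do in each case.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 60_000   # kept modest for the example; use more in production
MAX_FAILURES = 3


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Customer:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class Challenge:
    customer_id: str
    summary: str      # what the handset displays or the IVR reads out
    used: bool = False


class OutOfBandAuthoriser:
    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}
        self.challenges: Dict[str, Challenge] = {}

    def enrol(self, customer_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self.customers[customer_id] = Customer(salt, hash_pin(pin, salt))

    def send_challenge(self, customer_id: str, amount: str, payee: str) -> str:
        """'Sends' the transaction details to the phone; returns the challenge id."""
        challenge_id = secrets.token_hex(8)
        self.challenges[challenge_id] = Challenge(customer_id, f"Pay {amount} to {payee}?")
        return challenge_id

    def _open_challenge(self, challenge_id: str) -> Optional[Challenge]:
        ch = self.challenges.get(challenge_id)
        return None if ch is None or ch.used else ch

    def authorise_yes_no(self, challenge_id: str, reply: str) -> bool:
        """Mode A: whoever holds the number can reply 'yes'."""
        ch = self._open_challenge(challenge_id)
        if ch is None:
            return False
        ch.used = True
        return reply.strip().lower() == "yes"

    def authorise_with_pin(self, challenge_id: str, pin: str, via: str) -> bool:
        """Mode B: the reply must carry the customer's transaction PIN and arrive
        over the out-of-band channel ("phone"), not the browser session."""
        ch = self._open_challenge(challenge_id)
        if ch is None or via != "phone":
            return False
        cust = self.customers[ch.customer_id]
        if cust.locked:
            return False
        if hmac.compare_digest(hash_pin(pin, cust.salt), cust.pin_hash):
            ch.used = True
            cust.failures = 0
            return True
        cust.failures += 1
        if cust.failures >= MAX_FAILURES:
            cust.locked = True   # further guesses from the swapped SIM get nowhere
            ch.used = True
        return False


def simulate_sim_swap() -> Dict[str, object]:
    """Fraudster holds the swapped SIM and knows the account, but not the PIN."""
    bank = OutOfBandAuthoriser()
    bank.enrol("alice", "7391")                       # constructed customer and PIN

    # Mode A: the prompt reaches the fraudster's handset and "yes" is enough.
    ch_a = bank.send_challenge("alice", "GBP 4,950", "new payee")
    yes_no_accepted = bank.authorise_yes_no(ch_a, "YES")

    # Comment's point 1: even the right PIN is refused when typed into the PC,
    # because a man-in-the-browser would see it; the same PIN over the phone works.
    ch_c = bank.send_challenge("alice", "GBP 10", "coffee shop")
    pin_via_browser = bank.authorise_with_pin(ch_c, "7391", via="browser")
    pin_via_phone = bank.authorise_with_pin(ch_c, "7391", via="phone")

    # Mode B under attack: same handset, but the reply needs the PIN.
    guesses: List[str] = ["0000", "1234", "1111"]
    ch_b = bank.send_challenge("alice", "GBP 4,950", "new payee")
    guesses_accepted = [bank.authorise_with_pin(ch_b, g, via="phone") for g in guesses]

    return {"yes_no_accepted": yes_no_accepted,
            "pin_via_browser_accepted": pin_via_browser,
            "pin_via_phone_accepted": pin_via_phone,
            "pin_guesses_accepted": guesses_accepted,
            "locked": bank.customers["alice"].locked}


if __name__ == "__main__":
    for key, value in simulate_sim_swap().items():
        print(f"{key}: {value}")
```

Binding the PIN to one challenge (the `used` flag) also stops a captured response being replayed against a different transaction, which a bare yes/no prompt cannot prevent.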

Pat Carroll, Founder/Executive Chairman, ValidSoft. Member since 17 Mar 2011. Location: London. Blog posts: 79. Comments: 40.

This post is from a series of posts in the group:

Online Banking
