Pat Carroll - ValidSoft


SIM swaps - a growing problem with a SIMple solution

20 March 2012  |  5746 views  |  1 comment

Suddenly there seems to be a lot more talk about SIM swaps. If you don't know, this is when a fraudster, using social engineering techniques, dupes the victim's mobile phone operator into issuing a replacement SIM for the victim's number (or porting the number to a SIM) that is in the fraudster's possession. From that moment the fraudster receives every incoming call and text message sent to the victim's number, including banking one-time passcodes. SIM replacement and number porting are routine customer requests, which is why professional fraudsters find them relatively easy to perpetrate.

The fraudster can then perform transactions over a range of banking services such as Internet banking, and when the bank tries to verify the transaction via the mobile, by either a voice call or an SMS, the fraudster is the one who answers, confirms it, and the transaction is authorised. Intriguingly, there are significant regional variations: SIM swapping does not appear to be an issue in the US, but is relatively common in Australia, Brazil, Malaysia, Mexico, Portugal and South Africa, and increasingly so in the UK, for example. The US situation is interesting: it may well be that SIM swap fraud, being more complex than card skimming, is simply less prevalent there (card skimming is easier to commit), or that it is not being reported.

SIM swap fraud is a targeted attack, closer to spear phishing than to bulk phishing, and it is particularly insidious. The bad news is that a fraudster has chosen to target a specific individual and already holds enough of that person's details to pass the operator's identity checks. Also, because the attack is typically cross-channel, victims will not intuitively deduce that they are under attack: how many people would immediately suspect that their bank account was being attacked because their mobile had suddenly stopped receiving calls?

The good news is that there is a technological solution to the problem. It is already possible for a bank to check, before it relies on a phone number, whether the SIM behind that number has recently been replaced or the number ported, and then to refuse to authorise transactions via that phone unless other indicators (for example, the customer having confirmed a new handset through another channel) show the change was in fact legitimate.
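The check described above, as an added example that is not ValidSoft's product or the post's own code. It assumes a hypothetical operator or aggregator lookup that returns when the SIM behind a number last changed and when the number was last ported; the `_LOOKUP` table, the phone numbers, the seven-day window and the `AccountPhone` record are all constructed for the example. The policy is the one the post sketches: a SIM change the bank cannot account for blocks the phone as an authentication channel, while a change that predates enrolment or has been verified through another channel is allowed.

```python
"""
SIM-swap check run before a bank trusts a phone number as an authentication
channel. Added example (not ValidSoft's product or the post's own code): it
assumes a hypothetical operator/aggregator lookup returning when the SIM
behind a number last changed and when the number was last ported. _LOOKUP
below is constructed sample data standing in for that service.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SimStatus:
    msisdn: str
    sim_changed_at: Optional[datetime]  # last time the operator issued a new SIM for this number
    ported_at: Optional[datetime]       # last time the number moved to another operator, if ever


@dataclass
class AccountPhone:
    msisdn: str
    enrolled_at: datetime                                      # when the customer registered this number with the bank
    verified_via_other_channel_at: Optional[datetime] = None   # e.g. new handset confirmed in branch or by call-back


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data standing in for the operator lookup (assumption).
_LOOKUP = {
    "+447700900001": SimStatus("+447700900001", utc(2012, 1, 10), None),         # SIM predates enrolment
    "+447700900002": SimStatus("+447700900002", utc(2012, 3, 18, 9, 30), None),  # SIM replaced two days ago
    "+447700900003": SimStatus("+447700900003", None, utc(2012, 3, 19)),         # ported yesterday, later verified
    "+447700900004": SimStatus("+447700900004", utc(2012, 3, 1), None),          # replaced three weeks ago, unverified
}

RECENT_WINDOW = timedelta(days=7)   # policy assumption: a swap this fresh blocks the channel outright


def lookup_sim_status(msisdn: str) -> SimStatus:
    return _LOOKUP[msisdn]


def phone_channel_decision(acct: AccountPhone, status: SimStatus, now: datetime) -> str:
    """Return 'allow', 'step_up' or 'block' for sending an OTP or confirmation to acct.msisdn."""
    events = [t for t in (status.sim_changed_at, status.ported_at) if t is not None]
    if not events:
        return "allow"
    latest_change = max(events)
    if latest_change <= acct.enrolled_at:
        return "allow"            # the customer enrolled after this SIM was issued: it is theirs
    verified = acct.verified_via_other_channel_at
    if verified is not None and verified >= latest_change:
        return "allow"            # the bank already confirmed this change through another channel
    if now - latest_change <= RECENT_WINDOW:
        return "block"            # fresh, unverified swap: send nothing to this phone
    return "step_up"              # older unverified change: confirm through a different channel first


def authorise_via_phone(acct: AccountPhone, now: datetime) -> str:
    return phone_channel_decision(acct, lookup_sim_status(acct.msisdn), now)


if __name__ == "__main__":
    now = utc(2012, 3, 20, 12, 0)
    enrolled = utc(2012, 2, 1)
    for msisdn, verified in [("+447700900001", None), ("+447700900002", None),
                             ("+447700900003", utc(2012, 3, 19, 15, 0)), ("+447700900004", None)]:
        print(msisdn, authorise_via_phone(AccountPhone(msisdn, enrolled, verified), now))
```

Note that a verification performed before the swap does not cover it: the comparison is against the most recent SIM or porting event, so a customer who confirmed a handset last month and whose number was then swapped yesterday is still blocked.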

If the banks move quickly they can cut off yet another of the fraudsters' routes into our money and at the same time improve their own customer service. SIMple!

Tags: Security, Online banking

Comments: (1)

Andrew Churchill - Technology Strategy - London | 21 March, 2012, 12:06

I agree with your points on the SIM swap itself, which is an interesting area in its own right.

I assume you're referring to the furore around SIM replacement in last week's Trusteer report 'Mobile Banking bypassed by fiendish malware blag' (http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/** and others).

Trusteer's report also missed some more fundamental issues in this regard.

Point 1 is that there is no point capturing an out of band OTP on the device itself if the transaction authentication is then typed back into the PC (as typically for online banking), as the attacker is passed it anyway in any man in middle/browser etcetera attacks (in a poor implementation of out of band authentication).

Point 2, however, is that if the transaction authentication goes back over the out of band channel, as it must to avoid the primary channel intercept, then unless it's a simple 'Yes it's me', 'No it's not me' choice that's sent out (in which case the SIM replacement clearly does work, as the attacker sends back the response 'Yes it's me') then the attacker would need to either know the PIN the bank's expecting to authorise 'Yes it's me', or be able to spoof the biometric response expected, or whatever else is being used as the second factor (under a proper implementation of out of band authentication).

So Trusteer have found a fairly time-consuming attack, which dramatically impacts the criminals' risk/reward, as they need to be physically present themselves during the scam, in the jurisdiction the offence is being committed in - much higher risk, and lower reward due to the time involved, than purely cyber attacks.

And the scam only works against banks that didn't think through the implementation in the first place (oh, sorry - point taken - that's probably an awful lot of banks!)

NB ** the Register also incorrectly state that a trojan is used in both variants of the attack despite referring to the first one as using a phishing attack to obtain the static data. There's clearly no point phishing if you've a trojan on board!

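The two out-of-band designs the comment contrasts, as an added example that is not code from the post, its author or the commenter. A bank in `yes_no` mode accepts a bare "YES" over the mobile channel, so whoever holds the SIM can authorise; a bank in `pin_bound` mode expects a reply that can only be computed with the customer's PIN and that commits to the payee and amount in the challenge. The challenge format, the PBKDF2-derived key, the 8-hex-digit response, the customer IDs and PINs are all assumptions of this example, and the handset side assumes an app that reads the SMS challenge and asks the customer for the PIN.

```python
"""
Out-of-band (OOB) transaction authentication: a plain yes/no reply versus a
PIN-bound reply over the same channel. Added example illustrating the comment
above; not code from the post, its author or the commenter. Challenge format,
PIN-derived key and the 8-hex-digit response are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_pence: int


@dataclass(frozen=True)
class Challenge:
    nonce: str
    tx: Transaction

    def sms_text(self) -> str:
        # What the customer reads on the handset: the details to be authorised travel with the challenge.
        return f"Confirm GBP {self.tx.amount_pence / 100:.2f} to {self.tx.payee}. Ref {self.nonce}"


def derive_key(customer_id: str, pin: str) -> bytes:
    # Shared key derived from the PIN at enrolment; the bank holds the key, the PIN stays with the customer.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), customer_id.encode(), 100_000)


def pin_bound_response(key: bytes, ch: Challenge) -> str:
    # The reply commits to the nonce and to the payee/amount the customer saw: it proves PIN knowledge
    # without sending the PIN, and cannot be replayed against a different payment.
    msg = f"{ch.nonce}|{ch.tx.payee}|{ch.tx.amount_pence}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self, mode: str):
        assert mode in ("yes_no", "pin_bound")
        self.mode = mode
        self.keys = {}      # customer_id -> PIN-derived key
        self.pending = {}   # nonce -> (customer_id, Challenge)

    def enrol(self, customer_id: str, pin: str) -> None:
        self.keys[customer_id] = derive_key(customer_id, pin)

    def start(self, customer_id: str, tx: Transaction) -> Challenge:
        ch = Challenge(secrets.token_hex(4), tx)
        self.pending[ch.nonce] = (customer_id, ch)
        return ch   # delivered by SMS to the registered number

    def finish(self, nonce: str, response: str) -> bool:
        customer_id, ch = self.pending.pop(nonce)   # one reply per challenge
        if self.mode == "yes_no":
            return response.strip().upper() == "YES"
        return hmac.compare_digest(pin_bound_response(self.keys[customer_id], ch), response)


def customer_reply(mode: str, ch: Challenge, customer_id: str, pin: str) -> str:
    """Legitimate customer: the handset app shows ch.sms_text() and asks for the PIN."""
    return "YES" if mode == "yes_no" else pin_bound_response(derive_key(customer_id, pin), ch)


def sim_swapper_reply(mode: str, ch: Challenge, customer_id: str) -> str:
    """Attacker holding the swapped SIM receives the SMS but does not know the PIN."""
    return "YES" if mode == "yes_no" else pin_bound_response(derive_key(customer_id, "0000"), ch)


def run_scenarios(mode: str) -> dict:
    """Outcome of three attempts against a bank using the given OOB reply mode."""
    bank = Bank(mode)
    bank.enrol("cust-1", "4821")
    intended = Transaction("ACME Ltd", 250_000)
    out = {}
    ch = bank.start("cust-1", intended)
    legit = customer_reply(mode, ch, "cust-1", "4821")
    out["customer"] = bank.finish(ch.nonce, legit)
    ch = bank.start("cust-1", intended)
    out["sim_swapper"] = bank.finish(ch.nonce, sim_swapper_reply(mode, ch, "cust-1"))
    # A reply captured earlier (e.g. typed back into a compromised PC, as in Point 1)
    # replayed against a new challenge for a different payee.
    ch = bank.start("cust-1", Transaction("Mule Account", 250_000))
    out["replay"] = bank.finish(ch.nonce, legit)
    return out


if __name__ == "__main__":
    for mode in ("yes_no", "pin_bound"):
        print(mode, run_scenarios(mode))
```

In `yes_no` mode all three attempts succeed, which is the commenter's point about SIM replacement defeating a bare confirmation. In `pin_bound` mode only the genuine customer's reply is accepted: the SIM holder lacks the PIN, and a captured reply is useless against a different nonce or payee. The PIN itself should still be entered on the handset, not the PC, or a browser-side trojan is back in the loop.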
