Suddenly there seems to be a lot more talk about SIM swaps. If you don’t know, this is when a fraudster, using social engineering techniques, dupes the victim’s mobile phone operator into porting the victim’s mobile number to a SIM in the possession of the
fraudster and so starts receiving any incoming calls and text messages, including banking one-time-passcodes, that are sent to the victim’s phone number. Number porting is a common request and is therefore relatively easy for professional fraudsters to perpetrate.
The fraudster can then perform transactions over a range of banking services such as Internet banking, and when the bank tries to verify the transaction via the mobile, by either a voice call or SMS, the fraudster is able to confirm it and the transaction
is authorised. Intriguingly, there are significant regional variations – SIM swapping does not appear to be an issue in the US, but is relatively common in Australia, Brazil, Malaysia, Mexico, Portugal, South Africa and increasingly so in the UK, for example.
The US situation is interesting since it may well be that SIM Swap fraud, being more complex than card skimming, is either not prevalent (card skimming is easier to commit) or is not being reported.
SIM Swap fraud is a type of Spear Phishing (targeted) attack. It is more complex than Phishing (duping) and is particularly insidious. The bad news is that a fraudster has decided to target an individual and has sufficient knowledge of the individual’s personal
details to be able to carry out these attacks. Also, because the attack is typically cross channel, individuals will not intuitively deduce that they are under attack - how many people would immediately suspect that their bank account was under attack if they
suddenly stopped receiving calls on their mobile, for example?
The good news is that there is a technological solution to the problem. It is already possible to tell if a mobile number has been ported, then prevent transactions being authorised using that particular phone unless other indicators suggest the swap was
in fact legitimate.
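
A sketch of the check described above, added here as an illustration and not taken from any bank's or operator's system. The 72-hour window, the two-indicator threshold and all names are assumptions; how the operator's swap timestamp is obtained is outside the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed policy values (not from the article).
RECENT_SWAP_WINDOW = timedelta(hours=72)
MIN_CORROBORATING = 2


@dataclass(frozen=True)
class SwapSignals:
    """Hypothetical indicators that a recent swap was legitimate."""
    customer_reported_new_sim: bool = False  # customer told the bank beforehand
    enrolled_device: bool = False            # session comes from a known device
    verified_in_branch: bool = False         # identity re-checked in person

    def count(self) -> int:
        return sum((self.customer_reported_new_sim,
                    self.enrolled_device,
                    self.verified_in_branch))


def phone_confirmation_allowed(
    last_sim_change: Optional[datetime],
    lookup_succeeded: bool,
    signals: SwapSignals,
    now: datetime,
) -> Tuple[bool, str]:
    """Decide whether an SMS/voice confirmation to this number can be trusted."""
    if not lookup_succeeded:
        # Fail closed: without operator data the number cannot be trusted.
        return False, "swap status unknown"
    if last_sim_change is None:
        return True, "no swap on record"
    age = now - last_sim_change
    # A timestamp in the future (clock skew) is treated as a fresh swap.
    if age > RECENT_SWAP_WINDOW:
        return True, "swap older than window"
    if signals.count() >= MIN_CORROBORATING:
        return True, "recent swap corroborated"
    return False, "recent uncorroborated swap"
```

When the function returns False, the transaction is not confirmed over that phone number and has to be verified some other way.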
If the banks move quickly they can cut off yet another of the fraudster’s routes into our money and at the same time improve their own customer service. SIMple!