Blog article
See all stories »

SIM swaps - a growing problem with a SIMple solution

Suddenly there seems to be a lot more talk about SIM swaps. If you don’t know, this is when a fraudster, using social engineering techniques, dupes the victim’s mobile phone operator into porting the victim’s mobile number to a SIM in the possession of the fraudster and so starts receiving any incoming calls and text messages, including banking one-time-passcodes, that are sent to the victim’s phone number. Number porting is a common request and is therefore relatively easy for professional fraudsters to perpetrate

The fraudster can then perform transactions over a range of banking services such as Internet banking, and when the bank tries to verify the transaction via the mobile, by either a voice call or SMS, the fraudster is able to confirm it and the transaction is authorised. Intriguingly, there are significant regional variations – SIM swapping is does not appear to be an issue in the US, but relatively common in  Australia, Brazil, Malaysia, Mexico, Portugal, South Africa and increasingly so in the UK, for example. The US situation is interesting since it may well be that SIM Swap fraud, being more complex than card skimming, is either not prevalent (card skimming is easier to commit) or is not being reported.

SIM Swap fraud is a type of Spear Phishing (targeted) attack. It is more complex than Phishing (duping) and is particularly insidious. The bad news is that a fraudster has decided to target an individual and has sufficient knowledge of the individual’s personal details to be able to carry out these attacks. Also, because the attack is typically cross channel, individuals will not intuitively deduce that they are under attack - how many people would immediately suspect that their bank account was under attack if they suddenly stopped receiving calls on their mobile, for example?

The good news is that there is a technological solution to the problem. It is already possible to tell if a mobile number has been ported, then prevent transactions being authorised using that particular phone unless other indicators suggest the swap was in fact legitimate.

If the banks move quickly they can cut off yet another of the fraudster’s routes into our money and at the same time improve their own customer service. SIMple!


Comments: (1)

Andrew Churchill
Andrew Churchill - MIDAS Alliance - London 21 March, 2012, 12:06Be the first to give this comment the thumbs up 0 likes

I agree with your points on the SIM swap itself, which is an interesting area in its own right.

I assume you're referring to the furore around SIM replacement in last week's Trusteer report 'Mobile Banking bypassed by fiendish malware blag' (** and others).

Trusteer's report also missed some more fundamental issues in this regard.

Point 1 is that there is no point capturing an out of band OTP on the device itself if the transaction authentication is then typed back into the PC (as typically for online banking), as the attacker is passed it anyway in any man in middle/browser etcetera attacks (in a poor implementation of out of band authentication).

Point 2, however, is that if the transaction authentication goes back over the out of band channel, as it must to avoid the primary channel intercept, then unless it's a simple 'Yes it's me', 'No it's not me' choice that's sent out (in which case the SIM replacement clearly does work, as the attacker sends back the response 'Yes it's me') then the attacker would need to either know the PIN the bank's expecting to authorise 'Yes it's me', or be able to spoof the biometric response expected, or whatever else is being used as the second factor (under a proper implementation of out of band authenticatinon).

So Trusteer have found a fairly time-consuming attack,which dramatically impacts the criminals risk/reward, as they need to be physically present themselves during the scam, in the jurisdiction the offence is being committed in - much higher risk, and lower reward due to the time involved, than purely cyber attacks.

And the scam only works against banks that didn't think through the implementation in the first place (oh, sorry - point taken - that's probably an awful of banks!)

NB ** the Register also incorrectly state that a trojan is used in both variants of the attack despite referring to the first one as using a phishing attack to obtain the static data. There's clearly no point phishing if you've a trojan on board!

Pat Carroll

Pat Carroll

Founder/Executive Chairman


Member since

17 Mar 2011



Blog posts




More from Pat

This post is from a series of posts in the group:

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

See all