SIM Swap fraud: fend off attacks with lies, says Foursys
April 2016 by Foursys
Foursys - cybersecurity specialists for more than 20 years - today warns mobile users of SIM Swap fraud or SIM Splitting, a financially-motivated mobile phone threat, is gaining momentum.
Remote banking losses increased significantly last year, according to the latest FFA UK (Financial Fraud Action UK) report. “Total remote banking loses increased by 72 per cent to £168.6 million in 2015. A key driver of this increase was the rise in impersonation and deception scams in which a criminal dupes the victim into giving away their personal and security details. The criminal then uses these details to gain access to their victim’s remote banking account.”
SIM SWAP fraud explained
SIM Swap is the process of replacing your mobile’s existing SIM card with a new one. SIM swapping is often useful, letting you to keep your existing mobile number when you change to a handset requiring a different SIM card type. However, financially-motivated criminals have found a loophole in this process
Armed with a mobile phone and a blank SIM card, the phone hackers pretend to be the victim when they contact the victim’s telecommunication provider saying the mobile has been stolen. The plan is to get the operator to cancel the existing SIM card, on the victim’s phone, and activate the new SIM on the criminal’s phone.
“Before SIM swaps are authorised, many mobile providers verify the identity of the caller using security questions, a process that’s certainly not foolproof,” said James Miller, Managing Director at Foursys. “Some answers may have unwittingly been shared online by target victims, let alone by someone in their social networks. How many people name their pet, favourite restaurant or primary school on social media sites? Scouring social media profiles, can prove very useful indeed to a criminal wanting to conduct fraud.”
The window of opportunity starts to close as soon as the SIM Swap victim notices that his/her mobile is no longer working and raises the alarm.
Once texts and calls are rerouted to the fraudster’s handset, the criminals work quickly to reset passwords, locking the victim out of his/her accounts, before authorising bank transactions or securing loans in the victim’s name.
Recent Sim Swap victims include Nottingham-based Chris Sims, whose bank account was emptied of its £1,200. The criminals also applied for a £8,000 loan in his name, reported The Guardian on Saturday.
“Security questions based on supposedly secret information are far too easy for criminals to defeat, given the huge amounts of data about ourselves available online”, said John Hawes, Chief of Operations at Virus Bulletin. “Any system which still uses this out-dated mechanism really needs to rethink its approach. In the interim, Foursys’s recommendation to fabricate falsehoods for the security questions is a smart one.”
SIM Swap: preventative tips from Foursys
Foursys recommends that mobile users concerned about SIM Swap fraud consider the following preventative action.
• Contact your mobile operator immediately if you stop receiving calls or texts unexpectedly. Don’t assume it is a technical fault that will resolve itself.
• Ensure passwords are long, complex and known only to you. Consider using a reputable password manager if you think you might forget them.
• Consider using made-up answers to the security questions to ensure your publicly available information cannot be used to identify you and store these securely.
• Use up-to-date security software on your computer and systems to block email phishing scams. _ • Carefully dispose of phone bills and other paper work detailing sensitive information, such as shredding or incinerating.
• Remove apps that you do not use from your devices. If you don’t use your bank’s mobile app, remove it from your phone.
“Think of these criminals as truffle-hunting piggies,” said Miller. “There are out there looking for opportunity as they sniff out their next victims. Your job is to stay out of their way and ensure you are as unattractive a target as possible.”