Join the Community

21,920

Expert opinions

43,977

Total members

405

New members (last 30 days)

169

New opinions (last 30 days)

28,652

Total comments

Join Sign in

SIM swaps - a growing problem with a SIMple solution

20 March 2012 1 comment

Pat Carroll

Founder/Executive Chairman

ValidSoft

Suddenly there seems to be a lot more talk about SIM swaps. If you don’t know, this is when a fraudster, using social engineering techniques, dupes the victim’s mobile phone operator into porting the victim’s mobile number to a SIM in the possession of the fraudster and so starts receiving any incoming calls and text messages, including banking one-time-passcodes, that are sent to the victim’s phone number. Number porting is a common request and is therefore relatively easy for professional fraudsters to perpetrate

The fraudster can then perform transactions over a range of banking services such as Internet banking, and when the bank tries to verify the transaction via the mobile, by either a voice call or SMS, the fraudster is able to confirm it and the transaction is authorised. Intriguingly, there are significant regional variations – SIM swapping is does not appear to be an issue in the US, but relatively common in Australia, Brazil, Malaysia, Mexico, Portugal, South Africa and increasingly so in the UK, for example. The US situation is interesting since it may well be that SIM Swap fraud, being more complex than card skimming, is either not prevalent (card skimming is easier to commit) or is not being reported.

SIM Swap fraud is a type of Spear Phishing (targeted) attack. It is more complex than Phishing (duping) and is particularly insidious. The bad news is that a fraudster has decided to target an individual and has sufficient knowledge of the individual’s personal details to be able to carry out these attacks. Also, because the attack is typically cross channel, individuals will not intuitively deduce that they are under attack - how many people would immediately suspect that their bank account was under attack if they suddenly stopped receiving calls on their mobile, for example?

The good news is that there is a technological solution to the problem. It is already possible to tell if a mobile number has been ported, then prevent transactions being authorised using that particular phone unless other indicators suggest the swap was in fact legitimate.

If the banks move quickly they can cut off yet another of the fraudster’s routes into our money and at the same time improve their own customer service. SIMple!

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

9645

Report

Channels

/security

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

Join group

204 opinions 63 members 08 February 2023

Comments: (1)

Andrew Churchill ID & Authentication Standards author at MIDAS Alliance

21 March 2012

I agree with your points on the SIM swap itself, which is an interesting area in its own right.

I assume you're referring to the furore around SIM replacement in last week's Trusteer report 'Mobile Banking bypassed by fiendish malware blag' (http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/** and others).

Trusteer's report also missed some more fundamental issues in this regard.

Point 1 is that there is no point capturing an out of band OTP on the device itself if the transaction authentication is then typed back into the PC (as typically for online banking), as the attacker is passed it anyway in any man in middle/browser etcetera attacks (in a poor implementation of out of band authentication).

Point 2, however, is that if the transaction authentication goes back over the out of band channel, as it must to avoid the primary channel intercept, then unless it's a simple 'Yes it's me', 'No it's not me' choice that's sent out (in which case the SIM replacement clearly does work, as the attacker sends back the response 'Yes it's me') then the attacker would need to either know the PIN the bank's expecting to authorise 'Yes it's me', or be able to spoof the biometric response expected, or whatever else is being used as the second factor (under a proper implementation of out of band authenticatinon).

So Trusteer have found a fairly time-consuming attack,which dramatically impacts the criminals risk/reward, as they need to be physically present themselves during the scam, in the jurisdiction the offence is being committed in - much higher risk, and lower reward due to the time involved, than purely cyber attacks.

And the scam only works against banks that didn't think through the implementation in the first place (oh, sorry - point taken - that's probably an awful of banks!)

NB ** the Register also incorrectly state that a trojan is used in both variants of the attack despite referring to the first one as using a phishing attack to obtain the static data. There's clearly no point phishing if you've a trojan on board!

Report

Pat Carroll

Founder/Executive Chairman

ValidSoft

Member since

17 Mar 2011

Location

London

More expert opinions

Sara Costantini Regional Director for the UK and Ireland at CRIF