FraudFit

Fraud Risk Consulting

SIM swap – Fact & Fiction

SIM swap targets many aspects of online finance

There are few things likely to spoil your day more than finding someone has emptied your bank account.  The media is awash with reports of SIM swap fraud, and BBC Watchdog flayed mobile operators over this issue but how many of these reporters understand the issue and report it accurately?  It’s time to separate fact from fiction …

What is SIM swap?

SIM swap is a normal process used by mobile network operators when replacing lost phones & SIM cards or when a customer changes mobile device and needs a different format SIM card.  SIM swap fraud is the term commonly used to describe unauthorised SIM swap, most frequently in relation to banking frauds.  Fraudsters use a combination of methods including malware, web scraping and social engineering to acquire enough information to pass customer authentication, take over the customer’s mobile account and then request a fraudulent SIM swap.

The history of SIM swap abuse

The earliest incidence of SIM swap abuse that I can recall was 1998/9 and related to the issue of ‘gold number’ theft.  Gold Numbers are memorable numbers – e.g. 07766 777666 which were sold via mobile dealers in the same way as vanity number plates, with some being valued in excess of £10,000.  Relatively immature customer verification processes meant that mobile customers sometimes found they had no service because their numbers had been stolen via account takeover.  Some unlucky customers with very attractive mobile numbers had their numbers stolen multiple times.  There was also a secondary issue where dormant numbers were identified and sold by staff.

The majority of online systems rely on a combination of factors to verify user identity:

  • something you have – a device or token
  • something you know – a PIN or password
  • something you are – a biometric value

In the late 2000’s, some banks implemented SMS one-time passwords on the basis that the customer’s mobile number was ‘something you have’ and believing it provided 2-factor authentication to help secure online banking transactions. 

ING and Santander introduced SMS one-time passwords

The weakness of this concept was demonstrated in 2010, by the Zeus Gang, a criminal enterprise which developed malware targeted at online banking, and which particularly affected ING and Santander.  The fraud process is shown below:

Fraudsters defeating SMS one-time passwords
  1. Fraudsters used a phishing email and/or malware to gain access to the victim’s computer and bank account
  2. Fraudsters then used the customer’s personal data from his/her computer to arrange a SIM swap
  3. Then the fraudster logged into the customer’s bank account and created a fraudulent transaction
  4. The SMS authentication code sent by the bank was received by the fraudster, not the customer
  5. Fraudsters then input the SMS authentication code to verify the transaction and the bank allowed it to proceed.

The forward-thinking Zeus gang, anticipating that SIM swaps would become more difficult, then rolled out their nextgen product, ZITMO (Zeus in the Mobile) a mobile malware application which forwarded the bank’s SMS to the fraudster from the customer’s mobile without alerting the victim and without the need for a SIM swap.

The next surge in coverage of SIM swap activity arrived in the wake of the cryptocurrency boom.  The first incident I remember was in 2016, and concerned SIM swap in relation to bitcoin.  Hackers ported the victim’s mobile number to another network then reset the passwords for all his email accounts.  Within 7 minutes they had taken over 30 accounts including 2 banks, PayPal and 2 bitcoin wallets; the victim lost the equivalent of millions of dollars worth of bitcoin. 

Media Coverage

I believe media coverage of SIM swap started in South Africa, which was one of the first SIM swap took hold, and had spread globally by 2012.  Since then, SIM swap abuse has been regularly re-discovered and covered by reporters, professional advisers and bloggers.  In 2018, there were a number of significant cryptocurrency losses reported and, in the US, an investor named Michael Turpin filed an action against AT&T claiming it failed to protect his privacy and allowed hackers to steal $24 million in cryptocurrency from his wallet. 

In October 2018, BBC Watchdog ran a report about a banking fraud where the victim, a woman named Olga, had her bank account emptied by a fraudster.  It reported that a criminal managed to obtain a new SIM for her EE mobile account without showing photo ID, then used the SIM to authorise transactions on her bank account.  Olga’s bank initially refused to refund her money, blaming her for not keeping her details safe, but eventually repaid the money into her account (10 months after the theft).

Watchdog then showed video of attempts to obtain unauthorised replacement SIMs in a selection of UK mobile phone stores.  In two Vodafone stores and five O2 stores, staff failed to follow company procedure and handed over new SIM cards.  The programme is no longer available online, but BBC’s news coverage of the story is available here.

What BBC Watchdog didn’t tell you …

As you now know, this isn’t a new issue.  What the Watchdog team may not have known is that in January 2011, the UK Payments Association (representing 13 UK retail banks and all the major banking groups including Bank of America and Citibank) contacted the GSM Association.  At that time, GSMA represented some 600 mobile operators globally.  UKPA requested assistance in ‘countering the use of mobile devices as an enabler to commit banking fraud’.  The GSMA Fraud Forum (which included representatives from the major mobile networks) liaised with UKPA in order to define and measure the problem and, since UKPA was unable to provide representative data, GSMA conducted a survey amongst its global membership. 

Around this time, smartphone sales were really taking off (770 million devices over 2010 and 2011) and because many required a change from a full-size SIM to a micro SIM, mobile networks globally were performing something like 25 million SIM swaps per month.  The GSMA Fraud Forum survey (which I believe was representative) showed 150 frauds per million SIM swaps i.e. 0.015%.

In joint discussions, UKPA wanted the mobile operators to increase their customer authentication controls in order to prevent fraudulent SIM swaps and representatives of some banks argued that failure to do so could result in mobile operators being held liable for the banking frauds.  During some lively debate, I pointed out that:

  1. These frauds were a consequence of failed online banking security
  2. The fraudsters already had access to the victim’s bank account before the SIM swap took place
  3. The banks had not involved the mobile operators in implementing SMS authentication
  4. A mobile number is not actually ‘something you have’ and therefore cannot reliably be used for 2-factor authentication. 

Following wider consultation amongst mobile operators, the GSMA Fraud Forum response to UKPA was that:

  • Customer authentication controls were set at the appropriate standard for the delivery of mobile services and increasing authentication controls would inconvenience the 99.985% genuine customers whose SIM swap transactions were not fraudulent
  • Increasing authentication controls would increase mobile operator costs – were the banks prepared to contribute towards those costs?
  • GSMA members would be happy to work with the banks to help develop countermeasures against online fraud – were the banks prepared to establish joint project funding?

Neither UKPA nor its member banks took up the offer to establish a joint project and the discussion ended with GSMA advising UKPA that SMS one-time password was not a secure means of authenticating financial transactions.   This position was subsequently echoed by the U.S. National Institute of Standards and Technology.

Although a number of banks and operators subsequently collaborated independently, none of those collaborations led to anything other than local solutions.  The mobile operators supported the banks by responding with countermeasures such as:

  • advance SMS notice of SIM swap to the connected SIM and/or
  • only connecting replacement SIMs which have been sent to the customer’s home address (this wouldn’t work in all markets as some homes don’t have addresses or delivery services). 

The countermeasures reduced unauthorised SIM swaps by over 90% and have subsequently been followed by improved customer authentication, although most of these improvements were driven by concerns about Data Protection and GDPR.  In spite of this, the Watchdog team were still able to find mobile operator staff who are more concerned with satisfying the ‘customer’ than with data security.

Watchdog didn’t tell you that:

  • SIM swap abuse has been a known issue for 20 years
  • The victim bank account is already compromised before the SIM swap
  • The banks have been aware of SIM swap since 2010 (and probably earlier) and, in 2011, received telecoms expert advice that SMS one-time password was not secure
  • In March 2016, another BBC programme, You & Yours, had already used SIM swap to access and transfer money from the You & Yours producer’s NatWest bank account – details here

Watchdog reported a banking fraud, interviewed the victim on camera, highlighted the issue of SIM swap and then roasted the mobile operators for shoddy in-store identity verification.  My sympathy is with fraud victims, so I fully support the roasting, but if the team is really into consumer protection, why didn’t they address the root cause and:

  • identify the bank
  • ask why it was knowingly using an insecure process
  • ask why it took 10 months to reimburse the victim
  • ask the Financial Conduct Authority what data it keeps on SIM swap? (neither the FCA nor its subsidiary, the Payment Systems Regulator, mention SIM swap on their websites)

The Banks implemented SMS one-time passwords because it was simple and cheap; unfortunately, it was also insecure.  I’m ashamed to say that some mobile operators actively contributed to the issue by selling SMS one-time password as a means of transaction authentication.  Do you think any of those sales guys considered liability issues before they collected their commissions?

Despite having no involvement in the design or operation of the SMS one-time authentication, the Banks, and the media, blamed the mobile operators.  In 2016, after You & Yours accessed a NatWest bank account without knowing the customer number, PIN or any passwords, Chris Popple, managing director of NatWest Digital, inferred that the bank’s ineffective security was a mobile issue:

This is a cross-industry problem, particularly with us, and the telecom companies. We are working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be

Chris Popple

(my emphasis). 

So, where do we go from here?

The SIM swap genie is out of the bottle.  Criminals are now utilising SIM swaps against all banks, whether the bank uses SMS one-time passwords or not.  When they’ve accessed a bank account but cannot create their own account as a new payee, the criminals make transfers to existing payees.  Having engineered a SIM swap, they call the payee from the victim’s number, explain there has been a mistake and ask the payee to transfer the money to the ‘correct’ account, i.e. theirs.

Technology is moving on and telecoms is starting to see the adoption of eSIM (the latest iPhone software update includes an eSIM bug fix).  eSIM removes the need for a separate SIM card and holds the relevant information on a chip in the mobile device which is rewritable and programable over the air.  Migration to eSIMs won’t solve SIM-swapping and may increase criminal attempts to recruit insiders in mobile operators as this could enable them to quickly make and then reverse a SIM swap over the air without the victim being aware that anything has happened.

The core issue is not the SIM, it’s online identity. These frauds are a consequence of people assuming that SIM = identity; well, it might, but it might not … 

Banking and mobile are now inextricably linked and you and I, and our parents and our children, need it to be secure and reliable – but where is the formal structure to ensure that?  We know from recent experience that blaming the banks and the telcos is futile as it doesn’t make the process any more secure. 

Most importantly, who is accountable for ensuring that future technology, products and services are secure, straight out of the box? 

Unless we, as consumers, start to exert pressure, nothing’s going to change

International Interconnect Bypass – time for a re-think?

In November 2017, I presented on the risks of Missing Trader VAT Fraud (MTIC), at the excellent AFRAGS 2017, the Araxxe Seminar in Lyon.  During the event, whilst I was listening to a case study and discussion on Interconnect Fraud Detection, I heard something a couple of things about bypass which sent shivers down my spine.  I can’t give you an exact quote, but the first was along the lines of:

“Because of net neutrality, Viber to Viber is OK”

Continue reading

What are you doing about Call Replay – is it spying or fraud?

What is Call Replay?

Over the last 2 years, I’ve been aware of periodic complaints from customers on different mobile networks who claim their calls have been recorded.  The customers report that during the call they notice they aren’t hearing live audio from the other party, but a recording, replaying audio content from earlier in the conversation.  I have experienced it myself and remember thinking the other party was repeating himself but then realising I was hearing exactly what he had said previously, and in fact the call content was being replayed.

Continue reading

Telecoms Corruption Fuels SIMbox Fraud

I thought Telcos could benefit from my interview with a SIMboxer, or, more precisely, a former SIMboxer.  I’ve been aware of SIMboxing since 2002, and was involved in legal proceedings with one major SIMbox enterprise from 2003 to 2013, when their final appeal was thrown out by the European Court of Justice.  I’ve been learning about SIMboxing all that time, so why would I want to talk to a former SIMboxer?  Well, first, nobody knows everything.  Second, much of the Telco ‘knowledge’ is second-hand or inferred – are you sure what you ‘know’ is accurate?  One option is to verify your data at source, so I talked with ‘Dan’, the SIMbox man.

Continue reading

Ericsson Bribery & Corruption – too little, too late?

Did you see press coverage of the Ericsson bribery and corruption allegations in November 2016?  Perhaps you were shocked.  Maybe you felt disappointed that another industry icon had failed to live up to its image.  I hadn’t really been aware of the allegations previously and I was surprised that Ericsson had screwed up so badly.  I was sufficiently curious to research the history of events that led up to the damaging headlines, to see what lessons can be learned.  Here is what I found…

Continue reading

POCA and Telecoms Crime

For some time I have been highlighting the failure of UK authorities to deal with the proceeds of telecoms crime.  TelCos agree that crime would be reduced if payment didn’t reach the fraudsters, but they don’t have a consistent and effective means of stopping those payments.  POCA (Proceeds of Crime Act 2002) creates powers to seize funds via both civil and criminal courts but UK authorities have failed to make any visible effort to use it.

Continue reading

UK’s Worrying Open Door to Telecoms Crime

Here’s a quick recap for new readers.  Global telecoms crime is worth USD 38 billion. Money is being laundered and terrorists are being financed. Despite their hard work, the TelCos haven’t been unable to make a significant impact and international frauds continue unchecked. The TelCos agree that crime would be reduced if payment didn’t reach the fraudsters – but, after years of discussion, still can’t agree how to block those payments.

Continue reading

Interpol President warns of escalating telecoms fraud

Delegates at the recent 85th Interpol General Assembly in Bali have elected China’s Meng Hongwei as their new President. Mr Meng, who describes himself as a veteran policeman, will take up his duties immediately. He said he stands ready to do everything he can towards the cause of policing in the world. I noticed he mentioned ‘telecoms fraud’ in his address:

“We currently face some of most serious global public security challenges since World War Two. Terrorism is spreading; Cybercrime is arising; telecoms fraud is escalating; all kinds of traditional and non-traditional transnational crimes are rising.”

Continue reading

Fraud Risk – who owns the fraud risk in the new Dumb Pipe?

Over the past few days, you may have seen some interesting news reports describing a shift from the current telecoms models. According to Reuters, Vimpelcom is re-inventing itself and moving away from selling voice calls and data to offer a single, app-based platform where users can communicate for free. Great for consumers but where do you make a profit?  And if you’re changing the operating model, what happens to the fraud risk?

Continue reading

International Fraud Awareness Week

International Fraud Awareness Week is promoted by the Association of Certified Fraud Examiners (ACFE) and runs from November 13-19.

One of my contributions is to share this brilliant 90-second video made by the UK Credit Industry Fraud Avoidance Scheme  (CIFAS).  It was made with real customers in real time and the message is clear – don’t make it easy for fraudsters.  Help reduce the risk of Identity Theft by sending this link to everyone who needs to see this message.

Continue reading

« Older posts

© 2019 FraudFit

Theme by Anders NorenUp ↑