SIM swap targets many aspects of online finance

There are few things more likely to spoil your day than finding that someone has emptied your bank account.  The media is awash with reports of SIM swap fraud, and BBC Watchdog flayed the mobile operators over the issue, but how many of those reporters understand it and report it accurately?  It’s time to separate fact from fiction …

What is SIM swap?

SIM swap is a normal process used by mobile network operators when replacing lost or stolen phones and SIM cards, or when a customer changes device and needs a different SIM form factor.  SIM swap fraud is the term commonly used for an unauthorised SIM swap, most often in connection with banking fraud.  Fraudsters use a combination of malware, web scraping and social engineering to gather enough information to pass the operator’s customer authentication, take over the customer’s mobile account and then request a SIM swap onto a SIM they control.

The history of SIM swap abuse

The earliest incident of SIM swap abuse that I can recall was in 1998/9 and related to ‘gold number’ theft.  Gold numbers are memorable numbers, e.g. 07766 777666, which were sold through mobile dealers in the same way as vanity number plates, some being valued in excess of £10,000.  Relatively immature customer verification processes meant that mobile customers sometimes found they had no service because their numbers had been stolen via account takeover.  Some unlucky customers with very attractive numbers had them stolen multiple times.  There was also a secondary problem of dormant numbers being identified and sold by staff.

The majority of online systems rely on a combination of factors to verify user identity:

  • something you have – a device or token
  • something you know – a PIN or password
  • something you are – a biometric value

In the late 2000s, some banks implemented SMS one-time passwords on the basis that the customer’s mobile number was ‘something you have’, believing this gave them 2-factor authentication for online banking transactions.

ING and Santander introduced SMS one-time passwords

The weakness of this concept was demonstrated in 2010 by the Zeus gang, a criminal enterprise that developed malware targeting online banking and which particularly affected ING and Santander.  The fraud process is shown below:

Fraudsters defeating SMS one-time passwords
  1. Fraudsters used a phishing email and/or malware to gain access to the victim’s computer and bank account
  2. Fraudsters then used the customer’s personal data from his/her computer to arrange a SIM swap
  3. Then the fraudster logged into the customer’s bank account and created a fraudulent transaction
  4. The SMS authentication code sent by the bank was received by the fraudster, not the customer
  5. Fraudsters then input the SMS authentication code to verify the transaction and the bank allowed it to proceed.

The forward-thinking Zeus gang, anticipating that SIM swaps would become more difficult, then rolled out their next-generation product, ZITMO (Zeus in the Mobile), a mobile malware application that forwarded the bank’s SMS from the customer’s phone to the fraudster without alerting the victim and without the need for a SIM swap.

The next surge in coverage of SIM swap activity arrived in the wake of the cryptocurrency boom.  The first incident I remember was in 2016 and concerned SIM swap in relation to bitcoin.  The attackers ported the victim’s mobile number to another network (a port-out rather than a SIM swap, but with the same effect: the number, and every SMS sent to it, now terminated on a device they controlled) and then reset the passwords on all of his email accounts.  Within 7 minutes they had taken over 30 accounts, including 2 banks, PayPal and 2 bitcoin wallets; the victim lost the equivalent of millions of dollars’ worth of bitcoin.

Media Coverage

I believe media coverage of SIM swap started in South Africa, one of the first markets in which SIM swap fraud took hold, and had spread globally by 2012.  Since then, SIM swap abuse has been regularly re-discovered and covered by reporters, professional advisers and bloggers.  In 2018 there were a number of significant cryptocurrency losses reported and, in the US, an investor named Michael Terpin filed an action against AT&T claiming that it failed to protect his privacy and allowed hackers to steal $24 million in cryptocurrency from his wallet.

In October 2018, BBC Watchdog ran a report about a banking fraud where the victim, a woman named Olga, had her bank account emptied by a fraudster.  It reported that a criminal managed to obtain a new SIM for her EE mobile account without showing photo ID, then used the SIM to authorise transactions on her bank account.  Olga’s bank initially refused to refund her money, blaming her for not keeping her details safe, but eventually repaid the money into her account (10 months after the theft).

Watchdog then showed video of attempts to obtain unauthorised replacement SIMs in a selection of UK mobile phone stores.  In two Vodafone stores and five O2 stores, staff failed to follow company procedure and handed over new SIM cards.  The programme is no longer available online, but BBC’s news coverage of the story is available here.

What BBC Watchdog didn’t tell you …

As you now know, this isn’t a new issue.  What the Watchdog team may not have known is that in January 2011, the UK Payments Association (representing 13 UK retail banks and all the major banking groups including Bank of America and Citibank) contacted the GSM Association.  At that time, GSMA represented some 600 mobile operators globally.  UKPA requested assistance in ‘countering the use of mobile devices as an enabler to commit banking fraud’.  The GSMA Fraud Forum (which included representatives from the major mobile networks) liaised with UKPA in order to define and measure the problem and, since UKPA was unable to provide representative data, GSMA conducted a survey amongst its global membership. 

Around this time smartphone sales were really taking off (770 million devices across 2010 and 2011) and, because many required a change from a full-size SIM to a micro SIM, mobile networks globally were performing something like 25 million SIM swaps per month.  The GSMA Fraud Forum survey (which I believe was representative) showed 150 frauds per million SIM swaps, i.e. 0.015%, or roughly 3,750 fraudulent swaps a month at that volume.

In joint discussions, UKPA wanted the mobile operators to increase their customer authentication controls in order to prevent fraudulent SIM swaps and representatives of some banks argued that failure to do so could result in mobile operators being held liable for the banking frauds.  During some lively debate, I pointed out that:

  1. These frauds were a consequence of failed online banking security
  2. The fraudsters already had access to the victim’s bank account before the SIM swap took place
  3. The banks had not involved the mobile operators in implementing SMS authentication
  4. A mobile number is not actually ‘something you have’ and therefore cannot reliably be used for 2-factor authentication. 

Following wider consultation amongst mobile operators, the GSMA Fraud Forum response to UKPA was that:

  • Customer authentication controls were set at the appropriate standard for the delivery of mobile services, and increasing them would inconvenience the 99.985% of customers whose SIM swap transactions were genuine
  • Increasing authentication controls would increase mobile operator costs – were the banks prepared to contribute towards those costs?
  • GSMA members would be happy to work with the banks to help develop countermeasures against online fraud – were the banks prepared to establish joint project funding?

Neither UKPA nor its member banks took up the offer of a joint project, and the discussion ended with GSMA advising UKPA that SMS one-time password was not a secure means of authenticating financial transactions.   This position was subsequently echoed by the U.S. National Institute of Standards and Technology, whose SP 800-63B (2017) classes one-time codes delivered by SMS or voice as a restricted authenticator and directs verifiers to treat SIM changes and number porting as risk indicators before relying on them.

Although a number of banks and operators subsequently collaborated independently, none of those collaborations led to anything other than local solutions.  The mobile operators supported the banks by responding with countermeasures such as:

  • advance SMS notice of SIM swap to the connected SIM and/or
  • only connecting replacement SIMs which have been sent to the customer’s home address (this wouldn’t work in all markets as some homes don’t have addresses or delivery services). 
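The five-step fraud process described earlier and the ‘advance SMS notice’ countermeasure in the list above can be put side by side in a small model.  This is an added example, not code from the article or from any operator or bank: it models the operator as a routing table from mobile number to currently connected SIM, the bank as sending its one-time code to the number on file, and the notice as a hold window announced to the connected SIM before the swap activates.  The class and function names, the hold period, the sample number and the message formats are all assumptions made for the example.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Sim:
    """A SIM card (or eSIM profile). Whoever holds it can read its inbox."""
    label: str                                     # constructed label, not a real ICCID
    inbox: List[str] = field(default_factory=list)


class Operator:
    """Mobile network: an SMS to a number goes to whichever SIM is connected to it."""

    def __init__(self, hold_seconds: int = 0) -> None:
        self.hold_seconds = hold_seconds                     # 0 = swap takes effect at once
        self.routing: Dict[str, Sim] = {}                    # msisdn -> connected SIM
        self.pending: Dict[str, Tuple[Sim, int]] = {}        # msisdn -> (new SIM, activation time)

    def connect(self, msisdn: str, sim: Sim) -> None:
        self.routing[msisdn] = sim

    def deliver_sms(self, msisdn: str, text: str) -> None:
        self.routing[msisdn].inbox.append(text)

    def request_sim_swap(self, msisdn: str, new_sim: Sim, now: int) -> None:
        """Customer care has accepted a swap (the requester passed account authentication)."""
        if self.hold_seconds == 0:
            self.routing[msisdn] = new_sim                   # the number moves immediately
            return
        # Countermeasure: warn the SIM that is connected now, and hold the swap.
        self.pending[msisdn] = (new_sim, now + self.hold_seconds)
        self.deliver_sms(msisdn, "SWAP-NOTICE: a replacement SIM will activate in "
                                 f"{self.hold_seconds}s. Contact us if you did not request it.")

    def cancel_sim_swap(self, msisdn: str) -> None:
        self.pending.pop(msisdn, None)

    def process_pending(self, msisdn: str, now: int) -> None:
        """Activate a held swap once its hold period has elapsed."""
        if msisdn in self.pending:
            new_sim, activate_at = self.pending[msisdn]
            if now >= activate_at:
                self.routing[msisdn] = new_sim
                del self.pending[msisdn]


class Bank:
    """Bank that confirms a payment with a one-time code sent to the number on file."""

    def __init__(self, operator: Operator) -> None:
        self.operator = operator
        self.msisdn: Dict[str, str] = {}
        self.balance: Dict[str, int] = {}
        self.pending_otp: Dict[str, Tuple[str, int]] = {}   # account -> (code, amount)

    def open_account(self, account: str, msisdn: str, balance: int) -> None:
        self.msisdn[account] = msisdn
        self.balance[account] = balance

    def start_payment(self, account: str, amount: int) -> None:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_otp[account] = (code, amount)
        # The bank only knows a number; it cannot see which SIM, or whose, receives this.
        self.operator.deliver_sms(self.msisdn[account], f"Your payment code is {code}")

    def confirm_payment(self, account: str, code: Optional[str]) -> bool:
        expected, amount = self.pending_otp.pop(account)
        if code is None or not secrets.compare_digest(code, expected):
            return False
        self.balance[account] -= amount
        return True


def latest_otp(sim: Sim) -> Optional[str]:
    """What the holder of a SIM can read: the most recent payment code, if any."""
    for text in reversed(sim.inbox):
        match = re.search(r"payment code is (\d{6})", text)
        if match:
            return match.group(1)
    return None


def saw_swap_notice(sim: Sim) -> bool:
    return any(text.startswith("SWAP-NOTICE") for text in sim.inbox)


def run_fraud(hold_seconds: int, victim_reads_notice: bool,
              attacker_waits: bool) -> Tuple[bool, int]:
    """Replay steps 1-5 of the fraud; returns (payment confirmed?, victim's balance)."""
    operator = Operator(hold_seconds)
    bank = Bank(operator)
    victim_sim, attacker_sim = Sim("constructed-victim"), Sim("constructed-attacker")
    number = "+447700900123"                                  # constructed (UK drama range)
    operator.connect(number, victim_sim)
    bank.open_account("acct-1", number, 1000)

    now = 0
    # Steps 1-2: credentials and personal data already stolen; the fraudster passes the
    # operator's customer authentication and requests a swap onto a SIM he holds.
    operator.request_sim_swap(number, attacker_sim, now)
    if victim_reads_notice and saw_swap_notice(victim_sim):
        operator.cancel_sim_swap(number)
    if attacker_waits:
        now += hold_seconds
    operator.process_pending(number, now)
    # Steps 3-5: log in, create a payment, read the code from the SIM he holds, confirm.
    bank.start_payment("acct-1", 1000)
    confirmed = bank.confirm_payment("acct-1", latest_otp(attacker_sim))
    return confirmed, bank.balance["acct-1"]


if __name__ == "__main__":
    print("immediate swap:          ", run_fraud(0, True, False))      # (True, 0)
    print("hold, attacker impatient:", run_fraud(3600, False, False))  # (False, 1000)
    print("hold, victim cancels:    ", run_fraud(3600, True, True))    # (False, 1000)
    print("hold, victim ignores it: ", run_fraud(3600, False, True))   # (True, 0)
```

The four scenarios in `run_fraud` spell out the argument in the text.  With an immediate swap the code is delivered to whoever now holds the number, so the bank’s ‘something you have’ check passes for the fraudster: the bank has authenticated the operator’s routing entry, not a device.  The hold only helps while the genuine customer can still read the notice and cancel; a fraudster who waits out the window against an inattentive victim gets exactly the same result as before, which is why an advance notice reduces rather than eliminates the abuse, and why the bank side still needs a factor that is not routed through the mobile number.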

The countermeasures reduced unauthorised SIM swaps by over 90% and were subsequently followed by improved customer authentication, although most of those improvements were driven by concerns about Data Protection and GDPR rather than by fraud.  In spite of this, the Watchdog team were still able to find mobile operator staff who were more concerned with satisfying the ‘customer’ in front of them than with data security.

Watchdog didn’t tell you that:

  • SIM swap abuse has been a known issue for 20 years
  • The victim bank account is already compromised before the SIM swap
  • The banks have been aware of SIM swap since 2010 (and probably earlier) and, in 2011, received telecoms expert advice that SMS one-time password was not secure
  • In March 2016, another BBC programme, You & Yours, had already used SIM swap to access and transfer money from the You & Yours producer’s NatWest bank account – details here

Watchdog reported a banking fraud, interviewed the victim on camera, highlighted the issue of SIM swap and then roasted the mobile operators for shoddy in-store identity verification.  My sympathy is with fraud victims, so I fully support the roasting, but if the team is really into consumer protection, why didn’t they address the root cause and:

  • identify the bank
  • ask why it was knowingly using an insecure process
  • ask why it took 10 months to reimburse the victim
  • ask the Financial Conduct Authority what data it keeps on SIM swap? (neither the FCA nor its subsidiary, the Payment Systems Regulator, mention SIM swap on their websites)

The Banks implemented SMS one-time passwords because it was simple and cheap; unfortunately, it was also insecure.  I’m ashamed to say that some mobile operators actively contributed to the issue by selling SMS one-time password as a means of transaction authentication.  Do you think any of those sales guys considered liability issues before they collected their commissions?

Despite the mobile operators having had no involvement in the design or operation of SMS one-time authentication, the banks, and the media, blamed them.  In 2016, after You & Yours accessed a NatWest bank account without knowing the customer number, PIN or any password, Chris Popple, managing director of NatWest Digital, implied that the bank’s ineffective security was a mobile issue:

This is a cross-industry problem, particularly with us, and the telecom companies. We are working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be

Chris Popple

(my emphasis). 

So, where do we go from here?

The SIM swap genie is out of the bottle.  Criminals now use SIM swaps against all banks, whether or not the bank uses SMS one-time passwords.  When they have accessed a bank account but cannot add an account of their own as a new payee, they make transfers to existing payees instead.  Having engineered a SIM swap, they call the payee from the victim’s own number, explain that there has been a mistake and ask the payee to forward the money to the ‘correct’ account, i.e. theirs.

Technology is moving on and telecoms is starting to see the adoption of eSIM (the latest iPhone software update includes an eSIM bug fix).  eSIM removes the need for a separate SIM card and holds the subscriber profile on a chip in the device that is rewritable and programmable over the air.  Migration to eSIM won’t solve SIM swapping and may increase criminal attempts to recruit insiders at mobile operators, since an insider could quickly make and then reverse a swap over the air without the victim being aware that anything had happened.

The core issue is not the SIM, it’s online identity.  These frauds are a consequence of people assuming that SIM = identity.  A mobile number is an address that the operator routes to whichever SIM it currently has on record, and that record can be changed by anyone who passes the operator’s customer authentication; it might correspond to the customer, but it might not …

Banking and mobile are now inextricably linked and you and I, and our parents and our children, need it to be secure and reliable – but where is the formal structure to ensure that?  We know from recent experience that blaming the banks and the telcos is futile as it doesn’t make the process any more secure. 

Most importantly, who is accountable for ensuring that future technology, products and services are secure, straight out of the box? 

Unless we, as consumers, start to exert pressure, nothing’s going to change.