Saturday, February 16, 2019

20 Recommendations on how to protect yourself from mobile phone SIM Card swap fraud


What exactly is a “SIM-Swap” scam?

Here is one definition: “SIM Swap fraud (also known as Port-Out scam or SIM splitting) is a type of account takeover fraud that generally targets a weakness in two-factor authentication & two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud exploits a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM destination. This feature is normally used where a customer has lost or had their phone stolen.”

This type of fraud is not new. It has been with us for at least three years, but volumes have been low. Judging by the recent preponderance of articles across various jurisdictions, the specifics of this con appear to have been shared across the global community of organized crime. Victims, if they have the courage to report the crime (by present estimates 85% elect not to), have watched their financial accounts, whether banking, trading or crypto, suddenly drop to zero. Law enforcement officials now report a 60% increase over prior complaint levels.



How does this type of fraud work?

This process goes in several steps. The worst part of this fraud is that you may be targeted long before the actual crime takes place.

·         A fraudster obtains your bank account details and your registered mobile phone number through phishing or malware.
·         He approaches your mobile service provider with fake identity documents and, claiming the handset was lost or the SIM damaged, requests a replacement SIM.
·         The swap is typically obtained in one of several ways: using stolen identity details to convince a shop assistant at the mobile network operator (MNO) that they are dealing with the account holder, or using credentials stolen from employees of the operator or its dealers. For contract (bill-pay) customers, a replacement SIM can be issued through the helpdesk by answering personal verification questions such as a home address or work number. Pre-paid customers are harder to impersonate, because the verification questions focus on recent recharges or the last numbers called. With a forged ID document and supporting papers, a swap can also be done in person at a dealer. If the fraudster has a support agent's or dealer assistant's login, the process becomes trivial.
·         The swap is typically performed late at night so the victim does not notice the loss of service. Some fraudsters also pressure the victim into switching the phone off by bombarding them with calls.
·         Once the phone is off, the swap goes unnoticed. Some operators send an SMS warning that a SIM swap has been requested; to stop the victim acting on it, the fraudsters either use the tactic above or call the victim posing as an operator employee and say the SMS was sent in error and should be ignored.
·         Once the operator's verification passes, the original SIM is deactivated and the new one, in the fraudster's hands, takes over the number.
·         He then initiates transactions from your bank account using the details stolen earlier, and the confirmation codes arrive on the duplicate SIM. Because the original SIM is dead, you remain unaware of the fraudulent transactions on your account.



As one security professional noted: “A high proportion of banking customers now have mobile phone numbers linked with their accounts, and so this attack is becoming common in some regions where this attack was not previously so common. Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering.”

Andrew Blaich, a security researcher at Lookout, recently explained in an interview that, “Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through social engineering. It’s a way attackers are attempting to gain access to their target’s cell phone communications. There are many public cases of attackers social engineering their way through a cellular company’s representative to get a SIM card issued for an account the attacker doesn’t own or have access to. It appears to be easy to do as all you need is a willing and susceptible representative at any cellular phone store.”

Mr. Blaich then added: “Once they’ve gained unfettered access to a victim’s phone number, criminals target bank accounts. Many banks will send you a code to log into an account or reset a password to a mobile phone via SMS, which means an attacker committing SIM fraud can request and receive the code and access your bank. Next, SIM fraudsters mask money withdrawals using a parallel system. They create a second bank account under the victim’s name (banks where the victim is already a customer have fewer security checks).”

There has also been a rash of articles detailing how employees of local phone stores have facilitated the scams. Organized crime has used this tactic in many instances around the globe, coercing staff at the low end of the pay scale to pass along critical information. All manner of threats, including threats of physical harm, are used to force compliance with the criminal endeavor.

Can you protect from SIM-Swap scams?

Due to the nature of this scam, it is extremely difficult to detect before it happens. What does happen, once the SIM is swapped, is that your phone literally dies: no messages or calls in or out. If your financial account holders offer it, request alerts by email if and when transfers or major withdrawals take place. SMS alerts to your phone will not reach you, because the number is now on the fraudster's SIM.

Some banks and phone companies are already attacking the issue from a number of other perspectives, too: “There are multiple organizational and technical ways to combat SIM fraud — from introducing user alerting and additional checks for SIM reissuing to sharing knowledge of SIM swap activity between banks and phone companies. Banks can also consider looking for behavioral changes through behavioral analysis technology that can indicate a compromised device. It is possible to check whether your SIM card number and your international mobile subscriber identity (IMSI) are the same. If there is a discrepancy, your bank could contact you by email or landline to check.”
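A bank-side version of the check described in the quotation above, added here as an illustration and not taken from any bank or operator: before sending an SMS code, ask the carrier whether the SIM behind the number has changed recently and whether its IMSI still matches the one captured when the customer enrolled; if either check fails, or the carrier cannot be reached, fall back to the email channel this article recommends and raise an alert. The carrier lookup, its field names, the 72-hour window and the customer and carrier records are all constructed assumptions.

```python
"""Guard an SMS one-time code against a recently swapped SIM (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class EnrolledNumber:
    """What the bank stores when a customer registers a phone number."""
    msisdn: str               # the phone number
    imsi: Optional[str]       # IMSI reported by the carrier at enrolment; None if never captured
    fallback_email: str       # channel that does not depend on the SIM


@dataclass(frozen=True)
class CarrierRecord:
    """What a carrier SIM-swap lookup returns for a number (assumed shape)."""
    imsi: str                  # IMSI of the SIM currently serving the number
    last_sim_change: datetime  # when the carrier last issued a SIM for it


# Constructed carrier data keyed by phone number (not a real API response).
# ...0001 has been stable for a year; ...0002 had a new SIM issued late last night.
CARRIER_DB: Dict[str, CarrierRecord] = {
    "+15550100001": CarrierRecord("310150123456789",
                                  datetime(2018, 3, 2, 10, 0, tzinfo=timezone.utc)),
    "+15550100002": CarrierRecord("310150999999999",
                                  datetime(2019, 2, 15, 23, 40, tzinfo=timezone.utc)),
}

# Fixed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2019, 2, 16, 9, 0, tzinfo=timezone.utc)

# How long after a SIM change the number is treated as untrusted for SMS codes (assumption).
SIM_CHANGE_WINDOW = timedelta(hours=72)


def carrier_lookup(msisdn: str) -> Optional[CarrierRecord]:
    """Stub for an operator SIM-swap lookup; None models an unreachable carrier."""
    return CARRIER_DB.get(msisdn)


def sms_channel_decision(enrolled: EnrolledNumber, now: datetime,
                         lookup: Callable[[str], Optional[CarrierRecord]] = carrier_lookup,
                         window: timedelta = SIM_CHANGE_WINDOW) -> str:
    """Return 'sms_ok', 'carrier_unavailable', 'imsi_mismatch' or 'recent_sim_change'.

    Only 'sms_ok' means the SMS channel may be trusted for a code.
    """
    record = lookup(enrolled.msisdn)
    if record is None:
        return "carrier_unavailable"          # fail closed: nobody can vouch for the SIM
    if enrolled.imsi is not None and record.imsi != enrolled.imsi:
        return "imsi_mismatch"                # the number now lives on a SIM the bank never saw
    if now - record.last_sim_change < window:
        return "recent_sim_change"            # a SIM was (re)issued inside the window
    return "sms_ok"


def deliver_code(enrolled: EnrolledNumber, now: datetime,
                 lookup: Callable[[str], Optional[CarrierRecord]] = carrier_lookup) -> Dict[str, object]:
    """Route a verification code: SMS only when the SIM checks out, otherwise email plus an alert."""
    reason = sms_channel_decision(enrolled, now, lookup)
    if reason == "sms_ok":
        return {"channel": "sms", "to": enrolled.msisdn, "reason": reason, "alert": False}
    return {"channel": "email", "to": enrolled.fallback_email, "reason": reason, "alert": True}


def confirm_new_sim(enrolled: EnrolledNumber,
                    lookup: Callable[[str], Optional[CarrierRecord]] = carrier_lookup) -> EnrolledNumber:
    """After the customer confirms a legitimate SIM change out of band, re-enrol the new IMSI.

    The recency window still applies afterwards, by design.
    """
    record = lookup(enrolled.msisdn)
    if record is None:
        raise RuntimeError("carrier unavailable; keep the old enrolment")
    return replace(enrolled, imsi=record.imsi)


if __name__ == "__main__":
    for cust in (EnrolledNumber("+15550100001", "310150123456789", "a@example.com"),
                 EnrolledNumber("+15550100002", None, "b@example.com"),
                 EnrolledNumber("+15550100003", None, "c@example.com")):
        print(cust.msisdn, deliver_code(cust, SAMPLE_NOW))
```

The order of the checks matters: an IMSI mismatch is reported before a recent change because it is the stronger signal, and an unreachable carrier is treated as a failure rather than a pass, so an outage cannot be used to slip a code through to a hijacked number.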



What to do in the event you become a victim of a SIM swap scam?

If you suspect you are the victim of a SIM swap scam, immediately call your mobile network operator for assistance. Be sure to call the right department. They may also have a form on their website for dealing with cases of fraud, which you can fill in, and they will assist you in an investigation of the matter.

Also make sure to call the appropriate department at your bank, and suspend all activity on your bank account, essentially locking it, so that nobody is even able to log in to your online banking profile.

If you are able to, you may consider accessing your online banking account, and changing your password, as well as changing your associated email address and mobile phone number, so the notifications and confirmation SMSes would arrive at a new number and email address. So even if the criminals succeed with the SIM swap operation, the number they have is no longer linked to your bank account. But I would more readily recommend that you just suspend activity on your account, especially in a panic situation or if you are unsure on how to go about doing all of that.

If money ends up getting taken out of your account, then you need to open a case with the police for theft, preferably within 48 hours of the fraudulent transfer or withdrawal of funds having taken place. During this process you may receive documentation from your bank’s claims department, which will aid in the investigation.

You might get your money back, and you might not. The banks claim that recourse depends on the circumstances of each case. In fact, some flat out refuse to reimburse a client, often claiming that it was the client’s fault – that they did something in order to help facilitate the theft. If you are fighting an uphill battle, it may be a good idea to get legal advice on the matter.



Some recommendations

1.       Make sure to become familiar with existing scams by reading appropriate blogs, forums, or articles in the newspaper, so when you see that email or SMS arrive in your inbox, you know it’s bogus.
2.       The first warning signal can be your mobile network. If your phone is out of network continuously for a few hours, it’s an alert, and you should complain to the mobile network operator immediately.
3.       Always make sure you have suitable anti-virus software installed and that your firewall is switched on.
4.       Don’t ever reply to suspicious emails. Your bank would never ask you to enter any confidential information in to an email.
5.       Don’t ever click through on links that may lead you to phishing websites – websites engineered to appear and operate like the official website. They may download a virus on to your PC, just by visiting them, which could serve as another means of obtaining your banking account password(s).
6.       Use your common sense. If you receive an email claiming to be from your bank, ask yourself if this is the same email address associated with your online banking account.
7.       Don’t use publicly visible email addresses for banking. Use a secure, private email address that nobody but you and your bank knows.
8.       Always reach your bank's official website by typing in the address yourself. Relying on a bookmark is not safe, because some malware tampers with bookmarks so that they redirect you to phishing websites.
9.       Only ever log in to your online banking profile via the official website. Besides checking the URL, check the certificate behind the padlock in your browser, which should be issued to your bank's domain. You can also look the address up on a URL reputation service, which will tell you whether the site has been reported for phishing.
10.   Never disclose your Internet banking password or personal identification number (PIN) to anyone. Even your bank will never ask for this.
11.   Check your banking statements regularly for strange or unusual activity.
12.   Use a strong password for online banking that you use nowhere else, and change it immediately if you suspect it has been exposed. Changing it on a schedule, say every 3 months, adds some margin, but a unique, strong password matters more than frequent rotation.
13.   Don’t answer calls or reply to SMSes from numbers you are not familiar with.
14.   The 19- or 20-digit number printed on your SIM card (the ICCID) is used by some operators to verify a SIM-replacement request. Treat it as confidential and never share it with anyone.
15.   Even though it may be tempting to put your phone on silent or switch it off when multiple calls come through, it may not be the best idea, as this is exactly what the criminal may want you to do so that you don’t notice anything strange going on with your phone.
16.   Take note of the number the call or SMS came from. You can then look up this number on Google, or even contact your mobile network operator and check with them for more information if you receive a suspicious call or SMS.
17.   Consider joining a bank that gives you better security when it comes to banking, especially with online and cellphone banking. Some banks are known for not being secure with the features they provide. The same could be said for some cellular networks.
18.   If the bank only offers 2-step verification that relies on your mobile phone, check whether you can set a backup number or an email address at which you can at least receive notifications. Where the bank or any other provider offers an authenticator app or a hardware token instead of SMS codes, choose that: a code generated on the device itself cannot be captured by taking over your phone number.
19.   Major carriers in the U.S. offer (at the time of writing) account protections that help against SIM card swapping. Use them to secure your account:
a.       AT&T has “extra security,” a feature that requires you provide a passcode for any online or phone interactions with an AT&T customer representative. You can turn it on by logging into AT&T’s web dashboard or the myAT&T app.
b.       Sprint asks customers to set a PIN and security questions when they establish service.
c.       T-Mobile lets subscribers create a “care password,” which it’ll require when they contact T-Mobile customer service by phone. You can set one up by visiting a T-Mobile store or by calling customer care.
d.       Verizon allows customers to set an account PIN, which they can do by editing their profile in their online account, calling customer service, or visiting a Verizon store.




Monday, January 28, 2019

Japan, Luxembourg, or Emirates: Which Passport is the Best?


For some people, a passport is a portal to the world. For others, it is a barrier to the travel freedom they seek.

Henley Passport Index

The Henley Passport Index (HPI) is a global ranking of countries according to the travel freedom enjoyed by their citizens. It started in 2006 as the Henley & Partners Visa Restrictions Index (HVRI) and was revised and renamed in January 2018. The site ranks the 199 passports of the world by the number of destinations their holders can enter without a prior visa; that number is the passport's visa-free 'score'. Henley & Partners has analyzed the visa regulations of all countries and territories since 2006, in collaboration with the International Air Transport Association (IATA) and based on official data from IATA's global database.

In 2019, Japan's passport is ranked the strongest in the world for the second year running, giving visa-free access to 190 destinations; an estimated 17.5 million Japanese travelled abroad last year.

Asian countries dominate the index’s top spots, with Singapore and South Korea ranked second, with access to 189 destinations visa-free or visa-on-arrival. China has also jumped 16 places in the past two years, from 85th in 2017 to 69th in 2019.

European countries still fare well, with Germany and France ranked third, with 188; and Denmark, Finland, Italy and Sweden fourth, with 187.

The US, sharing its score of 185 with Austria, the Netherlands, Norway, Portugal, Switzerland and the UK, is ranked sixth.

The past decade has seen a marked decline in many African countries’ rankings, including Sierra Leone, Nigeria, Gambia and South Africa, which have all dropped at least 18 places since 2009. Afghanistan and Iraq hold joint-last place for the third year in a row, with a current visa-free/visa-on-arrival score of 30.

Despite a rising isolationist sentiment in some regions, global mobility is improving, with an increase in visa-free access and mutually beneficial agreements overall. Historical data from the index shows that in 2006, an average passport holder could travel to 58 destinations without needing a visa; by the end of 2018 this number had almost doubled to 107.

“The general spread of open-door policies has the potential to contribute billions to the global economy, as well as create significant employment opportunities around the world,” said Christian H Kälin, chairman of Henley & Partners and index founder. “South Korea and the United Arab Emirates’ recent ascent in the rankings are further examples of what happens when countries take a proactive foreign affairs approach, an attitude which significantly benefits their citizens as well as the international community.”



Passport Index

The competing Passport Index, run by Arton Capital, tells a completely different story and shows a different passport ranking trend.

The Passport Index is an interactive online tool that lets users compare and rank the world's passports. Its ranking is based on freedom of movement and visa-free travel open to holders.

Surprisingly, here the United Arab Emirates captures the highest ranking, power rank 1; the US passport is ranked 3 and the Japanese passport only 4. Maybe that is because in 2017 the Passport Index was engaged to monitor the development of the newly launched UAE Passport Force Initiative, which aims to put the Emirati passport among the five most powerful passports in the world by 2021.

As you can see, the target was achieved ahead of schedule.



Nomad Passport Index

The Nomad Passport Index ranks 199 citizenships on five factors, more than any other passport index.
It is designed to show the best citizenships in the world to hold on the basis of visa-free travel, international taxation, perception, dual citizenship, and personal freedom.

It also paints a different picture of the best passports in the world to hold: none of Japan, the USA or the UAE appears among its top countries.



