Saturday, February 16, 2019

20 Recommendations on how to protect yourself from mobile phone SIM Card swap fraud


What exactly is a “SIM-Swap” scam?

Here is one definition: “SIM Swap fraud (also known as Port-Out scam or SIM splitting) is a type of account takeover fraud that generally targets a weakness in two-factor authentication & two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud exploits a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM destination. This feature is normally used where a customer has lost or had their phone stolen.”

This type of fraud is not new. It has been with us for three years, but volume levels have been low. It appears that the specifics of this con game have been shared with the global community of organized crime, judging from the recent preponderance of articles in various jurisdictions about this type of crime. Victims, if they have the courage to report the crime, and 85% elect not to, based on present estimates, have witnessed their financial accounts, whether banking, trading, or crypto, suddenly drop to zero. Law enforcement officials now report a 60% increase from prior complaint levels.



How does this type of fraud work?

This process goes in several steps. The worst part of this fraud is that you may be targeted long before the actual crime takes place.

·         A fraudster obtains your bank account details and registers your mobile phone number through phishing or malware.
·         He approaches your mobile service provider with your fake identity proof and, claiming loss of handset or SIM damage, seeks a duplicate SIM card.
·          A SIM swap typically happens using the following methods: Using identity theft to convince a MNO shop assistant that they are dealing with the account holder; or by stealing passwords from employees at the mobile operators or mobile dealers. Bill pay cellular users’ SIM cards can be cloned through a helpdesk by answering personal verification questions such as a home address or work number. The situation is more complex for pre-paid customers where the personal verification questions focus on the latest recharges or last numbers called. By using a fake ID document and other fake documents a person can also do a SIM swap at a mobile dealer. If a fraudster gains access (through a stolen password) to a support agent’s account, or that of a mobile dealer assistant, the SIM swap process becomes easy.
·         The SIM swap is typically performed late at night to avoid detection by the victim. Some fraudsters are also encouraging the victim to switch off their cell phone by harassing them with multiple calls.
·         After the phone is switched off, they do the SIM swap without fear of detection. Some mobile operators send an SMS notification that a SIM swap has been requested. To avoid the SIM swap being stopped, the fraudsters either use the above method or call the victim masquerading as a mobile operator employee to tell them the SMS was sent by mistake and should be ignored.
·         Following verification, the original SIM is deactivated and a new one is issued to the fraudster.
·         He then initiates financial transactions from your bank account, details of which he had earlier stolen, and receives payment confirmation requests on the duplicate SIM. Since the original SIM has been deactivated, the real customer remains unaware of the fraudulent transactions being made on their account.



As one security professional noted: “A high proportion of banking customers now have mobile phone numbers linked with their accounts, and so this attack is becoming common in some regions where this attack was not previously so common. Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering.”

Andrew Blaich, a security researcher at Lookout, recently explained in an interview that, “Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through social engineering. It’s a way attackers are attempting to gain access to their target’s cell phone communications. There are many public cases of attackers social engineering their way through a cellular company’s representative to get a SIM card issued for an account the attacker doesn’t own or have access to. It appears to be easy to do as all you need is a willing and susceptible representative at any cellular phone store.”

Mr. Blaich then added: “Once they’ve gained unfettered access to a victim’s phone number, criminals target bank accounts. Many banks will send you a code to log into an account or reset a password to a mobile phone via SMS, which means an attacker committing SIM fraud can request and receive the code and access your bank. Next, SIM fraudsters mask money withdrawals using a parallel system. They create a second bank account under the victim’s name (banks where the victim is already a customer have fewer security checks).”

There have also been a rash of articles detailing how employees of local phone stores have facilitated the scams taking place. Organized crime has used this tactic in many instances around the globe to coerce staff at the low end of the payscale to pass along critical information. All manners of threats of physical harm are used to force compliance with the criminal endeavor.

Can you protect from SIM-Swap scams?

Due to the nature of this scam, it would be extremely difficult to detect it before it happened. What does happen, once the SIM is swapped, is that your phone literally dies — No messages or calls in or out. If your financial account holders have the capability, request alerts in the form of emails, if and when transfers or major withdrawals take place. Alerts to your phone will not work.

Some banks and phone companies are already attacking the issue from a number of other perspectives, too: “There are multiple organizational and technical ways to combat SIM fraud — from introducing user alerting and additional checks for SIM reissuing to sharing knowledge of SIM swap activity between banks and phone companies. Banks can also consider looking for behavioral changes through behavioral analysis technology that can indicate a compromised device. It is possible to check whether your SIM card number and your international mobile subscriber identity (IMSI) are the same. If there is a discrepancy, your bank could contact you by email or landline to check.”



What to do in the event you become a victim of a SIM swap scam?

If you suspect you are the victim of a SIM swap scam, immediately call your mobile network operator for assistance. Be sure to call the right department. They may also have a form on their website for dealing with cases of fraud, which you can fill in, and they will assist you in an investigation of the matter.

Also make sure to call the appropriate department at your bank, and suspend all activity on your bank account, essentially locking it, so that nobody is even able to log in to your online banking profile.

If you are able to, you may consider accessing your online banking account, and changing your password, as well as changing your associated email address and mobile phone number, so the notifications and confirmation SMSes would arrive at a new number and email address. So even if the criminals succeed with the SIM swap operation, the number they have is no longer linked to your bank account. But I would more readily recommend that you just suspend activity on your account, especially in a panic situation or if you are unsure on how to go about doing all of that.

If money ends up getting taken out of your account, then you need to open a case with the police for theft, preferably within 48 hours of the fraudulent transfer or withdrawal of funds having taken place. During this process you may receive documentation from your bank’s claims department, which will aid in the investigation.

You might get your money back, and you might not. The banks claim that recourse depends on the circumstances of each case. In fact, some flat out refuse to reimburse a client, often claiming that it was the client’s fault – that they did something in order to help facilitate the theft. If you are fighting an uphill battle, it may be a good idea to get legal advice on the matter.



Some recommendations

1.       Make sure to become familiar with existing scams by reading appropriate blogs, forums, or articles in the newspaper, so when you see that email or SMS arrive in your inbox, you know it’s bogus.
2.       The first warning signal can be your mobile network. If your phone is out of network continuously for a few hours, it’s an alert, and you should complain to the mobile network operator immediately.
3.       Always make sure you have suitable anti-virus software installed and that your firewall is switched on.
4.       Don’t ever reply to suspicious emails. Your bank would never ask you to enter any confidential information in to an email.
5.       Don’t ever click through on links that may lead you to phishing websites – websites engineered to appear and operate like the official website. They may download a virus on to your PC, just by visiting them, which could serve as another means of obtaining your banking account password(s).
6.       Use your common sense. If you receive an email claiming to be from your bank, ask yourself if this is the same email address associated with your online banking account.
7.       Don’t use publicly visible email addresses for banking. Use a secure, private email address that nobody but you and your bank knows.
8.       Always visit the official website of you bank by typing in the address. Bookmarking the website isn't safe because there are forms of malware that could tamper with bookmarks so that they redirect you to phishing websites.
9.       Only ever try to log in to your online banking profile via the official website. There are ways to make sure that it’s the official website – not only by looking at the URL, but by checking the security certificate, which usually appears in the form of a padlock in your browser. You could even look up the website on a database, which would confirm whether the website is safe or not.
10.   Never disclose your Internet banking password or personal identification number (PIN) to anyone. Even your bank will never ask for this.
11.   Check your banking statements regularly for strange or unusual activity.
12.   Change your online banking passwords frequently. I would suggest at least once every 3 months. And make sure it’s a strong password too.
13.   Don’t answer calls or reply to SMSes from numbers you are not familiar with.
14.   The 20 digits SIM number on the back of your SIM card is top secret, and never share it with anyone.
15.   Even though it may be tempting to put your phone on silent or switch it off when multiple calls come through, it may not be the best idea, as this is exactly what the criminal may want you to do so that you don’t notice anything strange going on with your phone.
16.   Take note of the number the call or SMS came from. You can then look up this number on Google, or even contact your mobile network operator and check with them for more information if you receive a suspicious call or SMS.
17.   Consider joining a bank that gives you better security when it comes to banking, especially with online and cellphone banking. Some banks are known for not being secure with the features they provide. The same could be said for some cellular networks.
18.   If the bank only offers 2-step verification security that relies on using a mobile phone to access your account, then check whether or not you can set a backup number, or an email address where you can at least receive notifications at.
19.   Major carriers in the U.S. offer security that can help protect against SIM card swapping. Use it to secure your account:
a.       AT&T has “extra security,” a feature that requires you provide a passcode for any online or phone interactions with an AT&T customer representative. You can turn it on by logging into AT&T’s web dashboard or the myAT&T app.
b.       Sprint asks customers to set a PIN and security questions when they establish service.
c.       T-Mobile lets subscribers create a “care password,” which it’ll require when they contact T-Mobile customer service by phone. You can set one up by visiting a T-Mobile store or by calling customer care.
d.       Verizon allows customers to set an account PIN, which they can do by editing their profile in their online account, calling customer service, or visiting a Verizon store.



Sources and Additional Information: