As banking services expand online and away from the brick-and-mortar branch, banks have had to implement new identification procedures to protect accounts against identity theft and fraud. New security challenges have arisen with this move, however. Banks must ensure that the user logging in is who they say they are, and often this requires more than just the traditional PIN and password.
For instance, many banks choose to sync accounts with customers’ mobile numbers. The bank can then send a text with account details to a customer’s phone, which allows the customer to log in or update their details, and the bank treats this as a legitimate access attempt. However, this does not take into account that SIMs suffer from identification vulnerabilities. Unlike behavioral or physiological biometrics, there is little in a mobile number or SIM card to tie it to an individual’s identity. By overlooking this detail, banks have opened the possibility for hackers to access their customers’ accounts through a process called SIM swap fraud.
SIM swapping is a sophisticated form of fraud and falls under social engineering. Fraudsters will distribute phishing emails, trying to obtain as much personal information about victims as possible. For example, they will pose as credit card companies, supermarkets or health insurers and try to retrieve details such as legal names, dates of birth, addresses and phone numbers. Alternatively, they might use information from social media, public websites or data dumps from criminals. Using this information, they will impersonate their victims and contact mobile operators to claim that they have lost or damaged their SIM, and request a new one with the same mobile number.
Once the fraudster has access to the victim’s mobile number, they target bank accounts. Knowing that certain banks will tie the mobile number to the customer, they request new login details to be sent through text message, and thereby gain full access to an account. From here, they can complete the scam and transfer the victim’s funds into their own account.
To avoid falling victim to this scam, users should:
- Always exercise caution when revealing personal information online
- Use authenticator apps or services which encrypt messages and are not tied to their SIM
- Avoid using SMS as the primary form of authentication with their bank
- Check with their mobile operator to see if any new SIM cards have been issued without their knowledge
Have you had a narrow escape with SIM swap fraud? Let us know in the comments below or by tweeting us @JustAskGemalto.