Mobile operators must take more responsibility over our phone security


So you think you’re pretty security savvy. You use complex passwords for all your online accounts, and you use Two-Factor Authentication via your smartphone for an extra layer of protection when it comes to online banking. You know that this means no-one can access your bank accounts without having physical access to your phone, even if they were in possession of your username and password.

And then you log into your account one day and discover that someone has stolen thousands of pounds from you, and your bank refuses to believe you, as the transaction was made when you were logged into your account. And it must have been you, because they sent a unique access code to your phone which was used to log in.

You might think that pulling off such a crime was the work of super-intelligent hackers, or even an inside job. Then you find out that all the criminals needed to do was to call your mobile phone provider.

This is known as SIM Swap Fraud, and it’s surprisingly easy to carry out. When it succeeds, victims may find that their entire life savings have been stolen, with little recourse. With smartphones becoming an essential tool for securing online banking transactions, it’s a scary thought that a cyber criminal can seize control of your phone quite easily, thanks to the seriously lax security practices of some mobile operators.

How a SIM swap works

Cyber criminals scan the internet for details about you – you have probably posted your full name, address, date of birth, email address and details of key family members on social media at some point. An open Facebook profile can give an attacker clues as to your level of wealth (have you uploaded those pictures of that sailing holiday in the Caribbean yet?), and you’ve probably posted your job title and employer on LinkedIn. These give the attackers vital clues which can be used in a SIM Swap fraud against you. And once they’ve managed to discover the username and password combination you use for online banking – either because you fell for a phishing email and gave them away, or because they obtained them from a data dump following the breach of a website where you reused the same combination – they’re halfway home. All they need to do now is call your mobile phone operator.

They call and answer a set of pretty easy security questions – many of which they will have obtained through their research – and ask for a new SIM card to replace your existing one. They can use almost any reason for the SIM swap, such as you’ve lost your phone, damaged your existing SIM card, or are upgrading to a different device. Now, you would assume that all mobile operators would make it a prerequisite that any newly ordered SIMs would be sent to the account holder’s address only, but during the research for this article I found that some operators will send the SIM card to any address requested by the caller. Yes, you read that correctly. Any address…

They don’t even have to bother ringing a call centre in some cases. They can just walk brazenly into any High Street branch of your mobile provider, armed with all the information they have about you, and simply ask for a SIM replacement then and there.

Impact of SIM swap scams

Criminals up and down the country have consequently stolen thousands of pounds from people’s bank accounts using the SIM swap scam, and the level of security used by the mobile operators is worryingly low. Richard de Vere of The AntiSocial Engineer has reported on a victim who lost £35,000 in a SIM Swap fraud, when a cyber criminal transferred the money from her account to a bank in Slovakia. He managed to obtain a transcript of the conversation between the criminal and Vodafone’s call centre and, shockingly, the call handler proceeded with the request even though the caller couldn’t give any of the account passwords, memorable words, contacts on the phone, how much the monthly Direct Debit was for the account, or even the victim’s date of birth.

I mentioned that I was writing this article to a friend, and she immediately called her mobile operator to change the single memorable question the operator used to enable access to her account over the phone – her mother’s maiden name. For an attacker, this would have been easy to deduce given the extensive Facebook and Twitter conversations she has with family. When she called, however, the operative didn’t even understand why she needed to change her security question in the first place. This really demonstrates that some mobile operators are not educating their call centre staff on the risks of fraud to their customers.

Banks have invested heavily in innovative security measures to help secure online banking. It’s in their interests, after all, as they are at risk of not only financial losses but also penalties from the Financial Conduct Authority if their security is found to be wanting. As part of these efforts many banks have successfully implemented two-step authentication processes using mobile phones. However, very few banks are currently able to detect SIM swap fraud as it occurs.

Banks fight back

The technology is catching up – First Direct, for example, have responded to the threat by implementing a voice ID programme. This works by cross-checking the speed, cadence and pronunciation of a caller’s voice and comparing it to a known voice sample of the genuine customer. It even measures physical aspects such as the shape of the larynx, vocal tract and nasal passage to match the caller to their account. Since it was introduced, First Direct have estimated that the system has prevented in excess of 1,600 attempted frauds. It’s been so successful that the technology has been adopted by parent firm HSBC, and Barclays has also introduced a similar scheme.

But why is all the responsibility falling on the banks? Why is it so easy for a fraudster to get a SIM swapped in the first place? Why are the mobile operators themselves not investing in voice recognition technology to prevent fraud? Is it simply because they face almost no sanctions or financial penalties from SIM swap fraud, unlike the banks? Surely Ofcom, in conjunction with the Information Commissioner’s Office, should be insisting on tighter security controls within these companies.

The lack of progress within these companies is astounding. They should all now be actively tightening processes and guidelines on how to detect potentially fraudulent activity. They should be training call centre, online and shop staff better on recognising the signs of potentially fraudulent activity, such as when someone might be impersonating a customer. They should only be sending SIMs to the registered account holder’s address. They should be investing in better security technology and should stop relying on ‘security’ questions that can be easily answered by a fraudster scanning a Facebook page. They should be making better use of the data around customers’ device type, location and consumer behaviour to proactively identify possible threats. Why are they seemingly incapable of achieving these measures?

Mobile operators’ role

Rather than leaving the banking industry to do all the heavy lifting in the war against cyber crime, mobile operators must step up their game and play their part to combat mobile phone-based crime. They must work in conjunction with the banks, the National Crime Agency, the National Cyber Security Centre, Ofcom and the ICO to mitigate risks. They must not be afraid of GDPR and share data appropriately – after all, isn’t it in the best interests of their customers to do all they can to prevent fraud? Just making historical customer data available for lookup by a bank’s fraud prevention solutions, for example, would make a huge difference.
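The two suggestions above (operators using device, location and behaviour data to spot fraud, and banks being able to look up an operator’s SIM-change history before trusting an SMS code) can be combined into one risk check. The following is an added illustration, not code from the article or from any bank or operator: the records, field names, weights and thresholds are all constructed, and it uses the £35,000 Slovakia case from the article as its sample fraud.

```python
"""Score a bank event that relied on an SMS one-time code against the
operator's SIM-change history. Constructed data; hypothetical field names."""
from datetime import datetime, timedelta

SWAP_WINDOW = timedelta(hours=72)  # a SIM changed this recently is the key indicator

# Constructed operator-side SIM replacement records (hypothetical feed format).
SIM_EVENTS = [
    # Replacement ordered by phone, posted to a different address, no checks passed
    {"msisdn": "+447700900001", "changed_at": "2019-03-04T10:15:00",
     "address_matches_account": False, "checks_passed": 0},
    # Legitimate in-shop replacement a month earlier, security checks passed
    {"msisdn": "+447700900002", "changed_at": "2019-02-01T09:00:00",
     "address_matches_account": True, "checks_passed": 3},
]


def sim_swap_risk(event, sim_events=SIM_EVENTS, window=SWAP_WINDOW):
    """event: msisdn, at (ISO time), device_known, new_payee_abroad, amount_gbp.
    Returns (score, reasons); a SIM change shortly before the code is weighted most."""
    score, reasons = 0, []
    at = datetime.fromisoformat(event["at"])
    for s in sim_events:
        if s["msisdn"] != event["msisdn"]:
            continue
        age = at - datetime.fromisoformat(s["changed_at"])
        if timedelta(0) <= age <= window:  # SMS code sent to a freshly swapped SIM
            score += 50
            reasons.append(f"SIM changed {age // timedelta(hours=1)}h before SMS code")
            if not s["address_matches_account"]:
                score += 20
                reasons.append("replacement SIM sent to non-account address")
            if s["checks_passed"] < 2:
                score += 20
                reasons.append("swap authorised with fewer than 2 security checks")
    if not event["device_known"]:  # bank-side device fingerprint never seen before
        score += 10
        reasons.append("login from unseen device")
    if event["new_payee_abroad"] and event["amount_gbp"] >= 1000:
        score += 20
        reasons.append("large transfer to new overseas payee")
    return score, reasons


def decide(event, **kw):
    """Map the score to an action: hold the payment and call the customer back on a
    channel other than the phone number, require extra authentication, or allow."""
    score, reasons = sim_swap_risk(event, **kw)
    action = "hold_and_callback" if score >= 60 else "step_up_auth" if score >= 30 else "allow"
    return action, score, reasons
```

A real deployment would treat an operator-confirmed legitimate swap (for example one done in a shop with identity checks) as lowering the weight rather than ignoring it, which is what the `checks_passed` and address fields approximate here.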

If you are a victim of SIM swap fraud, don’t take it lying down. Exercise your rights under GDPR to obtain data from your mobile operator by sending them a Subject Access Request to discover what they know about the incident – they will often have more information than they let on. Don’t accept your bank refusing to refund you – contact Citizens Advice and complain to the FCA if you have to.

We all have a role to play in combating cyber crime – and no organisation or industry should be allowed to bury its head in the sand and pretend that it has nothing to do with them. In the meantime, I suggest talking to your mobile operator and demanding that, as a minimum, they change the security questions they ask you to ones that are harder for a fraudster to obtain, and that any new SIM card is only sent to your home address. These measures are not perfect, but the mobile operators must do more to protect their customers from fraud.

Vince Warrington, Founder of Protective Intelligence


Vince Warrington is a Cyber Security & Information Assurance professional and CEO of Protective Intelligence, with a passion for changing attitudes towards how we protect our data, whether at a professional or personal level. His aim is to move businesses, charities and government departments away from traditional IT Security to a model where everyone in the organisation works towards the common goal of protecting information through joint responsibility and coordinated thinking.