cancel
Showing results for 
Search instead for 
Did you mean: 

Sim Hijacking

Jules63
Level 1: Joiner
  • 9 Posts
  • 2 Topics
  • 0 Solutions
Registered:

Hi,

 

I wanted people's thoughts on the problem of phone-identity hijacking..

 

I know someone who had his account hijacked recently. Someone walked into a Vodafone store with fake ID, we think a driving licence (easily obtainable on the net for about £25) and somehow the staff arranged to issue a new sim for him.

 

My friend did notice his phone went dead but did nothing for a couple of days (hey, it's Vodafone...).

Meanwhile, by intercepting OTP codes sent to the new sim, the thief took over £25,000.

 

Now my bank wants me to accept similar account-access OTP codes sent to my O2 mobile for the first time......

 

I called O2 and they confirmed there was nothing they could do to stop someone with fake ID from obtaining a sim as photo-ID would override any other security put on the account like passwords or memorable data etc which the customer might forget. There is therefore a risk that a sim could be fraudulently obtained.

 

AT&T in the USA have now put in place measures against this sim-swap hijacking by, I believe, an optional PIN the customer can place on the account without which a new sim will never be issued, ID or no ID.

 

Am I right to be worried about this? It seems a huge banking vulnerability as these OTP codes are the final guarantee to your bank that it is really you. My bank is only offering OTP codes, no apps etc.

Message 1 of 20
4,979 Views
19 REPLIES 19

Jules63
  • 9 Posts
  • 2 Topics
  • 0 Solutions
Registered:

Thanks for your interesting replies.

 

I am of course wary of turning this posting into a sim-swappers' handbook, but I would really like assurance that this kind of fraud is no longer possible now that 2-factor authentication via sms will be so prevalent. 

 

Let's say a (real or fake) O2 contract customer loses their sim, so phones up O2 "I've forgottten my password and memorable answers - sorry, I was in a bad road accident last year and it affected my memory....blag blag blag etc".  Would the operator not ask the customer to go to an O2 shop with photo ID? I think we should be told. 

 

O2 should issue worried customers, who opt-in to the scheme, a sim-swap pin without which a swap is not possible no matter what ID comes through the O2 shop door (so better keep it safe!). It's a simple low-cost idea and would stop the problem would it not?

 

 

Message 11 of 20
2,901 Views

Anonymous
Not applicable

Companies are relying way too much on mobile phone based authentication, whether it be SMS or authenticator type apps.

 

The banks I use issue a card reader on one and a pin pad on the other, the bank that issues the pad asked me did I want to use the version in their app and I said no thanks, send me a device please or I'll move.

 

It's cheap for them and supposedly convenient for the customer but just shifts the liability.

 

Also have to use this type of authentication for some stuff at work which I'm not particularly happy about but had a discussion with someone at work who bought into the whole app based bank nonsense, until their phone went missing that is.

 

It's a fine balance between convenience and security but when dealing with finances I'd prefer security but that's just me.

Message 12 of 20
2,891 Views

Jules63
  • 9 Posts
  • 2 Topics
  • 0 Solutions
Registered:

Techtamer I very much agree with you.

 

I have a pin-pad for one of my bank accounts and I doubt anyone could blag a replacement one from my bank whose security is better than a mobile network's, but I suspect that my bank will stop issuing pin-pads in favour of their (currently optional) app and if you don't have the app I guess you can't login on your phone unless you carry the pin-pad with you so I guess the app might win one day.

 

To be clear though, you would not get app access to a bank account by blagging a sim swap in an O2 shop; you would need further passwords to log in to the app no doubt. 

 

I am really talking about 2-factor authentication (2FA) by sms in these posts and one of my banks is only offering this method for 2FA. They did however assure me that it would be "quite safe as they would only send an sms if a login attempt was made from an unrecognised computer".

 

Where else do they think a thief would be logging in from?

 

Mobile phone compaines are now faced with doing, effectively, the banks' security checks for customers who use sms-based 2FA and they are not very good at it - sorry but most people working in mobile phone shops are young and perhaps less sceptical of possibly fraudulent approaches than those of us who have more experience of life. 

 

Look what happened when the BBC actually tested mobile phone companies' security procedures:

 

https://www.bbc.co.uk/news/business-46047714

 

Crikey.....

 

 

Message 13 of 20
2,884 Views

EmilieT
  • 5434 Posts
  • 304 Topics
  • 65 Solutions
Registered:

@Jules63 I'm very sorry to hear about what happened to your friend confused I'll check what I can find out on my end on this matter and will post more info here as and when I have any!

 

Cheers everyone for the advice, very useful and interesting @Bambino @MI5 @PhoneChanger @Anonymous slight_smile

Access for You: Registration - Find out how to register for our Access for You service.
Want to chat with other fellow-minded members? Head to our Off-topic section for some interesting chit-chat.
Check out our Priority board for tickets & offers updates, and to discuss all things Priority-related!
Welcome to O2! - New to O2? Find out all you need to know to get started!


If you'd like to take part, why not register? slight_smile
signature

Message 14 of 20
2,872 Views

Anonymous
Not applicable

Doesn't look like there's any protection for PAYG users though considering there's no requirement to register an address.

 

 

Message 15 of 20
2,841 Views

EmilieT
  • 5434 Posts
  • 304 Topics
  • 65 Solutions
Registered:

Hi everyone, 

 

I've just had a look on our end and found out some more info that I hope you'll find useful slight_smile

 

For security reasons we can’t reveal the precise measures, checks and processes we have in place to tackle fraud on our network, but we can confirm that O2 takes customers security very seriously and have processes to protect our customers from any fraudulent activity. We can assure you we have strict controls in place to prevent any fraudulent activity around SIM management/changes in our stores, call centres and online. However, should customers have any concern around any changes to their account or mobile phone, they should contact customer service immediately.

Access for You: Registration - Find out how to register for our Access for You service.
Want to chat with other fellow-minded members? Head to our Off-topic section for some interesting chit-chat.
Check out our Priority board for tickets & offers updates, and to discuss all things Priority-related!
Welcome to O2! - New to O2? Find out all you need to know to get started!


If you'd like to take part, why not register? slight_smile
signature

Message 16 of 20
2,830 Views

Jules63
  • 9 Posts
  • 2 Topics
  • 0 Solutions
Registered:

Much as I appreciate the answer from EmilieT, I find myself unreassured by an assertion that strict anti-hijacking measures are in place but O2 can't say what they are. The BBC don't think they work too well; talking about security checks in the article I mentioned, the BBC says of their attempts to sim-swap at O2 shops...

 

...that did not happen with any of the numbers being used by the Watchdog Live team, who were able to walk out with a replacement Sim in almost every case.

 

As far as I can see, no measures are currently being undertaken which will counter someone walking in to an O2 shop with a fake photo ID, which O2 told me on the phone would indeed trump all other security requirements or questions.  

 

It would be naive to think that thieves can't simply google for a fake UK driving licence, they are sadly easy to obtain. 

 

I invite O2 to set up a further optional layer of security, possibly a PIN, known only to O2 and the customer, without which a sim swap will never be authorised. It is a low-cost option and I'll definitely sign up for it. This would stop the fake-ID approach dead, or does anyone else have an idea how to stop this fraud?

 

 

Message 17 of 20
2,820 Views

Anonymous
Not applicable

@Jules63 

 

There would have to be a contingency for a forgotten PIN and therein lies the flaw.

 

If you can frustrate the scum doing this they'll stop bothering but the customer will have to take a bit of pain too.

 

Here's how it should work.

 

All accounts (PAYG and Contract) need to have a registered address and the people need to appear on the electoral role, if the user is a minor, this needs to be a parent or guardian, no verification, no service, if the person is homeless they need to obtain some sort of documentation from the Council or a charity such as Shelter vouching for them, the store need to verify this with the issuing authority, seeing it and taking it as valid is not enough now.

 

Any SIM swaps should not be done in store, apply for one but the SIM should be posted to the registered address but there should be a delay of 7 days before this happens, in the meantime a message should be sent to the phone, if the customer replies the process stops and is voided, if no response is received, process continues and SIM is despatched unless they can produce verifiable documentation as mentioned above.

 

I know this sounds a bit draconian but the criminals seem to be running rings around those of us that aren't.

 

Message 18 of 20
2,788 Views

davethorp
Level 21: Regular
  • 1035 Posts
  • 11 Topics
  • 38 Solutions
Registered:

The banks should be refunding in situations like this under a code of practice that most major banks have agreed to

 

https://www.moneysavingexpert.com/news/2019/05/more-protection-for-money-transfer-scam-victims-from-...

 

I'd imagine EE customers may fall victim to this as you can get a sim swap in store on EE if you have photo ID. I have heard of one or two instances of this happening to people on EE

 

Like @Anonymous I'm not keen on the banks relying on OTPs as authentication which is only going to get worse in September when most banks will start using them to verify card transactions online. My main line is currently on EE and I have a technical issue at the moment where OTPs are not coming immediately through to me but will instead come through in batches hours if not days after they are generated meaning they are currently useless to me as by the time I get them they have expired. Hopefully EE fix this soon otherwise I'm going to have to change my phone number with banks to a number on another network (and may need a OTP to do this which will be a ballache)

 

A few of my banks are switching towards using their mobile apps as authentication which I prefer to SMS

Message 19 of 20
2,756 Views

Jules63
  • 9 Posts
  • 2 Topics
  • 0 Solutions
Registered:

Techtamer, thanks for some very interesting ideas.

 

It would cause a lot of bad feeling if say a business-owner who has a broken sim has to do without a replacement for 7 days. That would be expensive for them, and a delay in sending the sim would merely increase the chance of a fraud being detected whereas I want it stopped.

 

I do take your point about using the Council and Shelter as references but Councils have been notoriously bad at being defrauded by bogus claimants, so their checks aren't up to much, and I fear Shelter don't ask too many questions of people who approach them, these can be people with next to no ID who can say they are whoever they like.

 

Biometrics may eventually be the only way forward to prove ID.

 

Perhaps provide your network with a fingerprint in store when you buy a phone, or afterwards, to enhance any existing security; the technology exists in many handsets today so it is a simple thing to do. That would certainly stop a sim thief, or have O2 keep a photo of you, if you wish that. Again, the biometric account-lock would be an optional addition to an account, but a recommended one.

I think we're agreed the current system is a bit of a farce and needs revising because this fraud is going on today.................and nobody is paying attention.

 

Banks have rather naughtily forced this situation on the mobile networks and us by using our phones for bank-account-access passcode delivery. Eventually, passcodes via SMS should be stopped, as that is linked to the sim, a duplicable item, whereas an authenticator app like Authy is a handset thing.

I am also concerned that mobile networks may be acting in breach of data-protection regulations in that they may facilitate access to a customer's personal banking accounts through a known-to-be lax system of identity checks and in this matter they may in future have some legal liability for any losses, perhaps vicariously with banks themselves who are using sms knowing it to be insecure. Tesco Bank actually say in their own terms and conditions that sms is not secure, page 4: "As text and email are not secure channels, we’ll only include generic information".

 

I'm sure many people will google for and find these postings in future - I just hope they haven't lost a lot of money.

 

Message 20 of 20
2,741 Views