
These SIM Swap scams....how worried should we be??

Morning All

Now I'm sure you've all read the stories recently about these scams, and how people have watched their money being withdrawn from under their noses....mainly TSB customers at the moment (for obvious reasons). I don't fully understand what's going on here but realistically how easy is it for the crims to do this....surely they must have some other intel gleaned from somewhere...rather than picking victims at random.

Surely they initially need to know...
Who you bank with (have they found a copy statement, etc)
Who your mobile network provider is (how would they know this)
What your mobile number is (widely available, as given out all the time)

Even if they know all this, they still need your User ID and password, but as I understand it, these can be easily obtained too, if they've got access to your mobile and your account details.

Is mobile app banking more at risk than PC based banking, on secure, private WiFi?

Have the people targeted somehow given away more information than they realise, or have they been the victim of a phishing scam too, enabling the SIM scam to also happen?

I try and be super-suspicious of any correspondence I have with banks, either by text, phone or e-mail, and we shred all documents with any personal information on and I don't put my whole life on FB...but what else can we do to protect ourselves?

It would appear that you can have "uncrackable" passwords etc, but the scammers can just log on, and have them re-set and start withdrawing money.:eek:

Anyone else just a teeny bit worried about this??
How's it going, AKA, Nutwatch? - 12 month spends to date = 2.60% of current retirement "pot" (as at end May 2025)

Comments

  • I'm not worried in the slightest - people need to have common sense (which is sorely lacking sometimes it seems!)

    Don't open attachments in emails. In fact, have your emails in plain text only - it's obvious then if it is a phishing attempt.

    Have robust passwords that are unique for each account

    Use 2 factor authentication as much as you can

    Most banks use secure messaging inside the app now. I've not heard of a case where the app itself has been compromised.
  • EachPenny
    EachPenny Posts: 12,239 Forumite
    10,000 Posts Combo Breaker
    Sea_Shell wrote: »
    Now I'm sure you've all read the stories recently about these scams, and how people have watched their money being withdrawn from under their noses....mainly TSB customers at the moment (for obvious reasons).
    It's a small point, but we are hearing about TSB customers at the moment because of the problems TSB are having, and therefore a 'horror' story about a customer having £10k's of money taken from an account becomes newsworthy.

    What we are not hearing about is all the customers of other banks having £100's, £1k's and £10k's taken from their accounts on a daily basis, because as far as the media is concerned, that isn't newsworthy, unless you also happen to be a celebrity.

    Early on in one of the other TSB threads I made the point that people having their cards declined, or being unable to log in to online banking is all part of the daily churn of problems people experience, and no doubt some of the problems TSB customers had would have happened regardless of the IT upgrade.

    The same goes for the kind of fraud referred to in the OP - it happens all the time. We are only reading about it in the news at the moment because [STRIKE]journalists[/STRIKE] people paid a pittance to scan social media are finding it a very easy way to produce copy which attracts thousands of 'clicks'.

    Whether there is a specific issue with TSB (i.e. a data breach) remains to be seen, although I suspect if there had been one we would know about it by now. The main issue with TSB seems to be the difficulty of contacting their fraud department, which perhaps gives the fraudsters a slightly better chance of success than normal.
    "In the future, everyone will be rich for 15 minutes"
  • masonic
    masonic Posts: 27,176 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Sea_Shell wrote: »
    Surely they initially need to know...
    Who you bank with (have they found a copy statement, etc)
    Who your mobile network provider is (how would they know this)
    What your mobile number is (widely available, as given out all the time)
    For who you bank with, most banks send emails to their users, so compromise of your email account would be a big window into this information. Social media might also give it away - if you tweet at your bank or interact with them on Facebook etc. Sort code will give it away, so any company you have a direct debit with or have transferred money to could potentially give that away if they have a data breach. Also, anyone who you have written a cheque to or who has been able to get a glance at your debit card would potentially know this. - And of course, if your bank happens to be TSB they might have exposed your details to other users.

    For mobile network provider, if they know your mobile number then potentially they can find this out via voicemail services (for example by trying to check your voicemail from a different phone), or by trial and error (there aren't many providers). Also social media and email as above.
    Even if they know all this, they still need your User ID and password, but as I understand it, these can be easily obtained too, if they've got access to your mobile and your account details.
    Yes, they'd probably also need your date of birth and at some banks the answer to a security question like your mother's maiden name.
    Is mobile app banking more at risk than PC based banking, on secure, private WiFi?
    Providing it is properly secured (WPA2 with a strong password) then it's probably no less secure. If someone was able to break in and monitor the traffic then they could potentially see who you banked with by monitoring where internet traffic was going, but not much else - the apps all use encrypted connections.
    Have the people targeted somehow given away more information than they realise, or have they been the victim of a phishing scam too, enabling the SIM scam to also happen?
    Almost certainly they've been the victim of a data breach at some point, but millions of people in the UK have and most of them don't know it.
    Anyone else just a teeny bit worried about this??
    If you fall victim to this sort of fraud, as long as you didn't in any way assist the transfers (either by making them or by providing security codes to a fraudster from your phone), then it is the bank who will ultimately lose money, not you.

    One precaution I think everyone should take is not to put all their eggs in one basket (bank). Having several accounts with different banks and savings held in different places means the impact of one of your accounts being compromised is minimised and you can patiently wait for the bank to sort it out and refund you without having to worry about not having access to funds and banking facilities.
  • masonic
    masonic Posts: 27,176 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 27 May 2018 at 11:19AM
    Use 2 factor authentication as much as you can
    Yes, proper 2 factor authentication (an app on your phone, or a separate security device).

    Not anything along the lines of 'so you want to reset your password and security information, we'll send you a text message to confirm it is you making the request'.

    Or 'so you want to set up a new payee, we'll give you a quick automated call on your mobile to prove it's you'.

    That's the basis of these SIM swap attacks.
  • DCFC79
    DCFC79 Posts: 40,641 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 27 May 2018 at 11:52AM
    Sea_Shell wrote: »

    Surely they initially need to know...
    Who you bank with (have they found a copy statement, etc)
    I get statements online and any I do get sent, e.g. a yearly 1 for a savings account, I shred since I can access the account online.

    Who your mobile network provider is (how would they know this)
    What your mobile number is (widely available, as given out all the time)
    I get all my statements online so no mobile phone bills get sent to my address.

    Even if they know all this, they still need your User ID and password, but as I understand it, these can be easily obtained too, if they've got access to your mobile and your account details.

    No 1 other than me has access to my phone. It's either on me at work/when out or on the table at home. I don't post my number on Facebook either, no dodgy apps downloaded.

    Is mobile app banking more at risk than PC based banking, on secure, private WiFi?

    The majority of times I've accessed the banking apps has been on wifi, couple of times I've used my 4G connection.

    Have the people targeted somehow given away more information than they realise, or have they been the victim of a phishing scam too, enabling the SIM scam to also happen?


    Maybe they are lax in what they throw away, e.g. don't shred bank statements, headed letters with name and address on. I think it was an episode of Spooks where I saw someone's details being gathered.
    Posting way too much on Facebook (it's either being too lax/not thinking of the damage or just plain stupid) is an example, e.g. posting what your pet's name is, as this can be a security question.


    I try and be super-suspicious of any correspondence I have with banks, either by text, phone or e-mail, and we shred all documents with any personal information on and I don't put my whole life on FB...but what else can we do to protect ourselves?


    Keep an eye on your bank accounts, whether it's daily or weekly and whether it's the mobile banking or a PC/Laptop/Tablet, don't know why but I don't access my accounts on my tablet but I put that down to finding a proper keyboard easier to enter passwords etc.

    If you do receive a call that's supposedly from your bank and you're unsure if it is the bank don't then call your bank on the same phone, use a mobile if you can.

    I've even gone to certain lengths of adding a known number to my phone's contacts so I know it's the bank (might get told it's a bad idea but it's worked so far).



    It would appear that you can have "uncrackable" passwords etc, but the scammers can just log on, and have them re-set and start withdrawing money.:eek:
    If you don't open emails and download the attachment and login they shouldn't get your login details.


    Anyone else just a teeny bit worried about this??


    Am I worried, I'm a little worried about TSB security (not much in the accounts but still it's a concern), if they aren't fixed would TSB be rapped on the knuckles by FCA?

    Not having just 1 account is just bad imo and keeping a huge chunk of money in 1 account is also a wrong move imo.
  • Shakin_Steve
    Shakin_Steve Posts: 2,813 Forumite
    Ninth Anniversary 1,000 Posts Photogenic Name Dropper
    Mobile phone providers should also bear some responsibility for this. A sim swap fraud cannot work without a sim swap.
    I came into this world with nothing and I've got most of it left.
  • EachPenny
    EachPenny Posts: 12,239 Forumite
    10,000 Posts Combo Breaker
    DCFC79 wrote: »
    No 1 other than me has access to my phone. It's either on me at work/when out or on the table at home.

    That's the point of this thread - the fraudster doesn't need your phone, they just need to know your number and figure out the provider. They then contact the provider, obtain a new SIM, and get your number transferred onto a phone they are using. You still have your physical phone, but they have its functionality.
    DCFC79 wrote: »
    Am I worried, I'm a little worried about TSB security (not much in the accounts but still it's a concern), if they aren't fixed would TSB be rapped on the knuckles by FCA?
    In terms of security TSB are no better nor worse than most other banks. As I've said elsewhere, this is not really a TSB issue, it is a mobile phone company issue (and bank's reliance on customer mobile phone security).
    "In the future, everyone will be rich for 15 minutes"
  • EachPenny
    EachPenny Posts: 12,239 Forumite
    10,000 Posts Combo Breaker
    masonic wrote: »
    Yes, they'd probably also need your date of birth and at some banks the answer to a security question like your mother's maiden name.

    This being obtainable (for anyone born 1911-1982 approx) in seconds to anyone capable of typing "f r e e b m d dot o r g dot u k" into a web browser. The exact date of birth can be obtained by applying for a certificate, and details for people born after 1982 are freely available on other sites.

    There is absolutely no excuse for any organisation to still use mother's maiden name as any kind of 'security' question. (and if you are asked for this, don't use the real one)
    "In the future, everyone will be rich for 15 minutes"
  • DCFC79
    DCFC79 Posts: 40,641 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    EachPenny wrote: »
    That's the point of this thread - the fraudster doesn't need your phone, they just need to know your number and figure out the provider. They then contact the provider, obtain a new SIM, and get your number transferred onto a phone they are using. You still have your physical phone, but they have its functionality.


    In terms of security TSB are no better nor worse than most other banks. As I've said elsewhere, this is not really a TSB issue, it is a mobile phone company issue (and bank's reliance on customer mobile phone security).

    I read the thread about TSB and the OP's son losing money, astonishing how it happened.
  • DCFC79
    DCFC79 Posts: 40,641 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 27 May 2018 at 11:59AM
    EachPenny wrote: »
    This being obtainable (for anyone born 1911-1982 approx) in seconds to anyone capable of typing "f r e e b m d dot o r g dot u k" into a web browser. The exact date of birth can be obtained by applying for a certificate, and details for people born after 1982 are freely available on other sites.

    There is absolutely no excuse for any organisation to still use mother's maiden name as any kind of 'security' question. (and if you are asked for this, don't use the real one)

    I was thinking the same. Should really be changed.
This discussion has been closed.