These SIM Swap scams....how worried should we be??

eDicky

masonic wrote: »

SIM swap is a service provided by mobile phone networks to keep your phone number when you sign up with a new provider. People like to keep the same number when they change provider and that is where this service has come from.

A SIM swap attack usually starts with the fraudster calling the network provider pretending to be a customer (or breaks into the customer's online account) to request a PUK code (Personal Unlocking Key) that enables them to sign up a new account and transfer the mobile phone number. Phone providers have been subject to regulation in order to remove as many barriers to customers switching provider as possible, and this had probably made it easier for the fraudsters.

A bit of confusion here, I think.

A PAC (Porting Authorisation Code) is obtained from your mobile network provider in order to transfer your phone number to a new provider.

The PUK, (Personal Unblocking Key, PIN Unlock Key, etc.) is used to unblock your SIM when you have entered an incorrect lock PIN too many times.

A new SIM to replace one that's lost or damaged can be obtained from your network, by ordering online or by phone or by walking into their high street shop. The lack of security in this process that fraudsters take advantage of, thereby taking over the target's phone service with the new SIM fitted in a handset, is, as I understand it, the most common method of 'SIM Swap' fraud.

masonic

eDicky wrote: »

A bit of confusion here, I think.

Yes, thanks. I was getting my acronyms mixed up.

I'm sure you are right that a SIM swap to another by the same provider is most common. Come to think of it I had to do this not so long ago because I bought a new phone and had to change from a micro-SIM to a nano-SIM. I'm sure there are quite a few excuses that could be used.

Sea_Shell

Thanks for all the information, i do feel reassured (i think!?!)

I never open 'odd' looking e-mails, they get moved straight to spam.
I have paperless billing/statements on most accounts, so not much paper to shred.
I log in to my Internet banking regularly, and have multiple accounts so not reliant on any one of them. Although if our main "hub" account was breached, that would be a right pain.
I will ensure to keep a beady eye on my mobile phone signal.
I'm going to see if I can find out what my MPP have by way of security if a SIM swap is requested.
I'll continue to not post stuff on FB, and will also remove any 'likes' I have to financial institutions.

Like a few of you have mentioned, this is probably happening on a smaller scale every day to lots of people, but goes unreported (to the wider world).

I think the MPP's have to step up their game to ensure that a SS request is challenged and verified.

Surely just a quick call back or text to the number asking to be moved would help...then at least you'd have the chance to say, NO, I did not request this!!!! (as you'd still be in possession of your number at this point)

Also have others have said....there must be more to some of these stories too....somehow they must surely have given something away to somebody, whether they realise or not.

Good to know though that in a genuine case of fraud, the bank will recompense you.

marlot

RG2015 wrote: »

Yes, I am a bit lost myself.

How exactly can my SIM be swapped and then someone reset all my banking credentials?

Surely I would notice if my mobile phone stopped working.

You might. But if you're in the home and your phone is connected to wifi, you might not? Or you might assume that the local mast is down temporarily?


Even if you do notice, can you act quickly enough to prevent the fraud?

Browntoa

Interesting article here

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/

Part social engineering , part "friendly" store staff or call centre staff

molerat

Interesting point in the article, nothing random about those affected. Lots of information has already been accumulated, probably a bit like the old fashioned mugs lists.

SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering. Laying the groundwork for a SIM swap scheme involves collecting as much information about the victim as possible. Fraudsters might send phishing mail messages that impersonate legitimate businesses like credit card companies and health insurers intended to fool victims into forking over their legal names, dates of birth, addresses, and phone numbers. Unfortunately, many people can!!!8217;t tell the difference between real emails and phishing emails. Alternatively, they might scrape public websites, social media, and data dumps from criminals who specialize in collecting personal data.

AnotherJoe

EachPenny wrote: »

There is absolutely no excuse for any organisation to still use mother's maiden name as any kind of 'security' question. (aned if you are asked for this, don't use the real one)

This is one my my main bugbears, when asked any of these type of questions; maiden name, first school, first car, make up an answer don't use the real one. This is how celebs iCloud accounts were hacked a few years back, all that info available on line. And much of this sort of info is available online for "ordinary folk" these days via Facebook etc.

So, when setting up new accounts that insist on this type of question, use made up names, not the real ones. This may also mean you need a safe way to store that data such as a password app. Or you could be consistent and your first school, motHers maiden name, is always the same consistently across websites. Eg your mother's maiden name might always be be "moneysavingexpert" first school "trump High" and so on.

robatwork

Browntoa wrote: »

Interesting article here

https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/

Part social engineering , part "friendly" store staff or call centre staff

This article lost me at:

It never hurts to exercise due diligence. Blaich recommends checking with your cellphone company every couple of weeks to see if any SIM cards have been issued without your knowledge.

That's proposing millions of calls from millions of customers every 2 weeks to ask a question that will be met with confusion. Preposterous.

masonic

robatwork wrote: »

It never hurts to exercise due diligence. Blaich recommends checking with your cellphone company every couple of weeks to see if any SIM cards have been issued without your knowledge.

That's proposing millions of calls from millions of customers every 2 weeks to ask a question that will be met with confusion. Preposterous.

Yes, not to mention that some companies hand out SIM cards left right and centre, distributing them as widely as possible in the hope of attracting new customers.

where_are_we

As a victim of this current sim-swap/TSB fraud my advice is beware of losing your mobile network. I contacted them asap and they put a stop on the new sim but it was too late. I am mystified why they don`t text to inform a sim-swap has been applied, for but was told that this wasn`t necessary. "Don't open attachments in emails. In fact, have your emails in plain text only - it's obvious then if it is a phishing attempt.

Have robust passwords that are unique for each account

Use 2 factor authentication as much as you can"
I rigidly adhere to all of this but TSB don`t "do" 2 factor authentication.
I am changing all my security answers eg place of birth, first school, mothers maiden name to something ficticious because all of this stuff is available on the "wonderful" internet.