
These SIM Swap scams....how worried should we be??


Comments

  • Ant2112
    Ant2112 Posts: 2 Newbie
    So I work in Information Security and I think this is something to be worried about.



    We use our phones as an authentication factor; from a 2FA point of view it's usually the "Something you have". If someone can get a new SIM then they have a clone of your phone. Yes, they need to know all sorts of other info about you in order to access your cash, but as someone else said, pretty much everyone has had their data lost by some organisation or other over the last few years. Go check out a website called "Have I Been Powned" (Google it). This is run by a trusted security blogger and allows you to see if your email address has appeared in any of the thousands of data dumps of billions of records that have appeared on the internet and dark web over the last five or six years.

    I agree that having a cloned phone in isolation is of no real use. However, an attacker will attempt to gather information about their target from many sources. The YouTube video called "Amazing mind reader reveals his 'gift" that you should see if you search YouTube for "Mystic Dave" demonstrates this nicely. (Sorry, I can't post links in comments as a new forum user).

    A key concept of information security is "Defense in Depth" which means protect at every stage to ensure one failing doesn't expose an entire system. A corollary to this concept would be the "gather everything" approach that attackers take when targeting someone.



    Remember that successful attacks use social engineering, not just against you, but against the support center staff, the phone shop staff (for obtaining the SIM) and anyone else they need to con. Social Engineers (Con artists) are very convincing, they will spin a convincing tale and use advanced psychological techniques to manipulate people.


    Anyhow, sorry for the ramble, in short, yes you should be aware of this and make appropriate considerations depending on your overall position. I've recently requested separate physical 2FA devices from the financial institutions I use that support them specifically for this purpose.
  • DCFC79
    DCFC79 Posts: 40,641 Forumite
    Tara_M wrote: »
    Don't do online banking.... simples.

    Yet I do online banking and I've not been SIM swapped or anything fraudulent has happened.
  • Sea_Shell
    Sea_Shell Posts: 10,025 Forumite
    DCFC79 wrote: »
    Yet I do online banking and I've not been SIM swapped or anything fraudulent has happened.

    Ah but the big question is.....Is this by luck, or judgement!!??
    How's it going, AKA, Nutwatch? - 12 month spends to date = 2.60% of current retirement "pot" (as at end May 2025)
  • robatwork
    robatwork Posts: 7,266 Forumite
    Ant2112 wrote: »
    Go check out a website called "Have I Been Powned" (Google it).

    I agree that having a cloned phone in isolation is of no real use. However, an attacker will attempt to gather information about their target from many sources. The YouTube video called "Amazing mind reader reveals his 'gift" that you should see if you search YouTube for "Mystic Dave" demonstrates this nicely. (Sorry, I can't post links in comments as a new forum user).

    It's have I been pwned and is a good and genuine resource

    https://haveibeenpwned.com/

    The Mystic Dave on the other hand is in fact just an advert for a bank and has no business being in your diatribe, unless I am looking at the wrong video. It doesn't demonstrate anything other than the pretty obvious - people can see your Facebook page.
  • Sea_Shell wrote: »
    Ah but the big question is.....Is this by luck, or judgement!!??

    It's by not responding to malicious phishing emails and text messages from scammers.
  • molerat
    molerat Posts: 34,578 Forumite
    !!! wrote: »
    It's by not responding to malicious phishing emails and text messages from scammers.
    Or by posting your details all over social media.
  • masonic
    masonic Posts: 27,210 Forumite
    edited 30 May 2018 at 6:05PM
    !!! wrote: »
    It's by not responding to malicious phishing emails and text messages from scammers.
    ...or by not buying goods and services from any companies who have suffered a data breach.
  • Sea_Shell
    Sea_Shell Posts: 10,025 Forumite
    Well the good news is that my main "official" e-mail has not been pwned!!....so that's a start!!

    I have another which is showing 1 breach...but I don't have any financial connections to that one. And I do tend to give slightly false personal data to sites that use that one. Wrong DOBs and that sort of thing.
    How's it going, AKA, Nutwatch? - 12 month spends to date = 2.60% of current retirement "pot" (as at end May 2025)
This discussion has been closed.