
SIM swapping: The new ATM con game?

For every ATM innovation, there's a criminal network looking to exploit it for ill-gotten gains.

August 28, 2013 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications

In the late 19th century, there was the "Spanish Prisoner" scam, in which the "mark" was told that by paying a bribe, he could free a Spanish noble from prison — whereupon said noble would be so grateful as to shower the mark with buckets of pesetas. 

With the Internet age, the Spanish Prisoner has become a Nigerian Prince. And amazingly, people continue to fall for this shopworn gambit.

No less amazing, customers still give out sensitive information by phone and email to phishing scammers, despite repeated warnings from their FIs that they should never, never, ever divulge passwords and account numbers by phone or email.

One of the latest cons is SIM swapping, which is the second phase of a phishing scam. Though not as profitable as large-scale hacking and skimming, it has an appeal to criminal gangs looking for a low-cost, low-risk, high-reward, EMV-circumventing racket.

With just some basic personal information acquired by phishing, a criminal can commandeer the mobile account of an unknowing victim, intercepting or initiating calls, texts and authorizations such as those used for mobile prestaging and cash transfers via ATM.

ATM Marketplace recently put questions about the hazard of SIM swapping to Pat Carroll, the founder and CEO of ValidSoft, a company that specializes in the prevention of electronic fraud.

ValidSoft has developed a proprietary system to detect fraudulent SIM swaps (there are legit swaps, too, which might occur if the SIM card in your smartphone fails, for instance). An implementation of the solution by Santander UK was named Best Security Initiative in the 2012 Banking Technology Awards.


Q: What exactly is SIM swapping?

A: SIM swap fraud is a type of spear phishing (i.e., targeted) attack. SIM swap fraud is committed when a fraudster, using social engineering techniques, dupes the victim's mobile phone operator into porting the victim's mobile number to a SIM in the possession of the fraudster and so starts receiving any incoming calls and text messages, including banking one-time-passcodes that are sent to the victim's phone.

The fraudster can then perform transactions ... using credentials gathered by other techniques such as phishing or key loggers, and when the bank sends a one-time-passcode via SMS, the fraudster receives it and completes the authorisation of the transaction.

Q: Are we talking about small-time crooks here, or organized criminal gangs?

A: SIM Swap attacks are effectively an extension of phishing attacks, key loggers, etcetera, which are generally based on organised groups.

When banks introduced measures such as one-time-passcodes delivered via SMS, they did so to combat phishing attacks and Trojans such as key loggers. The fraudsters therefore require these OTPs to be successful and SIM swapping is how they do it.

Whilst the attacks are highly targeted, the targeting is simply based on a set of users who have been phished or key logged and whose banking credentials are already in the hands of the fraudsters.
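The two answers above describe the sequence the bank sees: credentials already stolen, a number moved onto the fraudster's SIM, then an SMS one-time passcode that the bank treats as proof the genuine customer is present. The following is an added example, not ValidSoft's product or any operator's real interface, of the bank-side check that breaks that sequence: before trusting an SMS passcode, ask the operator when the SIM behind the number last changed or the number was last ported, and refuse to rely on the SMS channel inside an assumed 72-hour cool-off window. The operator lookup, the phone numbers (from the UK reserved 07700 900xxx range) and the timestamps are all constructed for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Policy window (assumed value): an SMS passcode is not trusted when the SIM behind
# the number changed, or the number was ported, within this long before the request.
SWAP_COOLOFF = timedelta(hours=72)


@dataclass
class SimStatus:
    msisdn: str
    last_sim_change: Optional[datetime]  # last time the SIM (ICCID/IMSI) behind the number changed
    last_port: Optional[datetime]        # last time the number moved to another operator


@dataclass
class Decision:
    allow_sms_otp: bool
    reason: str


# Fixed "current time" so the example is deterministic.
NOW = datetime(2013, 8, 28, 12, 0)

# Constructed stand-in for the operator's subscriber records; these numbers belong to nobody.
OPERATOR_RECORDS = {
    "+447700900001": SimStatus("+447700900001", NOW - timedelta(hours=2), None),
    "+447700900002": SimStatus("+447700900002", NOW - timedelta(days=30), None),
    "+447700900003": SimStatus("+447700900003", None, NOW - timedelta(days=1)),
}


def lookup_sim_status(msisdn: str) -> Optional[SimStatus]:
    """Stand-in for a query to the mobile operator; returns None for unknown numbers."""
    return OPERATOR_RECORDS.get(msisdn)


def assess_sms_otp(msisdn: str, now: datetime,
                   lookup: Callable[[str], Optional[SimStatus]] = lookup_sim_status) -> Decision:
    """Decide whether an SMS one-time passcode sent to this number can be trusted right now."""
    status = lookup(msisdn)
    if status is None:
        # Fail closed: with no operator data there is no basis for trusting the channel.
        return Decision(False, "no operator record for number; use another channel")
    for label, changed_at in (("SIM change", status.last_sim_change),
                              ("number port", status.last_port)):
        # A timestamp in the future (clock skew) also counts as recent; stay conservative.
        if changed_at is not None and now - changed_at < SWAP_COOLOFF:
            return Decision(False, f"{label} within cool-off window; step up authentication")
    return Decision(True, "no recent SIM change or number port")


def authorize_transfer(msisdn: str, otp_entered: str, otp_sent: str, now: datetime) -> str:
    """Bank-side authorisation step for an SMS-confirmed transfer.

    Returns "approved", "rejected" (wrong passcode) or "step_up_required" (passcode
    correct or not, the SMS channel cannot be trusted because of a recent SIM swap/port).
    """
    decision = assess_sms_otp(msisdn, now)
    if not decision.allow_sms_otp:
        # Even a correct passcode only proves that *someone* now holds the SIM.
        return "step_up_required"
    return "approved" if hmac.compare_digest(otp_entered, otp_sent) else "rejected"


if __name__ == "__main__":
    for number in list(OPERATOR_RECORDS) + ["+447700900099"]:
        d = assess_sms_otp(number, NOW)
        print(number, "allow SMS OTP:", d.allow_sms_otp, "-", d.reason)
    print(authorize_transfer("+447700900001", "482913", "482913", NOW))
```

The point of the design is that the check runs before the passcode comparison, so a correct code entered after a recent swap never counts as proof of the customer's presence; the bank falls back to a channel the fraudster does not control (a branch visit, a callback to a registered landline, or an app-bound authenticator). The window length and the fail-closed handling of unknown numbers are policy choices that should be set from the bank's own fraud data.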

Q: How widely has it been attempted?

A: Intriguingly, there are significant regional variations — SIM swapping isn't publicized in the U.S. (but is still a likely threat for GSM-based networks), but relatively common in Australia, Brazil, Malaysia, Mexico, Portugal, South Africa and increasingly so in the U.K.

Q: In the case of a SIM swap, where does the responsibility for the incident lie — with the cardholder, the telco, or the bank?

A: The financial responsibility in terms of loss lies with the bank. Fraudsters have targeted the discrepancy between how banks use telecommunications to try to communicate securely with their customers and how mobile network operators secure their data.

Fraudsters are adept at identifying the weakest link in the security chain and fully exploiting any anomalies. If the fraudster can compromise the account ownership process of the operator, then they can compromise the secure communications process of the bank by "taking over" the genuine customer's phone.

This is exactly what happens with SIM swap fraud and is a relatively easy fraud vector for the determined fraudster since they can capitalize on the operator's desire to provide good and quick customer service (and to preserve revenue streams).

The issue has caused significant consternation amongst the banks and has forced the operators to respond to criticism. In Australia for instance, the mobile network operators have specifically stated that banks should not use SMS within security solutions as it is not considered a secure medium.

Q: How big a threat does SIM swapping pose — in terms of actual financial loss and loss of consumer confidence?

A: SIM Swap fraud is hitting the banks' bottom line and could erode customers' trust in the mobile, not only as a mechanism for receiving relatively simple security codes, but as a banking and payment device overall.

With the industry investing so much capital into the mobile banking and payments platform, trust in that platform and the integrity of the networks is essential.

While the financial cost is significant in terms of the actual fraud (the fraudster gets one attempt and will aim to "clear the a/c out"), the loss of consumer faith in the mobile device as a banking tool could be far greater.

Pat Carroll, ValidSoft CEO

Patrick Carroll is founder and CEO of ValidSoft, where he leads the R&D function and is responsible for intellectual property and new patents. Prior to founding ValidSoft, Carroll was employed as head of electronic trading technology in Europe for Goldman Sachs International. He has also worked in a senior capacity with J.P. Morgan, Credit Suisse Financial Products and Bankers Trust Company.


Need to know more about Mobile/ATM security issues? Get an in-depth view at the first annual ATM & Mobile Executive Summit on Sept. 25–26 in Washington D.C.

Further information about the summit is available at the summit website. Those interested in attending the summit can save $700 by using the code CLUCKEY at registration.


photo: mike licht

About Suzanne Cluckey

Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.

©2025 Networld Media Group, LLC. All rights reserved.