Defeating Sim Card fraud

With the increase in the use of mobile phones, and the now widespread ownership of smart devices, the banking industry globally has taken advantage of this shift to encourage its customers to do more of their transactions using mobile banking. “Mobile banking allows customers to conduct financial transactions remotely using a mobile device.”

The proliferation and convenience of mobile banking is not without its drawbacks. Customers have woken up to find their money stolen from their bank accounts without remedy. There is an ongoing “arms race” between hackers and security practitioners like me to improve the security of the platform and processes, by ensuring that people deploy simple but effective measures to reduce the prevalence of this type of fraud. Hackers and fraudsters have moved to SIM swap fraud to defeat all the security measures deployed by the banks. SIM swap fraud “is a type of account takeover fraud that generally targets a weakness in two-factor authentication (2FA) and verification in which the second factor or step is a text message (SMS) or a call placed to a mobile telephone”.

In the UK, 9.1 million pounds was lost to this type of fraud alone in 2019. There has also been a considerable upswing in this fraud in Africa, and specifically in Nigeria, where the capability of hackers has been increasing in leaps and bounds. Thankfully, compulsory SIM card registration and the inability of fraudsters to completely obfuscate traceability have caused apprehension and, recently, conviction rates to increase in Nigeria. But we need to do more to reduce the vulnerabilities that exist with the bank, the Telcos and the customer. Each stakeholder must do their part and act in step to reduce this menace.

Protect your Phone and SIM card with a passcode and pin respectively

Critically following the attacker's steps in a SIM swap fraud, I will be making a few suggestions, based on best practice, as to how to minimise the threat to the customer and the bank, with the Telcos being the intermediary.

Kill chain for SIM swap fraud and mitigation steps

  1. The attacker or hacker gains access to a customer's credentials and mobile phone number.

    Mitigation - The customer should always protect their phone and SIM card with a passcode and PIN respectively. This is quite easy to set up.

  2. Then, using the compromised credentials, the fraudster approaches the Telco to effect a SIM swap. A successful SIM swap gives the fraudster the capability to intercept SMS or telephone call based authentication.

    Mitigation - The Telcos should ask users to set up a secret password for their accounts, which must be used to effect a SIM swap. The secret password should be at least 8 characters long and should be masked from the customer service agent. The agent authenticates the customer by challenging them for 3 letters of the password, and the letter positions requested will change with each call the customer makes. The attacker is unlikely to know this secret password unless the customer has written it down; therefore customers should only choose memorable passwords.

  3. The attacker exploits their foothold by accessing the customer's bank account. Since control of the phone number has been lost to the attacker following the SIM swap, the second factor based on “what you have” (the mobile phone) is intercepted: the SMS OTP is intercepted.

    Mitigation - Banks should continue to deploy AI, by way of fraud watch, to flag unusual customer transactions. Customers should set up both email and SMS alerts, so that if the SMS is intercepted through a successful SIM swap they will still receive the email.

  4. The fraudster completes its overall mission by transferring money to other bank accounts, effectively stealing the customer's deposits.

    Mitigation - Banking KYC should be stringently followed, and bad accounts flagged and quickly closed.
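The partial-password challenge described under step 2, as an added example that is not part of the original post: the Telco's system enforces the 8-character minimum, picks 3 fresh letter positions for each call, shows the agent only those positions, and checks the customer's answers itself so the secret is never displayed. The in-memory store, account id and function names are constructed stand-ins, not any Telco's real system.

```python
import hmac
import secrets

MIN_LENGTH = 8
CHALLENGE_SIZE = 3

# Constructed in-memory stand-ins for the Telco's secure store and the
# per-call challenge tracker. In production the secret belongs in an
# encrypted vault or HSM: a partial-password check needs the individual
# characters, so it cannot be stored as a one-way hash like a login password.
_secure_store: dict[str, str] = {}
_open_challenges: dict[str, tuple[int, ...]] = {}
_rng = secrets.SystemRandom()


def enroll_secret(account_id: str, password: str) -> None:
    """Customer sets the SIM-swap secret; enforce the minimum length."""
    if len(password) < MIN_LENGTH:
        raise ValueError(f"secret must be at least {MIN_LENGTH} characters")
    _secure_store[account_id] = password


def issue_challenge(account_id: str) -> tuple[int, ...]:
    """Pick fresh, distinct 1-based letter positions for this call.

    Only the positions reach the agent's screen (e.g. "3rd, 5th and 9th
    letter"); the secret itself stays masked inside the store.
    """
    length = len(_secure_store[account_id])
    positions = tuple(sorted(_rng.sample(range(1, length + 1), CHALLENGE_SIZE)))
    _open_challenges[account_id] = positions
    return positions


def verify_answers(account_id: str, answers: str) -> bool:
    """Check the letters the customer gave against the open challenge.

    The challenge is consumed whether or not it succeeds, so a wrong guess
    cannot be retried against the same positions, and the comparison is
    constant-time so the agent's tool leaks no timing information.
    """
    positions = _open_challenges.pop(account_id, None)
    if positions is None or len(answers) != CHALLENGE_SIZE:
        return False
    secret = _secure_store[account_id]
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answers.encode())
```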

With all actors playing their part, SIM swap fraud can be reduced to a minimum.
