The perils of SIM swap fraud have been highlighted again after an undercover film crew revealed O2 and Vodafone employees apparently handing over replacement cards without carrying out proper identity checks.
Secret filming showed two Vodafone staff failing to follow strict security policies for checking the identity of the person requesting a replacement SIM card in-store, according to the BBC’s Watchdog Live.
Meanwhile, O2 staff failed to check photo ID, which is policy for all monthly contract SIMs. The firm told the program that it also sends an authorization code to any Pay As You Go customers alerting them if someone is trying to use their number, but this was not received during the filming.
Scammers sometimes use SIM swap fraud to spend large sums on premium-rate numbers they run, but increasingly it can also be used to intercept the two-factor authentication codes that banks send so that customers can ‘securely’ access their accounts.
The fraud is made more prevalent not only when telco store employees fail to carry out the proper checks, but also by the large volume of identity data on the dark web, which fraudsters can use to impersonate legitimate customers.
“From a financial institution standpoint, many have already started to make the switch to mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers,” explained Will LaSala, director of security solutions at OneSpan.
“Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.”
SIM swap fraud could also be the result of malicious insiders working with criminal gangs.
In August, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud, allowing criminals to transfer millions from his bank account.