By Advocate Prashant Mali, a noted cyber law expert
Today, a Mumbai newspaper reported that a businessman lost Rs 1.86 crore due to SIM SWAP fraud. Using this technique, the hackers obtained a new SIM in his name and succeeded in transferring money to 14 accounts across the country.
This has been a popular technique among hackers and cases related to SIM SWAP frauds alone has made citizens lose more than Rs 200 crores.
I have clients who have lost money ranging from Rs 1.25 crore to Rs 30,000 using SIM Exchange or SIM Swap. For your knowledge, none of these clients were computer illiterate. As the name suggests, someone may buy a new SIM from the same network provider and start to operate all your banking transactions. The bank will not differentiate between you and the fraudster, as the account is operating from the same number. Even mobile operators are also unable to track such frauds and sometimes abet the crime by faulty KYC checking.
Let us look at how the hackers commit fraud by looking into each step:
1) Fraudsters gather your information: The first step they do is to gather your personal information. Usually, they try to access your personal information by phishing, Vishing, Smishing or by using Trojans or malware. They also try to gather your banking details using the same method.
2) Fraudsters request or visit mobile operator to block your SIM: They approach mobile operator with genuine customer fake ID proof and request operator to block the SIM. They provide the reason as loss of handset or SIM damage.
3) Issuance of new SIM to fraudster: After due verification, a mobile operator issues a new SIM with the same number to a fraudster. This is because even for a mobile operator it is hard to find a genuine customer. They issue the duplicate SIM to a fraudster. Once this new duplicate SIM is issued, then the genuine customer mobile phone will be without a network. Therefore, a genuine customer does not receive the SMS alerts on the phone.
4) Fraudster accesses your bank account with new SIM: Fraudster then initiates financial transactions (from the banking details which he has already stolen) by generating a one-time password (OTP). This new password will be sent to the fraudster’s new SIM but not to a genuine customer. Hence, a genuine customer is kept in the dark.
How do the fraudsters get the bank details?
SIM swapping/exchange is usually phase two of a fraud attack. Initially, they send a phishing email (or other similar phishing attempts) to get all your banking details. These details can also be stolen using Trojans/Malware. They also work towards getting the victim’s personal information and may even go as far as stealing identity and creating fraudulent ID documents.
In order to use all of this gathered information, they need access to the victim’s mobile messages – hence the SIM swap. In some countries, notably India and Nigeria, the fraudster will have to convince the victim to approve the SIM swap by pressing some keys.
Once this happens the victim’s phone will lose connection to the network and the fraudster will receive all the SMS and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls sent to the victim and circumvent any security features of accounts (be they bank accounts, social media accounts etc.) that rely on SMS or telephone calls.
How to protect yourself from such frauds?
If your phone is out of network continuously for a few hours specifically on weekends, then you have to take it seriously and be alert and complain the same to a mobile operator.
Never switch off your mobile for long periods to avoid unwanted calls. Instead, try not to pick them. Otherwise, activate DND (Do Not Disturb) facility for your SIM.
Regularly check your bank account statement.
Register for both email as well as SMS alerts.
Do not share your 20 digits SIM number mentioned on the back of your SIM with anyone
Do not display your mobile number on social media websites.
In these times, any online authentication or new guidelines while issuing duplicate SIM card has become need of the hour to stop SIM Card SWAP frauds.
I think one need to immediately change NetBanking passwords, if phone is out of network continuously for a few hours . This may save a day.