We live in a digital world where more members than ever before are banking online or on their mobile phones. However, online and mobile banking is never 100 per cent safe. There are many fraudsters out there who’ve made it their business to fool you into sharing your financial information by using sophisticated tools that look real to most users.
In all cases, signing up for online banking alerts is a good idea. Alerts are an online banking feature that automatically sends an email and/or a text message to your mobile phone to alert you to certain changes made to your account through online banking.
This morning I had a client who narrated his ordeal to me.
Sims (not his real name) was sitting in his home a fortnight ago when his iPhone suddenly stopped working. Within 75 minutes the fraudsters who had hijacked his phone had, through his online banking, emptied his bank account of KSH.500,000.
When Sims rang the Mobile Operator, it soon emerged that someone posing as him had managed to persuade the mobile network to activate a new SIM card – in effect giving the fraudsters control of his mobile number. The crooks were then able to reset all his mobile banking passwords, using his phone as proof of identity, with the new passwords being sent to the phone.
It appears that fraudsters have identified a significant vulnerability in the way banks are using their customers’ mobiles to identify them – and exploiting it to the max.
“One minute I’m wondering why my phone won’t work, and less than two hours later my bank account has been emptied and I have lost Ksh.500,000/=,” says a still shocked Sims.
“They appear to have used the phone to tell my mobile service provider that I had forgotten all my online bank settings. When my settings were reset, the bank sent a notification to my phone – which of course, went to the fraudsters.”
Before a SIM can be cancelled and reissued, the mobile phone network will ask a number of security questions, which only the phone owner should know the answer to. This suggests that fraudsters have already gathered a considerable amount of information on their victim. The mobile phone companies say these details may have been hoovered up from social media accounts such as Facebook, or possibly bought on the “dark web”. But they also admit that they and the banks need to do more to fight this new menace.
But Sims is just the latest victim of a financial scam that is sweeping Kenya: SIM-swap fraud.
WHAT IS SIM SWAP FRAUD?
SIM Swap fraud is a type of Spear Phishing (targeted) attack. It is more complex than Phishing (duping) and is particularly insidious. The bad news is that a fraudster has decided to target an individual and has sufficient knowledge of the individual’s personal details to be able to carry out these attacks. Also, because the attack is typically cross channel, individuals will not intuitively deduce that they are under attack – how many people would immediately suspect that their bank account was under attack if they suddenly stopped receiving calls on their mobile, for example?
The good news is that there is a technological solution to the problem. It is already possible to tell if a mobile number has been ported, then prevent transactions being authorised using that particular phone unless other indicators suggest the swap was in fact legitimate.
If the banks move quickly they can cut off yet another of the fraudster’s routes into our money and at the same time improve their own customer service. SIMple!
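The check described above (detect a recent SIM change, then refuse phone-authorised actions unless other indicators support the swap) could look like the sketch below. It is an added example, not code from any bank or operator: the 72-hour hold, the field names and the decision labels are assumptions, and the timeline is constructed from the 75-minute case in this article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value (not from the article): how long after a SIM change
# the phone number is not trusted on its own.
SIM_CHANGE_HOLD = timedelta(hours=72)

@dataclass
class AuthRequest:
    action: str                          # "transfer" or "credential_reset"
    requested_at: datetime
    last_sim_change: Optional[datetime]  # reported by the operator; None = lookup failed
    known_device: bool = False           # device enrolled before the SIM change
    verified_out_of_band: bool = False   # e.g. swap confirmed in branch with ID

def decide(req: AuthRequest) -> str:
    """Return 'allow', 'step_up' or 'block' for a phone-authorised request."""
    if req.last_sim_change is None:
        return "step_up"   # no SIM data: never rely on SMS alone
    age = req.requested_at - req.last_sim_change
    if age >= SIM_CHANGE_HOLD:
        return "allow"     # SIM has been stable long enough
    # Recent SIM change (a negative age, i.e. inconsistent clocks, lands here too).
    if req.verified_out_of_band:
        return "allow"     # other indicators say the swap was legitimate
    if req.action == "credential_reset":
        return "block"     # reset codes would be delivered to the new SIM
    return "step_up" if req.known_device else "block"

def replay_case() -> list:
    """Constructed timeline modelled on the case above: transfer 75 min after the swap."""
    swap = datetime(2024, 1, 1, 10, 0)   # constructed timestamp
    events = [
        AuthRequest("credential_reset", swap + timedelta(minutes=20), swap),
        AuthRequest("transfer", swap + timedelta(minutes=75), swap),
        AuthRequest("transfer", swap + timedelta(days=4), swap),
    ]
    return [decide(e) for e in events]

if __name__ == "__main__":
    print(replay_case())
```

With this policy both the password reset and the transfer in the first 75 minutes are refused, while a transfer four days later goes through as normal.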