In a scary new mobile-banking fraud scheme, criminals are tricking mobile network operators into swapping out the SIM cards in customers' mobile phones and then using illegally obtained data to drain victims' funds from their bank accounts.
Though the scam is relatively new and so far centers mostly on corporate accounts and individuals with high net worth, banks are getting nervous about its potential to wreak broader havoc, analysts suggest.
Now ValidSoft Ltd. believes it has developed a means to help banks spot such suspicious activity before the damage is done.
The complex scam requires multiple steps, including stealing victims' mobile phone identity credentials and hacking into their bank accounts via elaborate phishing, data theft or social-media engineering.
Once crooks have obtained a victim's mobile device ID numbers, they contact the wireless service provider to report having lost the device and request that the network send the accountholder's identity credentials to a new, replacement mobile phone number the criminals control, explains Patrick Carroll, CEO of Offaly, Ireland-based ValidSoft.
Next, the criminal uses the accountholder's illegally obtained login information to take over the victim's bank account and prompts the bank to send a one-time passcode authorizing a funds transfer.
"The criminal has a brief window of time to clean out a victim's account, and in many cases they finish the job by calling the mobile network back to request restoration of the original phone number, to allay suspicion," Carroll says.
The majority of such attacks involve shifting SIM card credentials from one mobile handset number to another within the same network, Carroll says.
"It only takes about 10 minutes to complete the switch if the criminal asks for a new mobile phone credential from the stolen phone's same network," he says.
So far this type of heist is occurring in the United Kingdom and in Australia, where the use of such passcodes for funds transfers is more common, Carroll notes.
But as banks begin relying more heavily on one-time passcodes for mobile-banking authorizations, this type of fraud may spread to the U.S., Avivah Litan, a vice president and analyst at Gartner Group, tells PaymentsSource.
"Criminals have to go through a whole lot of steps and work in order to pull off one of these, but if they identify a customer with a big account with a lot of money, a whale, it's worth the trouble," she says.
Corporate customers with wire-transfer capabilities are most vulnerable, Litan notes.
Because criminals have hijacked an accountholder's passwords, banks typically have no way of knowing they are authorizing funds transfers to criminals.
ValidSoft hopes to help block this type of crime with a feature embedded in its core bank-security offerings that enables banks to flag transactions tied to possible SIM card swaps, Carroll says. Banks may request a customized version of the service from ValidSoft; costs vary based on their scale, he notes.
"We apply a lot of logic and math to signal a bank that the transaction in question may be tied to a possible SIM card-swap," he says, noting ValidSoft's proprietary technology to spot the fraud also relies on the cloud-based Adeptra Risk Intervention Platform.
Banks warned of a possible scam may suspend such transactions temporarily until they verify their legitimacy, usually by directly contacting the cardholder, Carroll says.
Once banks are made aware that a possible crime is in progress, their methods for verifying transactions may vary, he says.
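A bank-side screening rule of the kind the article describes, written here as an added example: it is not ValidSoft's product logic (which the article does not disclose), and it assumes the bank receives SIM change timestamps for each customer's number from the mobile operator. The phone numbers, timestamps and time windows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (assumption, not a real operator feed): SIM change
# events as a bank might receive them, keyed by the customer's mobile number.
SIM_CHANGE_EVENTS = {
    "+447700900001": [datetime(2011, 6, 1, 9, 5), datetime(2011, 6, 1, 9, 40)],  # swap, then swap back
    "+447700900002": [datetime(2011, 5, 2, 14, 0)],                               # routine replacement weeks ago
    "+447700900003": [],                                                          # no change on record
}

SWAP_WINDOW = timedelta(hours=24)   # assumed: any SIM change this recent is treated as risky
RESWAP_WINDOW = timedelta(hours=2)  # assumed: two changes this close suggest swap-and-restore


@dataclass
class Transfer:
    account: str
    mobile: str            # number the one-time passcode is sent to
    amount: float
    requested_at: datetime  # when the passcode-authorized transfer was submitted


def assess_transfer(t: Transfer, events=SIM_CHANGE_EVENTS) -> dict:
    """Return {'decision': 'approve'|'hold', 'reasons': [...]} for one transfer.

    'hold' means the bank suspends the transfer and verifies it with the
    accountholder out of band before releasing it, as the article describes.
    """
    reasons = []
    # Only SIM changes that happened before the transfer request are relevant.
    changes = sorted(ts for ts in events.get(t.mobile, []) if ts <= t.requested_at)
    if changes:
        age = t.requested_at - changes[-1]
        if age <= SWAP_WINDOW:
            reasons.append(f"SIM changed {age} before transfer")
        if len(changes) >= 2 and changes[-1] - changes[-2] <= RESWAP_WINDOW:
            reasons.append("two SIM changes in quick succession (swap then restore)")
    return {"decision": "hold" if reasons else "approve", "reasons": reasons}


if __name__ == "__main__":
    demo = Transfer("ACME-CORP", "+447700900001", 250000.0, datetime(2011, 6, 1, 9, 30))
    print(assess_transfer(demo))
```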
One large bank with global customers is deploying ValidSoft's service with its high-net-worth customers, Carroll says, declining to name the bank.
"There is a great deal of caution among banks right now in broadcasting their awareness of emerging new fraud schemes and what type of bulwarks they have set up to protect themselves," he says.
SIM card-swap fraud is relatively small, but it could be devastating to specific banks and individuals, Litan suggests.
"Banks are looking for protections from this type of fraud, although at this point it is a fairly limited threat," she says.
ValidSoft earlier this year announced a separate offering to help banks block broader types of fraudulent mobile banking transactions.