
Sim Swap Scamming Prevention Check

By: othalian | 01-12-2018 14:40

Our phones are an integral part of us these days and on so many levels. And they are being used more and more in the two factor authentication process by various organisations, which include banks and Amazon to name two. However, scammers too are realising this, which is why "Sim Swap" scams are on the rise.

If you don't know what "Sim Swap" scams are, it's when someone contacts a phone provider and requests a replacement sim card because it was lost, damaged, eaten by the dog, you name it. And oh by the way could you transfer all "my" stuff over to the new sim, please. You, the owner, might not notice it has happened for a few days and by then the scammer has accessed your bank account, etc.

My suggestion is for us all as a community to come up with a system of quick checks which can be carried out prior to a replacement sim being issued.

Idea 1. You are allocated a PassCode calculated on elements of your profile. No-one would know which elements are used to create this PassCode so it would be hard to recreate if not impossible.

Once issued with this PassCode you would be required to print it off and keep it safe. The page would have just enough information on it to remind YOU what the PassCode is for and not anyone else.

Idea 2. You nominate someone as a "Sim Friend", for want of a better name, within your profile. If a sim is requested then your "Sim Friend" would receive an sms which would ask them to contact you and confirm they did indeed request a replacement sim. Your "Sim Friend" would then press either a "Yes" or "No" link within the message to confirm or decline the request on your behalf. However, this option only works if Giffgaff retains secure servers of course.

Those are my suggestions but if someone can provide a better, simpler solution then let's hear it. But we as a community can't just ignore it and hope it won't happen to us. Let's act now and protect us all from these sorts of scams. Also, it might be a great selling point for new members too.
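
A sketch of how Idea 1 and Idea 2 above could be built so that their strength rests on a key held only by the operator rather than on keeping the recipe secret. This is an added example, not part of the original post and not giffgaff's code; the function names, profile fields, salt and key handling are all assumptions.

```python
import base64, hashlib, hmac, secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the operator

def _mac(*parts: str) -> bytes:
    # Length-prefix every part so ("ab", "c") and ("a", "bc") give different MACs.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_passcode(member_id: str, profile: dict, salt: str) -> str:
    """Idea 1: printable PassCode bound to the profile; useless to guess without the key."""
    fields = [f"{k}={profile[k]}" for k in sorted(profile)]
    raw = _mac("passcode", member_id, salt, *fields)[:10]   # 80 bits
    code = base64.b32encode(raw).decode()                   # exactly 16 characters
    return "-".join(code[i:i + 4] for i in range(0, 16, 4))

def verify_passcode(member_id: str, profile: dict, salt: str, presented: str) -> bool:
    # Recompute and compare in constant time; a profile change requires re-issuing.
    expected = issue_passcode(member_id, profile, salt)
    return hmac.compare_digest(expected.encode(), presented.strip().upper().encode())

def friend_link_token(request_id: str, answer: str, expires: int) -> str:
    """Idea 2: value carried in the "Yes"/"No" link sent to the Sim Friend."""
    tag = _mac("friend", request_id, answer, str(expires)).hex()[:32]
    return f"{request_id}.{answer}.{expires}.{tag}"

def check_friend_link(token: str, now: int) -> Optional[str]:
    """Return "yes"/"no" for a genuine, unexpired link, otherwise None."""
    try:
        request_id, answer, expires, _tag = token.split(".")
        good = friend_link_token(request_id, answer, int(expires))
    except ValueError:
        return None
    if not hmac.compare_digest(good.encode(), token.encode()) or now > int(expires):
        return None
    # A real service would also record request_id so each link works only once.
    return answer if answer in ("yes", "no") else None

# Constructed sample data, not real member details.
PROFILE = {"postcode": "ZZ99 9ZZ", "dob": "1970-01-01"}
SALT = "constructed-per-account-salt"
```
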


by: poorben
on: 09-01-2019 09:16

The point of "two factor authentication" is that allowing access to a system is based on two independent transmission systems (internet and SMS) and/or two independent properties (such as something you know (password) and something you have (phone)). Neither factor on its own is secure (because of the need for "availability" and the existence of the "confidentiality-integrity-availability trade-off") but having both factors makes the whole slightly more secure than the sum of the parts (compromising both mechanisms for the same user at the same time is harder than compromising one mechanism).

SIM swap scams are simply demonstrating how the SMS mechanism can be attacked (though an attacked person would notice fairly quickly as their original SIM would be disabled and they would immediately lose phone and data service, would contact an agent, would be told their SIM had been swapped, would say "no it wasn't" and would raise a flag that something was up).

Mechanisms such as the ones described here attempt to reduce the "availability" of a SIM swap facility (by adding hurdles) thereby increasing the "integrity" of the facility (due to the trade-off mentioned above). Each mechanism adds its own issues (what if you lose the printout of a passcode, what if your sim friend is ill or on holiday) and adds its own vulnerabilities (if I compromise your friend then I compromise you).

The problem is the internet has a culture of everything being available instantly, and so most security mechanisms (such as password reset) have to emphasise availability rather than confidentiality or integrity. A badly designed security mechanism can make things worse (imagine a rule that says you must change your password every day).

Overall, I am not sure either of these mechanisms would help. A simpler idea would be that GG have diverse contact data and they use all of them (email, letter to your CC billing address, banner in your GG dashboard, social media PM, etc) to tell you that a SIM swap has been requested; then there is less chance that a rogue SIM swap would go unnoticed long enough to be effective.

by: persco
on: 30-01-2019 07:39

I still think 2Factor Authorisation rather will solve this issue. It’s a feature that is already being used elsewhere and that giffgaff can adopt.

by: blueleather
on: 31-01-2019 17:24

Two factor authorisation is a well tested method, quite reliable.

by: stevwarn
on: 31-03-2019 06:59

Concur. 2FA and more robust security features to stop SIM swap fraud are well overdue!

by: gvmhb
on: 06-01-2019 11:37

Not sure that I like either of these ideas. I'd like to know more about how the scammers manage to get your account information.

by: ikkyh56
on: 18-07-2020 22:34

Good idea

by: justeena1
on: 27-06-2020 00:41

Yes please

by: nafis40
on: 19-06-2020 20:28

I like this idea

by: natasa80
on: 09-06-2020 09:32

This could work OK

by: mr09
on: 22-05-2020 21:59


by: hcs22
on: 16-05-2020 12:55

More robust processes in this area would be a good thing.

by: snus1
on: 10-05-2020 11:42

Brilliant idea