Sim Swap Scamming Prevention Check

By: othalian | 01-12-2018 14:40

Our phones are an integral part of us these days and on so many levels. And they are being used more and more in the two-factor authentication process by various organisations, which include banks and Amazon to name two. However, scammers too are realising this, which is why "Sim Swap" scams are on the rise.

If you don't know what "Sim Swap" scams are, it's when someone contacts a phone provider and requests a replacement sim card because it was lost, damaged, eaten by the dog, you name it. And, oh, by the way, could you transfer all "my" stuff over to the new sim, please. You, the owner, might not notice it has happened for a few days, and by then the scammer has accessed your bank account, etc.

My suggestion is for us all as a community to come up with a system of quick checks which can be carried out prior to a replacement sim being issued.

Idea 1. You are allocated a PassCode calculated on elements of your profile. No-one would know which elements are used to create this PassCode so it would be hard to recreate if not impossible.

Once issued with this PassCode you would be required to print it off and keep it safe. The page would have just enough information on it to remind YOU what the PassCode is for and not anyone else.

Idea 2. You nominate someone as a "Sim Friend", for want of a better name, within your profile. If a sim is requested then your "Sim Friend" would receive an SMS which would ask them to contact you and confirm you did indeed request a replacement sim. Your "Sim Friend" would then press either a "Yes" or "No" link within the message to confirm or decline the request on your behalf. However, this option only works if Giffgaff retains secure servers, of course.

Those are my suggestions, but if someone can provide a better, simpler solution then let's hear it. But we as a community can't just ignore it and hope it won't happen to us. Let's act now and protect us all from these sorts of scams. Also, it might be a great selling point for new members too.

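The "Sim Friend" flow from Idea 2, written up as an added Python sketch (my own illustration, not giffgaff's code or anything from the original post). It assumes a server-side secret, a request lifetime and that every "Yes"/"No" link is single-use and bound to one request, so a guessed or replayed link cannot approve a swap and a request nobody answers simply lapses.

```python
import hashlib
import hmac
import secrets
import time

class SimSwapGuard:
    """Holds SIM replacement requests until the account's nominated 'Sim Friend' decides."""

    def __init__(self, server_secret, ttl_seconds=3600, now=time.time):
        self._secret = server_secret      # assumed: kept server-side only
        self._ttl = ttl_seconds           # a request nobody answers simply lapses
        self._now = now                   # injectable clock for testing
        self._pending = {}                # request_id -> request record

    def _token(self, request_id, decision):
        # The link token binds both the request and the answer, so the "No"
        # link can never be replayed as a "Yes", and guessing a link is infeasible.
        msg = f"{request_id}:{decision}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_swap(self, account, sim_friend_number):
        """Record the request; the SMS built here would go to sim_friend_number (sending not modelled)."""
        request_id = secrets.token_hex(8)
        self._pending[request_id] = {"account": account, "decided": None,
                                     "expires": self._now() + self._ttl}
        tokens = {d: self._token(request_id, d) for d in ("yes", "no")}
        sms = (f"{account} has asked for a replacement SIM. Please call them to check. "
               f"Yes: https://example.invalid/swap/{request_id}/{tokens['yes']} "
               f"No: https://example.invalid/swap/{request_id}/{tokens['no']}")
        return request_id, tokens, sms

    def decide(self, request_id, decision, token):
        """Handle a click on one of the links; every link is single-use."""
        req = self._pending.get(request_id)
        if req is None or req["decided"] is not None:
            return "rejected"                 # unknown request or already answered
        if self._now() > req["expires"]:
            req["decided"] = "expired"
            return "expired"
        if decision not in ("yes", "no") or \
                not hmac.compare_digest(token, self._token(request_id, decision)):
            return "rejected"                 # tampered or guessed link
        req["decided"] = decision
        return "approved" if decision == "yes" else "declined"

    def may_issue_sim(self, request_id):
        """The agent's check before any SIM is issued: only an explicit 'Yes' passes."""
        req = self._pending.get(request_id)
        return req is not None and req["decided"] == "yes"
```

The agent-side check is `may_issue_sim`, which only passes after the nominated contact has clicked the valid "Yes" link within the lifetime.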
Comments

by: poorben
on: 09-01-2019 09:16

The point of "two factor authentication" is that allowing access to a system is based on two independent transmission systems (internet and SMS) and/or two independent properties (such as something you know (password) and something you have (phone)). Neither factor on its own is secure (because of the need for "availability" and the existence of the "confidentiality-integrity-availability trade-off"), but having both factors makes the whole slightly more secure than the sum of the parts (compromising both mechanisms for the same user at the same time is harder than compromising one mechanism).

SIM swap scams are simply demonstrating how the SMS mechanism can be attacked (though an attacked person would notice fairly quickly as their original SIM would be disabled and they would immediately lose phone and data service, would contact an agent, would be told their SIM had been swapped, would say "no it wasn't" and would raise a flag that something was up).

Mechanisms such as the ones described here attempt to reduce the "availability" of a SIM swap facility (by adding hurdles) thereby increasing the "integrity" of the facility (due to the trade-off mentioned above). Each mechanism adds its own issues (what if you lose the printout of a passcode, what if your sim friend is ill or on holiday) and adds its own vulnerabilities (if I compromise your friend then I compromise you).

The problem is the internet has a culture of everything being available instantly, and so most security mechanisms (such as password reset) have to emphasise availability rather than confidentiality or integrity. A badly designed security mechanism can make things worse (imagine a rule that says you must change your password every day).

Overall, I am not sure either of these mechanisms would help. A simpler idea would be that GG have diverse contact data and use all of them (email, letter to your CC billing address, banner in your GG dashboard, social media PM, etc.) to tell you that a SIM swap has been requested; then there is less chance that a rogue SIM swap would go unnoticed long enough to be effective.

by: persco
on: 30-01-2019 07:39

I still think 2Factor Authorisation will solve this issue. It's a feature that is already being used elsewhere and giffgaff can adopt.

by: blueleather
on: 31-01-2019 17:24

Two factor authorisation is a well tested method, quite reliable.

by: stevwarn
on: 31-03-2019 06:59

Concur, 2FA and more robust security features to stop SIM swap fraud are well overdue!

by: gvmhb
on: 06-01-2019 11:37

Not sure that I like either of these ideas. I'd like to know more about how the scammers manage to get your account information.

by: star8413
on: 23-06-2019 16:20

marvellous

by: peterg92
on: 22-05-2019 16:27

Sounds good

by: haseebhejazi
on: 24-04-2019 22:31

good lu

by: limes03
on: 28-03-2019 17:04

Sounds wise. Probably best to make it utterly personal and, from someone else's point of view, random. Inventing one's own security question and answer at a late stage in the setup works. Recommend that the user does not use biographical details, or only very trivial ones which no one else knows, like: "Why didn't you buy the orange juice on George's birthday?", "Because I got a puncture.", for example; better yet, utterly fictional but memorable.

One could add a level by splitting user input between devices: enter your question/s via a computer and text the answer/s by phone, for example. In that way, if one device is already compromised, the full combination is still unknown to a scammer. For a legitimate SIM request the user would simply answer those questions. As, for verification purposes, the user would only need one device, the advice would be to reset the questions and answers using two devices quite soon.

At the server end, including precise times elapsed between items of data entered during set-up adds a better than pseudorandom element to the maths which differs from user to user. With good data separation that should be reasonably secure.

by: helen_starkey
on: 17-03-2019 19:46

Amazing idea, think this would be great, well done.

by: emmalouisep93
on: 27-02-2019 14:00

Good luck.