
Sim Swap Scamming Prevention Check

By: othalian | 01-12-2018 14:40

Our phones are an integral part of us these days and on so many levels. And they are being used more and more in the two-factor authentication process by various organisations, which include banks and Amazon, to name two. However, scammers too are realising this, which is why "Sim Swap" scams are on the rise.

If you don't know what "Sim Swap" scams are, it's when someone contacts a phone provider and requests a replacement sim card because it was lost, damaged, eaten by the dog, you name it. And oh, by the way, could you transfer all "my" stuff over to the new sim, please. You, the owner, might not notice it has happened for a few days, and by then the scammer has accessed your bank account, etc.

My suggestion is for us all as a community to come up with a system of quick checks which can be carried out prior to a replacement sim being issued.

Idea 1. You are allocated a PassCode calculated on elements of your profile. No-one would know which elements are used to create this PassCode so it would be hard to recreate if not impossible.

Once issued with this PassCode you would be required to print it off and keep it safe. The page would have just enough information on it to remind YOU what the PassCode is for and not anyone else.

Idea 2. You nominate someone as a "Sim Friend", for want of a better name, within your profile. If a sim is requested then your "Sim Friend" would receive an SMS which would ask them to contact you and confirm they did indeed request a replacement sim. Your "Sim Friend" would then press either a "Yes" or "No" link within the message to confirm or decline the request on your behalf. However, this option only works if Giffgaff retains secure servers, of course.

Those are my suggestions, but if someone can provide a better, simpler solution then let's hear it. But we as a community can't just ignore it and hope it won't happen to us. Let's act now and protect us all from these sorts of scams. Also, it might be a great selling point for new members too.
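
Added example, not part of the original post and not giffgaff's code: one way the "Yes"/"No" links from Idea 2 could be made unforgeable, single-use and time-limited, using an HMAC over the request id, decision and expiry. The function names, link path, 15-minute lifetime, in-memory store and sample values are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only on the provider's server
TOKEN_TTL = 15 * 60                   # assumption: links stop working after 15 minutes
pending = {}                          # request_id -> swap request awaiting the friend's answer

def _sign(request_id, decision, expires):
    # The tag binds decision and expiry to one request, so a "no" link cannot be edited into "yes".
    msg = f"{request_id}|{decision}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def open_request(account, friend_number, now=None):
    """Hold a swap as pending and return the Yes/No link paths to text to the Sim Friend."""
    now = int(time.time()) if now is None else now
    request_id = secrets.token_urlsafe(16)
    expires = now + TOKEN_TTL
    pending[request_id] = {"account": account, "friend": friend_number,
                           "expires": expires, "state": "pending"}
    links = {d: f"/simswap/{request_id}/{d}/{expires}/{_sign(request_id, d, expires)}"
             for d in ("yes", "no")}
    return request_id, links

def handle_click(path, now=None):
    """Validate a clicked link; the swap proceeds only on a genuine, in-time, first 'yes'."""
    now = int(time.time()) if now is None else now
    try:
        _, _, request_id, decision, expires, tag = path.split("/")
        expires = int(expires)
    except ValueError:
        return "rejected"          # malformed path
    req = pending.get(request_id)
    if req is None or decision not in ("yes", "no"):
        return "rejected"
    expected = _sign(request_id, decision, expires)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "rejected"          # forged or altered link
    if now > expires:
        return "expired"           # no answer in time: request stays unapproved
    if req["state"] != "pending":
        return "already-used"      # each request can be answered once
    req["state"] = "approved" if decision == "yes" else "declined"
    return req["state"]

if __name__ == "__main__":
    rid, links = open_request("acct-constructed", "+440000000000")  # constructed sample values
    print(handle_click(links["no"]), handle_click(links["yes"]))
```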

Comments

by: ray2
on: 10-01-2019 08:27

I have read that anyone doing a sim swap will now receive a txt to let them know, so if a member did not request it, this can be stopped a lot quicker than finding out in a few days when your phone stops working.

This message is from giffgaff staff ben around this subject

To better protect against SIM swaps that our members are unaware of, we’ve built upon the confirmation email we already send to advise that the SIM swap is in progress - you’ll now receive a SIM swap confirmation text message to your phone where you have the possibility to immediately raise a case with the agents if you were not the one that requested the SIM swap.

Also the link to the whole thread

Security update

by: ungourin
on: 10-01-2019 00:24

very clever

by: adamtheant
on: 09-01-2019 10:48

this would be brilliant

by: mijthebarber
on: 09-01-2019 10:09

very well thought out

by: poorben
on: 09-01-2019 09:16

The point of "two factor authentication" is that allowing access to a system is based on two independent transmission systems (internet and SMS) and/or two independent properties (such as something you know (password) and something you have (phone)). Neither factor on its own is secure (because of the need for "availability" and the existence of the "confidentiality-integrity-availability trade-off") but having both factors makes the whole slightly more secure than the sum of the parts (compromising both mechanisms for the same user at the same time is harder than compromising one mechanism).

SIM swap scams are simply demonstrating how the SMS mechanism can be attacked (though an attacked person would notice fairly quickly as their original SIM would be disabled and they would immediately lose phone and data service, would contact an agent, would be told their SIM had been swapped, would say "no it wasn't" and would raise a flag that something was up).

Mechanisms such as the ones described here attempt to reduce the "availability" of a SIM swap facility (by adding hurdles) thereby increasing the "integrity" of the facility (due to the trade-off mentioned above). Each mechanism adds its own issues (what if you lose the printout of a passcode, what if your sim friend is ill or on holiday) and adds its own vulnerabilities (if I compromise your friend then I compromise you).

The problem is the internet has a culture of everything being available instantly, and so most security mechanisms (such as password reset) have to emphasise availability rather than confidentiality or integrity. A badly designed security mechanism can make things worse (imagine a rule that says you must change your password every day).

Overall, I am not sure either of these mechanisms would help. A simpler idea would be that GG have diverse contact data and they use all of them (email, letter to your CC billing address, banner in your GG dashboard, social media PM, etc) to tell you that a SIM swap has been requested; then there is less chance that a rogue SIM swap would go unnoticed long enough to be effective.

Edited
by: o7sagittarius
on: 08-01-2019 22:01

anything to stop scams from happening gets a thumbs up from me

by: adamtheant
on: 09-01-2019 10:47

I agree

by: leshin
on: 08-01-2019 21:03

Wicked idea

by: hunterchunk
on: 08-01-2019 15:41

Anything to increase security is a good thing, so yes I will vote for that

by: chinsndips
on: 08-01-2019 14:13

Great idea that can increase security!

by: adamtheant
on: 07-01-2019 23:09

agreed more security is needed and would be good