To make online purchases and receiveSMS notifications about all operations that occur on bank cards, any client can connect a mobile bank. To do this, you need to link the phone number to the bank account. This procedure makes our life much easier, but it opens up great opportunities for fraud.
On the black market on the web you can find and buya variety of information about users - starting with property data and ending with passport data and phone numbers. A fraudster can apply with this information and a fictitious power of attorney to a remote communications salon, for example, in another region, and re-issue the victim’s SIM card. The pretext for appeal can be anything from a fictional loss of the phone to the same mythical damage to the SIM card. After re-issuing the SIM card, one-time passwords for the mobile bank will stop coming to the victim, and will start coming to her. When the bank sees that the unique SIM card identifier (IMSI) has changed, it blocks operations until the SIM card re-issue is confirmed. To remove the lock, attackers need to get a code word that only the cardholder knows. To do this, they can resort to telephone fraud - vishing: attackers, using telephone communication and playing a certain role (for example, a bank employee), under various pretexts, entice confidential information from a bank card holder or stimulate certain actions with their account or card). If this step is successfully passed, attackers get the opportunity to dispose of the victim’s money.
“SIM card remains one of the most vulnerable placesin the protection of personal data - cloning a SIM card gives attackers wide access to almost all services, instant messengers, mobile banking, etc. Cybercriminals can hunt not only for star accounts on social networks for further blackmail and extortion, recently they also often use a copy SIM cards to access online banks and steal money. We recommend working ahead of schedule: write a prohibition on re-issuing a SIM card without a power of attorney at the post office - you can order delivery only in one pre-installed office of the mobile operator and only personally in your hands. Never tell anyone CVV, a code word or code from SMS, either by phone or chat with a “bank employee”. Pay attention to SMS: they may contain information that the SIM card was reissued, or about attempts to gain access to the online bank - in this case, you need to immediately contact the mobile operator and the bank, ”said Ilya Rozhnov, Group Development Manager -IB Brand Protection in Singapore.
“Unfortunately, from fraudulent reissuanceSIM cards by conspiracy with employees of mobile phone salons the user can not defend themselves. But we will try to give a couple of recommendations on how to protect ourselves in the event of this risk. After all, why are they “stealing” SIM cards? In the vast majority of cases, this is done to gain access to the second authentication factor in payment applications. In this regard, we would advise users of the following. Firstly, in most banks, you can choose as the second authentication factor not SMS, but push notifications, which are transmitted via an encrypted communication channel. Thus, the user is insured that in the event of a “hijacking" of a SIM card, someone will receive a second authentication factor. Secondly, for banking operations, you can get a separate SIM card, which can only be used for these purposes. It’s advisable to apply it to someone from relatives or acquaintances so that it is impossible to associate a phone number with a client whose attackers want to crack a bank account by re-issuing a SIM card, ”said Daniil Chernov, head of Rostelcom Solar, Solar appScreener.
Roskachestvo, together with cybersecurity experts, has prepared several important rules that must be followed in order not to become a victim of fraud.
1. Write a statement in a mobile phone salon prohibiting the reissue of a SIM card without your personal participation. Agree with your mobile operator to limit the issuance of copies of your
SIM card or the only strictly defined department where you can order the issuance of a SIM card in person.
2. Get a separate SIM card for working with a mobile bank and do not tell anyone and do not publish this number anywhere.
3.Do not tell anyone the CVV code, code word or code from SMS, either by phone or chat with a “bank employee”. Call back personally to the bank by the number indicated on the website or on the back of the card, and only then give the code word.
four.Closely follow SMS about blocking SIM cards or re-release. This is really important, because the client usually has a day to contact the salon and the bank so that the fraudster does not have time to do anything.
5. Ignore SMS with a request to call back to the bank at the specified number.
6. Do not trust the interlocutor who introduced himself as a bank employee, even if he calls from a bank number - the number change services have gone far ahead. Call the bank yourself.
7. Do not upload photos and scans of your documents on social networks.
8. Create complex and different passwords on all resources used.
9. Carefully filter what you write in private messages. Remember that all the details of the correspondence may fall to attackers
The press service of Megafon stated the following: “After replacing the SIM card, we block incoming SMS messages for a day. Even if a fraudster can re-issue a SIM card, within 24 hours he will still not be able to receive a one-time password confirming a banking operation on it. For the subscriber, this time is enough to understand that he has communication problems, contact the operator and cancel the fraudulent replacement of the SIM card. We offer banks a special product “Status”, which allows any bank to receive real-time information about replacing a SIM card and thus stop fraudulent payments and protect their customers from fraud. ”
The press service of Sberbank emphasized that the mostreliable protection for customers is awareness, vigilance and caution. If you suspect fraud, it is recommended that you immediately transfer the information to the bank. On the website page, they posted cybersecurity rules.
Meanwhile, on Wednesday, the network media site BanksToday ”was hijacked precisely through the re-release of the SIM card. Having a phone number in their hands, scammers regained access to the email of the domain owner. The fraudster immediately changed the password from the mail and changed the attached mobile phone number. After that, the site was easily “hijacked”.
“This type of fraud is far from new, it is lesscommon, unlike phishing or phone fraud, and requires more preparation from scammers. Often, they combine re-issuance of SIM cards with phishing or fraud over the phone to obtain missing information from the victim.
Source: press release Rosskachestvo