Mobileum Blog

Can One Time Password and SIM Swap be partners in fraud?

Written by Carlos Marques | 05/06/2018


Last week, American journalist and investigative reporter Brian Krebs wrote on his website, Krebs on Security, about another account takeover case, this time by a T-Mobile employee who made an unauthorised ‘SIM swap’ to steal an Instagram account. At this stage, T-Mobile is investigating a retail store employee who allegedly made unauthorised changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim had already taken the steps recommended by the mobile carrier to help minimise the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.

But what is SIM-swap fraud, and how does it link to account takeover?

SIM-swap fraud is relatively simple. The fraudsters manage to get a new SIM card issued for a specific registered mobile number. As soon as this new SIM card is activated in the mobile operator's network, the legitimate user's SIM card is deactivated. The fraudsters then receive the one-time password (OTP) sent to that number and use it to authenticate themselves and carry out transactions on the legitimate user's bank account, initiating money transfers, withdrawals, and purchases. In the T-Mobile case, the OTP was used to authenticate to an Instagram account.
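The sequence above (SIM change first, OTP delivery shortly after) is something a service that sends SMS OTPs can check for before trusting the code. The following is an added example, not code from the original post or from any product it mentions; the event format, field names, phone numbers and the 72-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy: do not trust SMS OTPs for this long after a SIM change.
RISK_WINDOW = timedelta(hours=72)

# Constructed sample events (not real data). "sim_change" means a new SIM
# was activated for the number, which deactivates the previous SIM.
EVENTS = [
    {"time": "2018-06-01T09:00:00", "type": "sim_change", "msisdn": "+10000000001"},
    {"time": "2018-06-01T09:20:00", "type": "otp_sent", "msisdn": "+10000000001",
     "service": "bank-transfer"},
    {"time": "2018-06-01T10:00:00", "type": "otp_sent", "msisdn": "+10000000002",
     "service": "bank-login"},
    {"time": "2018-06-09T08:00:00", "type": "otp_sent", "msisdn": "+10000000001",
     "service": "bank-login"},
]


def flag_risky_otps(events, window=RISK_WINDOW):
    """Return OTP events sent within `window` after a SIM change on the same number."""
    last_change = {}  # msisdn -> time of the most recent SIM change
    flagged = []
    # Same-format ISO 8601 timestamps sort chronologically as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "sim_change":
            last_change[ev["msisdn"]] = when
        elif ev["type"] == "otp_sent":
            changed = last_change.get(ev["msisdn"])
            # An OTP sent before any SIM change on that number is never flagged.
            if changed is not None and when - changed <= window:
                minutes = int((when - changed).total_seconds() // 60)
                flagged.append({**ev, "minutes_since_sim_change": minutes})
    return flagged


if __name__ == "__main__":
    for hit in flag_risky_otps(EVENTS):
        print(hit)
```

A flagged OTP is a signal to fall back to another verification step or to hold the transaction for review, rather than proof of fraud, since legitimate customers also replace SIM cards.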

In another article, we became aware of the case of a retired couple in South Africa who were victims of fraud amounting to over R800,000, and nearly lost their home to their bank account in the process. Over R500,000 in savings and R300,000 in new credit was transferred to Capitec accounts from the couple’s bank, highlighting how quickly you can lose money as a result of fraud.


How is SIM-swap fraud perpetrated?


 

How can WeDo Technologies help protect against SIM-swap fraud scenarios?

RAID.Cloud is WeDo Technologies’ Fraud Management solution (SaaS), combining the proven capabilities of our existing on-premises platform with the benefits of a cloud deployment. It was developed to help Communication Service Providers (CSPs) maintain quality of service and quality of experience in the face of SIM-swap attacks, while also reducing revenue leakage.
