NatWest and Royal Bank of Scotland are going to change their security procedures as a direct consequence of an online break-in by BBC journalists who were investigating SIM swap fraud.
The BBC Radio 4 programme You and Yours was contacted by people who said they had been victims of SIM swap fraud, and decided to investigate for itself.
What is SIM swap fraud?
SIM swap fraud is when a criminal manages to divert a user’s phone number to a SIM under their control. They do that by pretending to be the user – using personal information acquired through everything from social media to the black market – and convincing the phone provider to transfer the phone number from the user’s SIM and re-activate it on one the criminal controls. This means that all calls and texts now go to the fraudster’s phone.
This is where banking comes in: since all texts now go to the fraudster’s phone, that includes the one-time “secure” codes (now ironically named) that the bank texts for transactions. All of this happens without the legitimate user’s knowledge.
The You and Yours investigation used the bank account of one of the programme’s producers as part of the experiment.
“I was able to break into her account without knowing her banking customer number, PIN or any passwords. I did not know her mother’s maiden name, her pet’s name or her first school, and yet I was still able to change her PIN and password to lock her out of her own account. That allowed me to transfer £1.50 to my own bank account, all because I had control of Natalie’s mobile phone.”
Chris Popple, managing director of NatWest Digital, said: “This is a cross-industry problem, particularly with us, and the telecom companies. We are working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be.”
Smishing – another issue?
This week, NatWest published a blog post warning about the dangers of smishing – a seemingly unrelated security issue.
“SMiShing is a form of phishing, when fraudsters send spoof text messages and emails to try and get your personal information. It’s not a new technique, but with the rise of smartphone use, it’s something we all need to look out for!”
We've had reports of phishing texts (smishing). Be on the lookout for anything suspicious popping up on your mobile https://t.co/CNnduWAVZC
— NatWest Help (@NatWest_Help) March 2, 2016
@NatWest_Help I just got one too… Shouldn't you be stopping this?! It comes from the same origin as genuine messages you've sent me
— Emily Brinley (@emilybrinley) March 3, 2016