Journalist investigation reveals mobile payments security flaws

NatWest and Royal Bank of Scotland are going to change their security procedures as a direct consequence of an online break-in by BBC journalists who were investigating SIM swap fraud.

The BBC Radio 4 programme You and Yours has been contacted by people complaining that they have been victims of this SIM-swap fraud and decided to investigate for itself.


What is SIM swap fraud?

SIM swap fraud is when a criminal manages to divert a user’s phone number to a SIM card under their own control. They do this by impersonating the user, using personal information gathered from sources ranging from social media to the black market, and convincing the phone provider to transfer the number from the user’s SIM and re-activate it on one they hold. From that point on, every call and text sent to that number reaches the fraudster’s phone.

This is where banking comes in: since every text now reaches the fraudster’s phone, so do the one-time “secure” codes (no longer deserving the name) that the bank sends by SMS to authorise transactions. All of this happens without the legitimate user’s knowledge.
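The weakness described above is that a bank sends its code to whatever SIM currently holds the number. One mitigation is to check how recently the SIM behind a number was changed before relying on SMS for a sensitive action, and to fall back to a stronger channel when it was. The following is an added illustration of that decision logic, not code from the BBC, NatWest or any bank; the per-number “last SIM change” timestamps are constructed sample data standing in for a lookup that a bank would obtain from the mobile operator (an assumption), and the action names and channels are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: when each number was last moved to a new SIM.
# A real deployment would obtain this from the operator (assumption, not a real API).
LAST_SIM_CHANGE = {
    "+447700900001": datetime(2016, 2, 1, tzinfo=timezone.utc),         # long-stable SIM
    "+447700900002": datetime(2016, 2, 14, 9, 30, tzinfo=timezone.utc),  # swapped a few hours ago
}

# Hypothetical action names for operations that must never rely on SMS alone
# when the SIM history looks suspicious (PIN/password resets, new payees, transfers).
HIGH_RISK_ACTIONS = {"reset_pin", "reset_password", "add_payee", "transfer"}

# Treat any SIM change inside this window as a SIM-swap risk signal.
SIM_CHANGE_WINDOW = timedelta(hours=48)


@dataclass
class Decision:
    channel: str  # "sms", "app_push" or "manual_review"
    reason: str


def sim_recently_changed(number: str, now: datetime) -> bool:
    """True if the SIM behind `number` changed within the window, or if we have no history.

    Unknown history is treated as untrusted: a missing record must not
    silently downgrade to "safe to text".
    """
    changed = LAST_SIM_CHANGE.get(number)
    if changed is None:
        return True
    return now - changed < SIM_CHANGE_WINDOW


def choose_verification(action: str, number: str, now: datetime) -> Decision:
    """Pick the verification channel for an action on the account tied to `number`.

    Low-risk actions keep using SMS. High-risk actions avoid SMS entirely and,
    if the SIM was changed recently, are held for manual review rather than
    confirmed through any channel that a SIM-swap attacker could control.
    """
    if action not in HIGH_RISK_ACTIONS:
        return Decision("sms", "low-risk action; SMS code acceptable")
    if sim_recently_changed(number, now):
        return Decision(
            "manual_review",
            "SIM changed within 48h or history unknown; an SMS code would reach the new SIM",
        )
    return Decision("app_push", "high-risk action; confirm in the registered banking app, not by SMS")


if __name__ == "__main__":
    now = datetime(2016, 2, 14, 12, 0, tzinfo=timezone.utc)
    for action, number in [
        ("check_balance", "+447700900002"),
        ("transfer", "+447700900001"),
        ("reset_pin", "+447700900002"),
        ("reset_password", "+447700900999"),
    ]:
        d = choose_verification(action, number, now)
        print(f"{action:15} {number}: {d.channel:14} ({d.reason})")
```

The important design choice is the order of the checks: the SIM-change signal is consulted before any code is generated, so a recently swapped number never receives the code at all, and a number with no history is treated the same way rather than being waved through.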


BBC investigation

The You and Yours investigation used the bank account of one of the programme’s producers as part of the experiment.

“I was able to break into her account without knowing her banking customer number, PIN or any passwords. I did not know her mother’s maiden name, her pet’s name or her first school, and yet I was still able to change her PIN and password to lock her out of her own account. That allowed me to transfer £1.50 to my own bank account, all because I had control of Natalie’s mobile phone.”

Chris Popple, managing director of NatWest Digital, said: “This is a cross-industry problem, particularly with us, and the telecom companies. We are working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be.”


Smishing – another issue?

This week, NatWest published a blog post warning about the dangers of Smishing – a seemingly unrelated security issue.

“SMiShing is a form of phishing, when fraudsters send spoof text messages and emails to try and get your personal information. It’s not a new technique, but with the rise of smartphone use, it’s something we all need to look out for!”

