
NatWest and Royal Bank of Scotland are going to change their security procedures as a direct consequence of an online break-in by BBC journalists who were investigating SIM swap fraud.
The BBC Radio 4 programme You and Yours was contacted by people complaining that they had been victims of SIM swap fraud, and decided to investigate for itself.
What is SIM swap fraud?
SIM swap fraud is when a criminal manages to divert a user’s phone number to a SIM in their control. They do that by pretending to be the user, with personal information acquired through everything from social media to the black market, and convincing the phone provider to transfer the phone number from the user’s SIM and re-activate it on one in their control. From then on, all calls and texts go to the fraudster’s phone.
This is where we get to the banking: since all texts now go to the fraudster’s phone, that includes the one-time secure codes (now ironically named) that the bank texts to authorise transactions. All of this happens without the legitimate user’s knowledge.
BBC investigation
The You and Yours investigation used the bank account of one of the programme’s producers as part of the experiment.
“I was able to break into her account without knowing her banking customer number, PIN or any passwords. I did not know her mother’s maiden name, her pet’s name or her first school, and yet I was still able to change her PIN and password to lock her out of her own account. That allowed me to transfer £1.50 to my own bank account, all because I had control of Natalie’s mobile phone.”
Chris Popple, managing director of NatWest Digital, said: “This is a cross-industry problem, particularly with us, and the telecom companies. We are working with Financial Fraud Action UK to make sure we’re communicating with each other … to make sure mobile phone security is as strong as it possibly can be.”
Smishing – another issue?
This week, NatWest published a blog post warning about the dangers of smishing, a seemingly unrelated security issue.
“SMiShing is a form of phishing, when fraudsters send spoof text messages and emails to try and get your personal information. It’s not a new technique, but with the rise of smartphone use, it’s something we all need to look out for!”
We've had reports of phishing texts (smishing). Be on the lookout for anything suspicious popping up on your mobile https://t.co/CNnduWAVZC
— NatWest Help (@NatWest_Help) March 2, 2016
@NatWest_Help I just got one too… Shouldn't you be stopping this?! It comes from the same origin as genuine messages you've sent me
— Emily Brinley (@emilybrinley) March 3, 2016