Cyber crime: SIM swapping, a new form of hacking

By Gerald Barr November 15, 2018

Who’s looking at you? Hackers can use your personal data to gain control of your SIM card and bank account.  Photo: Hivint, photopin

Hackers can access your bank account through SIM swapping before you can say two-tier authentication.


The ‘Hello Uncle’ phone call is a regular feature here, usually to your mobile phone, when a cheery youth declares “Hola tío, adivine quién le habla” – guess who’s calling? My reply is: “A fraudster trying to scam me out of my money, now sod off. Oh, and enjoy your jail time.”

This last bit is for extra effect, since many phone fraudsters are already in jail and have unlimited free time and stolen phones to cold-call Colombians and convince them to transfer money into a fake bank account.

This scam relies on two aspects of life in Colombia: many people come from such large families they can’t keep track of all their relatives (my wife has 57 cousins that she knows of, and some she doesn’t). And people here are generally good-natured when it comes to helping family.

So, the phisher’s script – that he/she is stuck in some remote place with some legal/vehicle/health crisis and urgently needs a nice uncle/aunt to stump up two million pesos – might well resonate in a sympathetic ear and elicit a small windfall.

But not from me. “I can handle these scams,” I think smugly. Until one day my wife accuses me of insulting her nephew on the phone. “Juan David called you to borrow some camping equipment. You told him to go to hell, then hung up. What’s going on?” Oops.

Fake jackpots

A few days later I find myself really reeled in with a convincing ‘you’ve won a car’ call, with real cheering in the background. Suave señor Héctor calms me down as I walk around the flat hyperventilating over the news that I am now the proud owner of a Chevrolet Aveo.

This chimes because I’m constantly filling in those supermarket ‘loyalty’ scheme forms which do involve someone, somewhere, eventually winning a car. And my cleaning lady’s mum had done just that. I’m on the hook.

After I have given señor Héctor all my personal data, he lists the freebies that come with the car: insurance, maintenance plan, full tank of fuel, etc. The car is ready to go and will be delivered to my door at…what was the address again? I remind him of my flat address.

Then for legal reasons he must ask me if I mind a publicity photo being taken when the car arrives? Well, of course not, I say. Make a movie for all I care. Then comes the catch.

“Also, for legal reasons, we must deliver the car to you on a trailer, it costs two million pesos, again for administrative reasons we must charge this to you separately. Are you happy to pay this small extra cost?” asks smooth Héctor.

“Well, of course, just tell me where to send the money…” I hear myself saying, before having a kind of out-of-body experience looking down at my silly self angrily hanging up. It’s just another scam.

Now my nagging thought is that in my lust for a free car I’ve given away too much information. As a self-confessed technophobe, IT worry-wort and all-round conspiracy theorist, I am constantly expecting to be drained of my lifelong savings by some geek in an attic somewhere in Eastern Europe. Or some incarcerated cyber-criminal. Or señor Héctor. Or all three.

But days, then weeks, then months go by and nothing happens.

Then I wake up to find three calls to my phone at midnight from three unknown numbers. Each call was two seconds long.

That’s weird

“That’s weird,” I think, “Wrong numbers.” Then at 9am the next day a man calls and asks for Alberto. “Sorry chum,” I say. Two minutes later my phone goes dead.

“That’s weird,” I think, maybe I forgot to pay the bill. I’ll check when I get home. Back home a few hours later, I check my e-mails and – crikey – there are ten messages from the bank issuing Claves Dinámicas – the second four-digit code to authorise transactions from my bank account. And none of them requested by me.

“That’s weird,” I think, as I call the phone company from my landline: my mobile account is paid up. So why is my phone blocked? “Because you replaced your SIM card at 9am, and it’s in another phone,” says the guy at the phone company. “I didn’t change my SIM card,” I say. “Yes, you did, it says so here in the system, at 9am.”

“That’s weird,” I tell the woman at the phone company office the next morning. “How can someone who’s not me get a new SIM card with my phone number? And then cut my phone off?”

She looks uncomfortable. “In theory it can only be requested by you and done by us, or one of our distributors.” Then it hits me that by ‘distributors’ she means hundreds of outlets all over Colombia including those dingy shops that carry the phone company logo and maybe gambling terminals, individual cigarettes (with a lighter hanging by a string), crates of Poker beer and megapacks of Cheetos.

I’ve nothing against such establishments, but I am concerned they have the power to cancel and reissue my phone line to a complete stranger. Especially when my bank now insists on sending a ‘dynamic’ code by text message to this same line every time I make an online transaction.

“So, this is a targeted fraud,” I say bluntly to the woman at the phone company. “The person who stole my phone number also accessed my bank account. Can I talk to your fraud team?”

“We don’t have a fraud team,” she says. “You’ll have to report it to the Fiscalía.”

This is bad news, since in all my previous run-ins with the public prosecutor’s office, I found nothing gets done in a hurry. In their defence, they are somewhat overworked and probably more interested in finding El Guacho than my SIM-card thief.

When I check my bank account, yes, fraudsters had accessed it. But by good luck, I had blocked the account before any funds were robbed. I visit my branch to advise them of the fraud and show them the evidence printed off from my computer. I’m met with a wall of indifference.

No warning

“Oh yes, we’ve heard of this,” says the advisor after an hour’s wait. “I warned my son about it,” she goes on. “What about your five million customers? Perhaps the bank should warn them,” I suggest. Meanwhile the bank is full of posters trying to get people to buy a monthly ‘cyber fraud’ insurance package to cover losses caused by the bank’s own negligence.

After some pushing, I am put on the phone to the bank’s fraud team. “Can you confirm your new address in Barranquilla?” asks the cyber crime expert. “I live in Bogotá, and have never even been to Barranquilla,” I tell him. But someone has entered a Barranquilla address on my online banking page. “Let’s note down the Barranquilla address as it might be linked to the fraudsters,” I suggest.  “Oops, I’ve just deleted it,” says the cyber crime expert.


“Never mind, can you please advise me how I can protect my SIM card from future swaps?” I say. “Update your browser software and make sure your antivirus is up to date,” he replies, clearly less technically competent than even me.

Next job is to check the promising-looking Colombian police Centro Cibernético website, but this opens up a whole new avenue of frustration. There is a link to ‘Cybersecurity Banking Recommendations’ that says “sorry, we have not found any information.” Other links end in a “request terminated abnormally” message.

There is nothing on SIM swaps but quite a lot on phishing. Never give out personal data online, says the website, before asking me to input all my personal data, e-mail, address and phone number to register so that I can make my online denuncia. I decline.

My last job is to get back my old phone line, but before that I just want to call it to see what happens. To my surprise it rings. Then goes to answerphone. I leave a message: “Enjoy your jail time carajos. I’m off fishing.”

Outfoxing the SIM swap fraudsters

As more and more companies send text messages to your mobile as part of their two-step authentication process, SIM swapping is a growing global problem. Also known as ‘Port Out Fraud’ and in Colombia as suplantación de SIM, hackers take over your phone and use it to take over your social media, online shopping and bank accounts.


Official advice on what to do if you receive a phone call from someone who may be trying to get money or information from you. Photo: Cámara de Comercio del Oriente Antioqueño

Fraudsters will already have the victim’s banking and personal details, which are often harvested through phishing, data leaks from banks, or malware. Some have been swapped or purchased on the dark web. They will also have your cell-phone number, your bank details and first-line PIN code.

The fraudsters then use your personal data to persuade phone company staff to issue a new SIM. Corrupt phone company staff might also be involved. With your SIM in their phone, your phone will be blocked and the criminals can receive your text messages, access your bank account, change your transfer limits, set up new linked accounts and drain your funds.

The scam often takes place when you are out of the country (that same holiday you bragged about on Facebook, right?) as you are less likely to notice your blocked phone.

How real is the threat? Very. In the US, the National Institute of Standards and Technology (NIST) has deemed ‘two-factor authentications’ sent to mobile phones unsafe and not to be used in the public sector.

Meanwhile in Colombia banks continue to promote the sending of a clave dinámica to mobiles as a safe system. They have not alerted customers to the risks, and refuse to reimburse funds stolen via SIM swapping. Phone companies have also been slow to advertise the problem. To date, the police have registered close to 1,500 SIM swap frauds, but there are likely thousands more unreported.

Local media have reported cases – and millions stolen – but the scam is still widely unknown.

So what to do?

Be aware: If your phone line suddenly stops working for no reason and gives you the message ‘Emergency Calls Only’, someone else could be using it. You need to act fast: cancel your mobile line with the phone company and block your accounts with the bank.

Set up a SIM PIN code: Though they rarely promote the feature, phone companies can set up a personal PIN code for any customer care requests involving your line and your SIM. This won’t guarantee against swaps but will reduce the risk.

Get safer mechanisms: Talk to your bank about alternatives to your phone and SIM for receiving your dynamic access codes. This could be to an email set up with its own two-step verification. Some services, like Google, let you remotely delete your mail account if your phone itself is stolen.

Regularly change your bank PIN code: You keep meaning to do it, right?

Install security apps: For some online services, e-mail and social media codes, try using specialised apps like Google Authenticator which do not rely on phone data.

And if you are a victim of any type of hacking or fraud, make sure you report it to your phone company and bank, and to the police’s Centro Cibernético Policial at caivirtual.policia.gov.co. You can make an online report and request a follow-up interview.

Of course, the cyber-scammers will also try and keep one step ahead, and so should you. But don’t say you weren’t warned!

 


Gerald Barr first crossed into Colombia at the wheel of a Mercedes truck in 1994 and has worked in many corners of the country. He is amazed and enchanted, but also frequently frustrated by ‘Locombia’: its crazy politics and its cultural quirks. He can’t live without it and now calls Bogotá his home. 
