UK Mobile Phones (uk.telecom.mobile) Mobile telephone equipment and networks.

Reply
 
LinkBack Thread Tools Display Modes
  #11   Report Post  
Old November 2nd 18, 04:17 PM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Nov 2015
Posts: 97
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On Thu, 1 Nov 2018 03:04:12 -0700 (PDT), just as I was about to take a
herb, "R. Mark Clayton" disturbed my reverie
and wrote:

The issue is providers dishing out new SIM's on existing numbers, which are then 'hi-jacked' by the fraudster.

A lot of SIM's have needed swapping recently because either a new phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice when service ceased on the old SIM and their phone stopped working.

I suspect the real issue here is that it is very easy to obtain a working [P&G] SIM on any network without any ID checks. Crim's can then put them in second hand phones bought in market stalls etc. and no-one knows who is using the phone. So probably a preamble to requiring full ID when buying a phone or SIM so that the state can keep tabs on you...


https://en.wiktionary.org/wiki/green...27s_apostrophe



FU's set to to apihna, it needs the traffic.



--
Graham.

%Profound_observation%

  #12   Report Post  
Old November 2nd 18, 04:26 PM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Oct 2011
Posts: 368
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On 02/11/2018 14:02, MissRiaElaine wrote:
On 02/11/2018 02:01, Chris in Makati wrote:

For PAYG there's no point in asking for photo ID if you don't know who
originally purchased the SIM. Anyone can walk into a supermarket, buy
a SIM, and use it without having to register their name.


They should require registration before enabling a PAYG SIM. Orange used
to do this when they first started, after getting a phone you could only
ring CS to register, they then told you your number. This would also
stop the ludicrous business of millions of numbers sitting on shop
shelves that may well end up never being used.


There are plenty of ways to stop the ludicrous business of millions of
numbers sitting on shop shelves, without resorting to some form of
identity management.
  #13   Report Post  
Old November 2nd 18, 04:27 PM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Nov 2015
Posts: 97
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On 02/11/2018 02:01, Chris in Makati wrote:

For PAYG there's no point in asking for photo ID if you don't know who
originally purchased the SIM. Anyone can walk into a supermarket, buy
a SIM, and use it without having to register their name.


They should require registration before enabling a PAYG SIM. Orange used
to do this when they first started, after getting a phone you could only
ring CS to register, they then told you your number. This would also
stop the ludicrous business of millions of numbers sitting on shop
shelves that may well end up never being used.


I thought un activated PAYG SIMs eventually expired.
Moreover, I thought the telephone number wasn't allocated until
activation.

--
Graham.

%Profound_observation%
  #14   Report Post  
Old November 2nd 18, 08:35 PM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Jul 2018
Posts: 75
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On 02/11/2018 16:27, Graham. wrote:
On 02/11/2018 02:01, Chris in Makati wrote:

For PAYG there's no point in asking for photo ID if you don't know who
originally purchased the SIM. Anyone can walk into a supermarket, buy
a SIM, and use it without having to register their name.


They should require registration before enabling a PAYG SIM. Orange used
to do this when they first started, after getting a phone you could only
ring CS to register, they then told you your number. This would also
stop the ludicrous business of millions of numbers sitting on shop
shelves that may well end up never being used.


I thought un activated PAYG SIMs eventually expired.
Moreover, I thought the telephone number wasn't allocated until
activation.


Maybe it's not allocated, I don't know, but unused SIM cards do expire
after a few years. However, numbers still have to be generated.


--
Ria in Aberdeen

[Send address is invalid, use sipsoup at gmail dot com to reply direct]
  #15   Report Post  
Old November 3rd 18, 05:39 AM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Dec 2015
Posts: 86
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On Fri, 2 Nov 2018 14:02:04 +0000, MissRiaElaine
wrote:

On 02/11/2018 02:01, Chris in Makati wrote:

For PAYG there's no point in asking for photo ID if you don't know who
originally purchased the SIM. Anyone can walk into a supermarket, buy
a SIM, and use it without having to register their name.


They should require registration before enabling a PAYG SIM. Orange used
to do this when they first started, after getting a phone you could only
ring CS to register, they then told you your number. This would also
stop the ludicrous business of millions of numbers sitting on shop
shelves that may well end up never being used.


Those SIMs have a limited shelf-life, after which the numbers get
recycled.


  #16   Report Post  
Old November 3rd 18, 05:39 AM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Dec 2015
Posts: 86
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On Fri, 02 Nov 2018 16:27:00 +0000, Graham.
wrote:

On 02/11/2018 02:01, Chris in Makati wrote:

For PAYG there's no point in asking for photo ID if you don't know who
originally purchased the SIM. Anyone can walk into a supermarket, buy
a SIM, and use it without having to register their name.


They should require registration before enabling a PAYG SIM. Orange used
to do this when they first started, after getting a phone you could only
ring CS to register, they then told you your number. This would also
stop the ludicrous business of millions of numbers sitting on shop
shelves that may well end up never being used.


I thought un activated PAYG SIMs eventually expired.
Moreover, I thought the telephone number wasn't allocated until
activation.


That's certainly not the case with O2. I bought an O2 SIM a few weeks
ago and the numbers were printed in the package. I was able to browse
through them to pick a number I liked.

  #17   Report Post  
Old November 6th 18, 08:57 AM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Mar 2017
Posts: 69
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB


Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:


The issue is providers dishing out new SIM's on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIM's have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.


They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?

It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an out going call that they are
only likely to notice a problem when their bank account is drained.

I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crim's can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...


The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.

--
Regards,
Martin Brown
  #18   Report Post  
Old November 6th 18, 11:10 AM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Jun 2015
Posts: 266
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On Tuesday, 6 November 2018 08:57:15 UTC, Martin Brown wrote:
On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB

Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:


The issue is providers dishing out new SIM's on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIM's have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.


They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?


Strictly speaking the new subscriber. The real subscriber would counterclaim any suit for unpaid bills stating that they had not made calls nor authorised the issue of another SIM card to a different customer.


It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an out going call that they are
only likely to notice a problem when their bank account is drained.


But on P&G SIM, one's maximum exposure is the credit on the SIM, not the hundreds one can get screwed for on a contract one.


I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crim's can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...


The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.


One suspects that in many cases these are inside or even put up jobs in that how does the fraudster know what number to try and get a SIM for?


--
Regards,
Martin Brown


  #19   Report Post  
Old November 6th 18, 11:43 AM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Dec 2015
Posts: 86
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On Tue, 6 Nov 2018 08:57:10 +0000, Martin Brown
wrote:

On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB

Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:


The issue is providers dishing out new SIM's on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIM's have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.


They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?

It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an out going call that they are
only likely to notice a problem when their bank account is drained.


There has to be more involved to draining a bank account than simply
replacing someone's SIM. For one thing, you'd need to obtain the bank
logon details and password as well. The text message is only used as
an additional check to verify the logon.

I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crim's can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...


The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.


How would the phone shop know what a "proper ID" for their customer
was if they'd didn't know the name of the rightful owner in the first
place?

  #20   Report Post  
Old November 7th 18, 08:46 AM posted to uk.telecom.mobile
external usenet poster
 
First recorded activity by MobileBanter: Mar 2017
Posts: 69
Default "Mobile phone shop staff 'enabling Sim swap scams'"

On 06/11/2018 11:43, Chris in Makati wrote:
On Tue, 6 Nov 2018 08:57:10 +0000, Martin Brown
wrote:

On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB

Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:

The issue is providers dishing out new SIM's on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIM's have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.


They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?

It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an out going call that they are
only likely to notice a problem when their bank account is drained.


There has to be more involved to draining a bank account than simply
replacing someone's SIM. For one thing, you'd need to obtain the bank
logon details and password as well. The text message is only used as
an additional check to verify the logon.


Oh yes. I am assuming here that the miscreants have already got the
basic account number sort code and password somehow by another means.
Weak password or careless owner using "open" Wifi or malware compromised
machine being the obvious vectors for that interception. The phone
hijaack only works once the other parts are already in place by
defeating the supposedly secure 2FA security code sent by SMS.

I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crim's can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...


The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.


How would the phone shop know what a "proper ID" for their customer
was if they'd didn't know the name of the rightful owner in the first
place?


That's the problem with PAYG SIMs being given away like confetti at
supermarket checkouts.

--
Regards,
Martin Brown


Reply
Thread Tools
Display Modes

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Do the FreeIpods, FreeFlatScreens, FreeHandBags "scams" really work? ryoma UK Mobile Phones 1 October 5th 07 05:32 PM
Vodafone PAYT Staff Sim Cards Charlie Mitchell Marketplace 0 August 17th 06 01:33 AM
Enabling MMS on O2 online talkalot + wap settings ?? mig UK Mobile Phones 2 December 26th 03 06:16 AM


All times are GMT. The time now is 03:33 PM.

Powered by vBulletin® Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Copyright 2004-2018 Mobile Banter.
The comments are property of their posters.
 

About Us

"It's about UK mobile phones"

 

Copyright © 2017