UK Mobile Phones (uk.telecom.mobile) Mobile telephone equipment and networks.

#21
November 8th 18, 03:41 AM posted to uk.telecom.mobile
"Mobile phone shop staff 'enabling Sim swap scams'"

On Wed, 7 Nov 2018 08:46:47 +0000, Martin Brown
wrote:

On 06/11/2018 11:43, Chris in Makati wrote:
On Tue, 6 Nov 2018 08:57:10 +0000, Martin Brown
wrote:

On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB

Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:

The issue is providers dishing out new SIMs on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIMs have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.

They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?

It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an outgoing call that they are
only likely to notice a problem when their bank account is drained.


There has to be more involved to draining a bank account than simply
replacing someone's SIM. For one thing, you'd need to obtain the bank
logon details and password as well. The text message is only used as
an additional check to verify the logon.


Oh yes. I am assuming here that the miscreants have already got the
basic account number, sort code and password somehow by another means.
Weak password or careless owner using "open" Wifi or malware compromised
machine being the obvious vectors for that interception. The phone
hijack only works once the other parts are already in place by
defeating the supposedly secure 2FA security code sent by SMS.

I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crims can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...

The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.


How would the phone shop know what a "proper ID" for their customer
was if they didn't know the name of the rightful owner in the first
place?


That's the problem with PAYG SIMs being given away like confetti at
supermarket checkouts.


I'm not really sure what the BBC program was thinking should happen.
They made it appear that shops were being negligent by not asking for
photo ID, but in reality this wouldn't actually solve the problem in
many cases.

By the way, which banks still use SMS for two-factor authentication?

I know that HSBC, NatWest, Nationwide, Halifax, Barclays, and
Santander all do 2FA either using a security device or by generating a
code using their mobile app.

SMS 2FA seems to be somewhat obsolescent now.


#22
November 8th 18, 03:41 AM posted to uk.telecom.mobile

On Thu, 1 Nov 2018 01:13:32 -0700 (PDT), C
wrote:

On Wednesday, 31 October 2018 20:01:32 UTC, Java Jive wrote:
"Mobile phone shop staff 'enabling Sim swap scams'

Staff in mobile phone shops have become key to the execution of "Sim
swap" scams, Watchdog Live has discovered.

Undercover filming revealed that O2 and Vodafone employees are bypassing
basic ID checks and handing over replacement Sim cards to potential
criminals.

Once fraudsters gain control of a mobile number, they can intercept SMS
text messages from banks containing security codes.

Scammers have drained thousands of pounds from victims' bank accounts."

https://www.bbc.co.uk/news/business-46047714


Whenever we have an issue with Giffgaff - which uses the O2 network - they ALWAYS suggest a SIM swap even if issues relate to the network. Now we know why. What a fraud. CJB


Where's the fraud?

You can't walk into a Giffgaff shop to get a replacement SIM because
they don't have shops.

#23
November 8th 18, 11:36 AM posted to uk.telecom.mobile

On 08/11/2018 03:41, Chris in Makati wrote:
On Wed, 7 Nov 2018 08:46:47 +0000, Martin Brown
wrote:

On 06/11/2018 11:43, Chris in Makati wrote:
On Tue, 6 Nov 2018 08:57:10 +0000, Martin Brown
wrote:

On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB

Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:

The issue is providers dishing out new SIMs on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIMs have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.

They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?

It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an outgoing call that they are
only likely to notice a problem when their bank account is drained.

There has to be more involved to draining a bank account than simply
replacing someone's SIM. For one thing, you'd need to obtain the bank
logon details and password as well. The text message is only used as
an additional check to verify the logon.


Oh yes. I am assuming here that the miscreants have already got the
basic account number, sort code and password somehow by another means.
Weak password or careless owner using "open" Wifi or malware compromised
machine being the obvious vectors for that interception. The phone
hijack only works once the other parts are already in place by
defeating the supposedly secure 2FA security code sent by SMS.

I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crims can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...

The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.

How would the phone shop know what a "proper ID" for their customer
was if they didn't know the name of the rightful owner in the first
place?


That's the problem with PAYG SIMs being given away like confetti at
supermarket checkouts.


I'm not really sure what the BBC program was thinking should happen.
They made it appear that shops were being negligent by not asking for
photo ID, but in reality this wouldn't actually solve the problem in
many cases.

By the way, which banks still use SMS for two-factor authentication?

I know that HSBC, NatWest, Nationwide, Halifax, Barclays, and
Santander all do 2FA either using a security device or by generating a
code using their mobile app.

SMS 2FA seems to be somewhat obsolescent now.


Santander still use SMS for 2-factor authentication for the web site.

Dave
#24
November 8th 18, 03:35 PM posted to uk.telecom.mobile

On 08/11/2018 03:41, Chris in Makati wrote:

Where's the fraud?

You can't walk into a Giffgaff shop to get a replacement SIM because
they don't have shops.


Yes they do, every supermarket checkout.


--
Ria in Aberdeen

[Send address is invalid, use sipsoup at gmail dot com to reply direct]
#25
November 8th 18, 05:44 PM posted to uk.telecom.mobile

On 08/11/2018 15:35, MissRiaElaine wrote:
On 08/11/2018 03:41, Chris in Makati wrote:

Where's the fraud?

You can't walk into a Giffgaff shop to get a replacement SIM because
they don't have shops.


Yes they do, every supermarket checkout.


Not where they carry out SIM swaps....


#26
November 17th 18, 04:15 AM posted to uk.telecom.mobile

On Thu, 8 Nov 2018 11:36:11 +0000, David Wade
wrote:

On 08/11/2018 03:41, Chris in Makati wrote:
On Wed, 7 Nov 2018 08:46:47 +0000, Martin Brown
wrote:

On 06/11/2018 11:43, Chris in Makati wrote:
On Tue, 6 Nov 2018 08:57:10 +0000, Martin Brown
wrote:

On 01/11/2018 10:04, R. Mark Clayton wrote:
On Thursday, 1 November 2018 09:40:37 UTC, Martin Nicholas wrote:
On Thu, 1 Nov 2018 02:13:29 -0700 (PDT) SB
wrote:

Giffgaff (run on O2) allow SIMs to be ordered online - no
questions asked. Wide open to fraudsters. CJB

Not to a SIM swap attack though.

-- Regards,

Martin Nicholas.

E-mail:

The issue is providers dishing out new SIMs on existing numbers,
which are then 'hi-jacked' by the fraudster.

A lot of SIMs have needed swapping recently because either a new
phone has a smaller slot or to gain access to 4G.

I would have thought however that the real subscriber would notice
when service ceased on the old SIM and their phone stopped working.

They will eventually and they should be sent a text when the switchover
occurs but several of the target phones that the testers used were not.

Is the network or the subscriber victim responsible for the losses that
arise from an inadequate two factor authentication by the bank leading
to theft of the phone number and access to the second factor code?

It tends to mostly affect light users on PAYG contracts who may go many
days without ever using their mobile if the amounts of spend per year
they claim to have are to be believed. They might notice no-one has rung
them up for a while but so rarely make an outgoing call that they are
only likely to notice a problem when their bank account is drained.

There has to be more involved to draining a bank account than simply
replacing someone's SIM. For one thing, you'd need to obtain the bank
logon details and password as well. The text message is only used as
an additional check to verify the logon.

Oh yes. I am assuming here that the miscreants have already got the
basic account number, sort code and password somehow by another means.
Weak password or careless owner using "open" Wifi or malware compromised
machine being the obvious vectors for that interception. The phone
hijack only works once the other parts are already in place by
defeating the supposedly secure 2FA security code sent by SMS.

I suspect the real issue here is that it is very easy to obtain a
working [P&G] SIM on any network without any ID checks. Crims can
then put them in second hand phones bought in market stalls etc. and
no-one knows who is using the phone. So probably a preamble to
requiring full ID when buying a phone or SIM so that the state can
keep tabs on you...

The problem stems from helpful sales people giving away SIMs on existing
numbers to plausible sob story cases without ever seeing the proper ID.
The weakness is one of human factors with the sales staff trying to be
too helpful in the face of clever social engineering attacks.

How would the phone shop know what a "proper ID" for their customer
was if they didn't know the name of the rightful owner in the first
place?

That's the problem with PAYG SIMs being given away like confetti at
supermarket checkouts.


I'm not really sure what the BBC program was thinking should happen.
They made it appear that shops were being negligent by not asking for
photo ID, but in reality this wouldn't actually solve the problem in
many cases.

By the way, which banks still use SMS for two-factor authentication?

I know that HSBC, NatWest, Nationwide, Halifax, Barclays, and
Santander all do 2FA either using a security device or by generating a
code using their mobile app.

SMS 2FA seems to be somewhat obsolescent now.


Santander still use SMS for 2-factor authentication for the web site.


You don't use SMS 2FA for logging into the web site. You log in with
selected characters taken from your Security Number and Password.

SMS 2FA is only used for things like adding new payees, but in order
to get that far you would have had to log into the account in the
first place. Hijacking someone's phone wouldn't get you anywhere.

#27
November 17th 18, 04:15 AM posted to uk.telecom.mobile

On Thu, 8 Nov 2018 15:35:11 +0000, MissRiaElaine
wrote:

On 08/11/2018 03:41, Chris in Makati wrote:

Where's the fraud?

You can't walk into a Giffgaff shop to get a replacement SIM because
they don't have shops.


Yes they do, every supermarket checkout.


You can buy a new SIM in a supermarket, but not replace an existing
one, which is what this issue is about.

Like I said, Giffgaff don't have physical stores where you can walk in
and get a replacement SIM as you can with other network providers.


All times are GMT.