Too "Smart" To Be Secure

Being a loyal Amazonian, I have Amazon Prime and even use their Amazon Prime Credit Card because of the 5% back or 6-months same as cash. (Plus the instant $70 statement credit you get for opening the account) I pay it in full each month, so I truly get the 5% back without paying any interest. The card is through Synchrony and of course, there are mobile apps to check your balance and other options. One option is the ability to display your full card number, CCV and Exp Date by swiping up in the app. I accidentally swiped up one day and I got a verification challenge screen. Good for Amazon/Synchrony, right? Wrong.

They listed the last four numbers of two different numbers to receive my 2FA code on: the first one was not mine, and was selected by default and then mine was listed under that one.

I went to my account profile and double-checked, and that first number was not associated with my account. I then realized those last four numbers belonged to my brother's phone, which I added on my Verizon account.

After going through two live chats, then a customer service rep telling me “just ignore it and choose the correct number,” I talked with a manager who said that they use a third party to garnish the phone numbers in your name and those numbers are presented for 2FA authorization! She said that was to make it easy for people to have 2FA without having to set it up!

So…anyone that has a phone in my name can now pass the 2FA for MY credit account! Generally, you’d hope family wouldn’t screw you over, but I was thinking of children trying to buy things without permission or maybe even your buddy, whom you added to your account because with 4 lines, each line becomes extremely cheap for each line.

Huge security FAIL in my opinion.

7 Likes

2FA through SMS or similar methods is a melody of the past that will cause many problems.

At work, we had a contract related to a small bank and a bank client who was robbed of quite large amounts.

The bank sent authorization codes via SMS to the customer’s number. On the other hand, criminals were able to obtain duplicate SIM cards at GSM customer service points without major problems and documents. The prosecutor is of the opinion that several employees of the GSM operator took bribes for turning a blind eye to the procedures for issuing duplicate SIM cards. The problem is that the victim is unaware that a duplicate SIM card is active in the wild. Criminals collect data on potential victims in various ways and attack selected targets.

On July 13 a client of the Bank, whom we will call Thomas, came to us. Very large sums of money were withdrawn from Thomas’s company account by SORBNET express transfer (the account was virtually cleared to zero). In this case, the pace of events was interesting. Thomas and his wife noticed a SIM card failure in the phone, and 40 minutes later the bank contacted them asking about suspicious transactions.

Despite such rapid reaction of the Bank’s employees, the money disappeared and the bank promised Thomas a response to the complaint within 30 days (or even 60 days if the case turned out to be complicated). Let’s give voice to Thomas:

I was robbed of very large sums of money. Several unauthorized transfers. Of course, the matter was detected by the Bank in a few moments (I received a phone call from the Bank - I think I have no certainty, I have suspicion) and a question about the phone failure and whether I made large transfers.
On the information that yes the failure of my wife’s SIM card occurred about 40 minutes ago and that I did not make transfers or my wife, I received information about the fact of probably hacking our account and a recommendation that I should also report it urgently to the Police.
After checking the account, I found that all our money flowed from the account by two express transfers. Really big. Several hundred thousand. Within half an hour later, I was already at the Police and, even while still at the Police, during the notification process, I simultaneously submitted a complaint via the official channel on the Bank’s hotline.
Yesterday afternoon, the spouse received a duplicate SIM card in the customer’s salon because the phone still did not work. I associated the fact of asking a Bank employee about a telephone failure and checked when a duplicate had been made before. It turned out that it was performed yesterday half an hour before the money was transferred. Unfortunately, the GSM employee did not want (probably could not) provide me with information where, at what point of customer service and on what basis the duplicate was issued. He informed me that the prosecutor’s office must address this.

What an irony of fate, thieves surprisingly easily extort something by impersonating a client, and then a real client is denied information about activities performed on his behalf. We asked GSM whether information about receiving a SIM card should be given, and if not, why? A GSM spokesperson believes that this could have been an employee’s mistake.

We have no internal guidelines regarding the provision or not of information to the customer about issuing a SIM card. If the customer is verified in accordance with our standard, he should receive such information. Not knowing the details of this particular case, I cannot answer whether our advisor made a mistake or, e.g. the client did not provide sufficient information for correct verification.

The thief somehow obtained the victim’s login and password to the bank. It is not known how: whether it was malware on the victim’s computer or phishing.

Note that in the case of real banking Trojans, after the victim’s computer has been infected, the criminal does not need access to his telephone. In most cases, the “Man in the Browser” attack is enough, which means waiting for the victim to order some payment and changing the amount and/or destination account in the background. It is connected with the risk of slip-up - the Bank informs in the SMS about the amount and the target account of the transaction. Perhaps the criminals, seeing large sums on the victim’s account, did not want to risk mishaps and “burning” such a rich client.

On the other hand, in the case of phishing, if the victim was naïve enough to provide a login and password, they are usually asked to rewrite the code from the SMS and the victims do so. Such an attack requires, however, in most cases manual operation and perhaps the criminals after stealing the password simply failed to order the transaction and receive the code from the SMS.

The duplicate SIM card was extorted in another city, at a physical customer service point, and the thief used a fake ID (so-called collector cards can be ordered online for around $77).
We will notice that if criminals had time to counterfeit or order an ID, it means that they had known the login and password for a long time.
The money from the Thomas account was first transferred to the account of another bank, and from there it was supposed to go to the BitBay cryptocurrency exchange. However, the transfer was stopped in time.

All in all, only the Bank’s quick response saved Thomas from losing cash. And although the money left the bank, and the Bank mentioned 60 days of considering the complaint, it was finally blocked in another bank and as we can see from our conversation with Thomas, it has already been returned. In less than 10 days. This means that the cooperation on the Bank-other bank-BitBay line was very efficient.

We don’t know what caused the Bank employee to call Thomas. Whether the decisive factor in flagging the transaction was the transfer of a large amount by fast transfer, transfer to an unknown account, or maybe performing these operations from the new IP address.

Theft from the bank because T-Mobile issued a duplicate SIM card. In January, a woman came to us whose bank account had been robbed because T-Mobile gave the thieves a duplicate of her SIM card. Interestingly, here the scammer extorted a duplicate at a “physical” customer service point, not on the basis of a fake ID, but on the basis of a notary authorization (of course, counterfeit). To make it funnier, the notary indicated on the authorization did not even exist, and besides, the woman’s ID number did not match the one given on the authorization.

The thief using the duplicate SIM card obtained “start codes” and login to the bank account. The thief most likely pretended on the bank’s hotline that he had forgotten his login details and requested to be re-sent / reminded.

After the theft of funds from a bank account, the criminal also tried to get to the other woman’s account in another bank, without success. Thanks to the acquaintances, information was obtained in which customer service point the SIM card was received. Apparently, this was not the only case at this particular point of customer service. But this is not the end of shocking information about this incident. Sit comfortably.

The woman’s daughter did the same as the thieves … At the time the theft occurred, the woman was abroad. She left her phone with her daughter. The daughter, unaware of the theft, one day noticed that the SIM card in the phone stopped working. So she called the T-Mobile customer service, pretended to be her mother and asked to send a new SIM card by courier to the address of her company (not related to her mother). The courier who arrived with a duplicate card did not check the daughter’s documents and gave her a package with a SIM card. When asked whether an ID card would be needed to collect the package, the courier was surprised to reply that “absolutely, there is no need, because the sender of the package does not require it”.

This is amazing! The daughter of the victim of the SIM card fraud has extorted the SIM card herself to help her mother.

She discovers how easy it was to rob her. When the woman returned to the country, she could not get into her account (the fraudster changed the password). So the woman obtained starting codes by calling the bank’s helpline. Then she discovered how she was robbed. The procedure required answering three questions regarding personal data.

first three digits of ID,
method of transfer authorization - SMS or token?,
correspondence address.

Where did the thief get this information? Well, the victim’s details, ID and address were in a public register, so the scammer simply read them. Just like any of you could do. When it comes to the method of authorization of transfers, it is quite obvious that most people use SMS authorization.

Despite these shortcomings, the Bank refused to accept the complaint. The bank offered a settlement only when the woman went to court.

Of course, we asked both T-Mobile and the Bank about this matter. In particular, we wanted to confirm whether, for example, several cases of SIM card fraud were recorded in this one customer service point, or whether getting start codes from the bank’s hotline is actually so simple. We gave both companies a lot of time to answer, but for half a year we didn’t receive a response.

Making a duplicate of the SIM card and using it to steal money is also popular abroad. Already in 2013, such attacks were pointed out as becoming more and more popular… Motherboard wrote about the “SIM swap fraud” problem. Interestingly, criminals are taking over not only bank accounts.
You should know that the takeover of someone else’s number by a clone of the SIM card can mean not only clearing the bank account but also taking over other accounts, generally wherever SMS acts as an element of authorization or authentication.

4 Likes
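
The signals the post above mentions (a large express transfer, an unknown payee, a new IP address, and a duplicate SIM issued half an hour before the transfers) combined into one bank-side check, as an added example that is not part of the original post or any bank's actual logic. It assumes the bank can learn from the operator when a number's SIM was last changed; `assess`, the thresholds and all sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_CHANGE_WINDOW = timedelta(hours=72)  # assumed policy value
LARGE_AMOUNT = 50_000                    # assumed threshold

@dataclass
class Transfer:
    account: str
    when: datetime
    amount: int
    express: bool
    payee: str
    source_ip: str
    otp_number: str  # phone number the SMS code was sent to

def assess(t, known_payees, known_ips, last_sim_change):
    """Return (decision, reasons) for a transfer confirmed with an SMS code."""
    reasons = []
    changed = last_sim_change.get(t.otp_number)
    sim_recent = (changed is not None
                  and timedelta(0) <= t.when - changed <= SIM_CHANGE_WINDOW)
    if sim_recent:
        reasons.append("sim_changed_recently")
    if t.express and t.amount >= LARGE_AMOUNT:
        reasons.append("large_express_transfer")
    if t.payee not in known_payees.get(t.account, set()):
        reasons.append("unknown_payee")
    if t.source_ip not in known_ips.get(t.account, set()):
        reasons.append("new_ip")
    # After a SIM change the SMS code no longer shows who holds the number,
    # so the transfer is held for an out-of-band check whatever else is true.
    if sim_recent:
        return "hold", reasons
    return ("step_up" if len(reasons) >= 2 else "allow"), reasons

def demo():
    """Constructed sample data: duplicate SIM issued 30 minutes before the transfer."""
    t0 = datetime(2000, 1, 1, 12, 0)
    payees = {"ACC-1": {"PAYEE-RENT"}}
    ips = {"ACC-1": {"203.0.113.10"}}
    sim = {"+000000001": t0 - timedelta(minutes=30)}
    fraud = Transfer("ACC-1", t0, 300_000, True, "PAYEE-NEW", "198.51.100.7", "+000000001")
    usual = Transfer("ACC-1", t0, 1_200, False, "PAYEE-RENT", "203.0.113.10", "+000000002")
    return [assess(x, payees, ips, sim) for x in (fraud, usual)]

if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```
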

And this is why I do not use my phone for anything sensitive, and I do not use online banking on any device. Online orders use throwaway cards and get loaded with the exact amount of the order. And people call me overcautious; I say necessary lines of defense.

I imagine iPhone and Android are by themselves pretty secure, perhaps even more secure than desktop computers. The weak link here is the telecom operator. They should be just dumb pipes and nobody should use them for authentication.

1 Like