Are banks answering the call on mobile phone security?
Reliance on mobile phones for online payments could leave us vulnerable
If someone can get into your phone, they essentially have your entire life at their fingertips – and access to all your accounts. Bank of Ireland’s advice is to use a second email address for social media, not the one that is attached to your online banking details, to add an extra layer of security. Photograph: Thomas Coex/AFP/Getty Images
Mobile phones have become an integral part of our lives, replacing everything from face-to-face interaction to good old maps as they become increasingly powerful. They are the hub of social lives through Facebook and other social networks, chat apps and email. They are work tools, creative hubs, entertainment, research and payments, all in one handy device.
In recent months, your mobile phone has become a digital wallet of sorts, allowing you to make payments online or in shops without having to physically have a card or cash on you.
However, the over-reliance on our mobile phones could potentially leave us vulnerable.
There have been plenty of warnings about the dangers of giving away too much on social media. Location services that identify your home, for example, or posts on social media that could alert people that you are away from home for significant periods of time. If someone can get into your phone, they essentially have your entire life at their fingertips – and access to all your accounts.
While mobile manufacturers have implemented new security procedures, such as fingerprint biometrics and alphanumeric passcodes, to protect the software on your phone, new threats are emerging all the time that would allow malicious users to bypass such safeguards.
That has been helped in no small part by a growing trend towards using your mobile phone number as a way to recover passwords and regain access to your accounts.
“What everyone has done now, Twitter, Google, Tumblr, all these accounts have switched to sending a one-time password in an SMS to your phone,” said Colin Larkin, founder and chief executive of mobile data security company MoQom.
“Everyone has started using their mobile phone number as a security device. It was never intended for that.”
If your phone suddenly dropped service, would you think anything of it? Even if it continued for longer than a few minutes, you might put it down to a bad signal area, or a congested network.
However, it could be something more sinister than that. An emerging threat is sim swap fraud, a phishing attack that effectively hijacks a mobile phone account.
Sim swapping is a legitimate action that mobile phone networks offer to customers if they lose their sim card, for example, want to change to a different-sized sim card with a new phone, or want to change network but keep their number. It essentially takes the existing mobile number and moves it to a new sim card. Where the problem occurs is if it is done fraudulently.
Sim swap fraud occurs when someone impersonates the legitimate owner of the mobile number. To activate the sim card, they have to get past the mobile networks’ security procedures, which will require some personal details.
“Social engineering is so easy to do. Within minutes you can have enough information about any person to impersonate them, go online and get a new sim card by convincing someone you are genuine,” said Larkin.
Once the new sim card has been activated, anything linked to that phone number – your email account, even your banking services – can be compromised.
“Sim swap is effective in the financial services sector because hackers have enough knowledge on you,” said Larkin. “They’ve already got into your accounts. If they’re looking to do a sim change on your phone, they’re already actively in your accounts.”
War on fraud
Banks have been waging a war on fraud since online and mobile banking services took off. AIB, for example, requires users to have a card reader for their debit cards to make any transfers outside of their nominated accounts. And even then, financial institutions will limit the amount of money you can electronically transfer outside your own accounts in a single day.
The banks also advise consumers to be aware of the potential for fraud. Bank of Ireland’s advice is to use a second email address for social media, not the one that is attached to your online banking details, to add an extra layer of security.
According to the Central Bank, sim swap hasn’t yet been seen in Ireland – or has not been reported, at least. But there are fears that it is only a matter of time before the scams start to pop up here, with a rise in the number of incidents in the UK.
In March, Irish banks were urged to review their security procedures as a number of sim swap attacks were discovered in Britain. It’s hitting ordinary consumers, with one woman in Bristol finding herself £6,000 down. BBC journalists then carried out their own investigation and, employing tactics used by the scam artists, managed to gain access to bank accounts.
On this side of the Irish Sea, mobile networks are also reasonably confident it isn’t much of a threat. They have a set of procedures in place to prevent unauthorised users gaining access to sim cards, with some implementing a password system – without the password, you can’t make changes to the account.
Three, which is the second-largest network in the country, said it took protection of customer data “very seriously” and had strict policies in place to prevent fraudulent activity and unauthorised access.
“All requests to make account changes require the person to provide a range of details in order to verify their identity. Failure to do so will result in the request being declined,” the network said.
However, that’s where social engineering comes in. Armed with enough personal details and a faked utility bill, a fraudster could put up a convincing argument.
A recent report into sim swap fraud warned that Ireland’s banking services could be at risk of such attacks, with only one – Bank of Ireland – showing evidence of a specific defence against sim swap attacks. Others, such as AIB, have implemented two-factor authentication that while not specifically defending against sim swap fraud would provide an additional layer of security.
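One shape such a specific sim swap defence can take, as an added illustration that is not code from Bank of Ireland, AIB, MoQom or any network: if the bank can learn from the mobile network when the SIM behind a number was last activated (an assumed lookup, modelled here by a constructed table rather than a real carrier API), it can decline to send an SMS code to a freshly swapped SIM for high-risk actions and fall back to a channel the swap does not carry across.

```python
"""Defender-side model of a sim swap check before an SMS one-time code is sent.
Added illustration, not code from any bank, MoQom or a network. Assumes the bank
can learn from the network when the SIM behind a number was last activated; that
lookup is modelled by a constructed dictionary, not a real carrier API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SIM_SWAP_WINDOW = timedelta(hours=48)  # assumed policy window, not a published figure
HIGH_RISK_ACTIONS = {"password_reset", "add_payee", "transfer_external"}
# Constructed sample data: number -> most recent SIM activation time (UTC).
SIM_ACTIVATIONS = {
    "+353870000001": datetime(2016, 5, 1, 9, 0, tzinfo=timezone.utc),    # long-standing SIM
    "+353870000002": datetime(2016, 5, 20, 14, 30, tzinfo=timezone.utc),  # swapped yesterday
}
SAMPLE_NOW = datetime(2016, 5, 21, 10, 0, tzinfo=timezone.utc)

@dataclass
class OtpRequest:
    account: str
    action: str
    msisdn: str
    requested_at: datetime

def sim_swapped_recently(msisdn, now, window=SIM_SWAP_WINDOW):
    """True if the SIM behind msisdn was activated less than `window` before `now`;
    a number with no known history is treated as swapped (fail closed)."""
    activated = SIM_ACTIVATIONS.get(msisdn)
    return activated is None or now - activated < window

def decide_otp_channel(req):
    """Choose how the second factor reaches the customer:
    'sms'  stable SIM, an SMS code is acceptable;
    'app'  swapped SIM but low-risk action, push to the banking app instead
           (the app is bound to the device, which a sim swap does not move);
    'hold' swapped SIM and high-risk action, send nothing to the number and
           route to an out-of-band check (card reader, branch, call-back)."""
    if not sim_swapped_recently(req.msisdn, req.requested_at):
        return "sms"
    return "hold" if req.action in HIGH_RISK_ACTIONS else "app"

def evaluate_samples():
    """Run constructed requests through the policy; returns (account, action) -> channel."""
    requests = [
        OtpRequest("acct-1", "transfer_external", "+353870000001", SAMPLE_NOW),
        OtpRequest("acct-2", "transfer_external", "+353870000002", SAMPLE_NOW),
        OtpRequest("acct-2", "view_statement", "+353870000002", SAMPLE_NOW),
        OtpRequest("acct-3", "add_payee", "+353870000099", SAMPLE_NOW),  # unknown number
    ]
    return {(r.account, r.action): decide_otp_channel(r) for r in requests}
```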
More worrying for consumers is the fine print written into the terms and conditions of services that could push the responsibility for preventing fraud back on to unsuspecting consumers. On the face of it, consumers could be held liable if their mobile phone – a security device – was compromised.
But even though the terms and conditions may push the onus back on to the consumer, Fintech Ireland director Peter Oakes says there is still some protection afforded to service users by consumer protection codes that banks have to abide by.
“Ireland is very much a black-letter-law country,” he said, noting that the disclaimers were usually included as a barrier to reject complaints or compensation. “But regulators will require that customers are treated fairly. Was the consumer aware that there was the potential for fraud? Were the banks aware and was there anything more they could have done?”
Ireland has always been very conservative, he said.
Should consumers rely on the code of protection? Like with your PC security, prevention is better than cure. And if there is one thing that you can be sure of, it’s that the online criminals trying to empty your accounts aren’t slowing down.
Malware discovered earlier this year, called Mazar, could make the process even easier for thieves. The software, which mainly affected Android phones, was spread through a link sent in a message claiming to be a multimedia message, and installed Tor software on the handset. That gave malicious users access to the phones, including text messages, which would allow them to intercept banking security messages without a user’s knowledge.
“Vigilance is something that has to happen all the time,” said Oakes. “Consumers need to be aware of the potential types of fraud.” However, he acknowledged that it was becoming increasingly difficult for consumers.
Stay safe: Tips for avoiding security breaches
Be wary of emails and texts: don’t open or forward emails or texts you suspect might be spam or phishing attempts. That includes messages in WhatsApp or similar apps.
Keep your phone’s operating software up to date.
Consider getting anti-virus protection for your phone.
Beware of unsolicited texts and calls asking for information. If the person claims to be from your bank, decline the call, check that the call has terminated properly, and contact your bank’s customer service number to enquire about the previous contact.
Ask your mobile phone company about what other security steps you can implement to prevent your number being diverted without permission.
Watch your apps: remember that every mobile app on your phone generally has access to some of your phone’s features, such as email, texts, social media apps, contacts, pictures and other files. Steer clear of unfamiliar app markets.
Be very careful what personal details you share on social media.
If your mobile phone service stops unexpectedly, you should notify your bank. However, with mobile phone outages and drop-outs becoming more and more common as networks become congested, this is a tricky one.
If you need to get your phone repaired, remove the sim card and memory card. Consider deleting any banking and social media apps where your personal data may be stored. It’s better to be safe than sorry.
Be wary of letting your children download games on your phone. That hot new ‘must have’ kids game app with the cute characters might be pulling off a cyber robbery.