Banks urged to review security after ‘sim swap’ attacks

Data Solutions chief warns of vulnerabilities arising from sophisticated hack attack

Central Bank: Dave Keating, head of security at Dublin-based Data Solutions, said it is only a matter of time before we see sim swap fraud happening in Ireland and “ultimately it is the Central Bank’s job to ensure banks here are set up to protect against it”.


Irish banks have been urged to review security procedures following a spate of “sim swap fraud” attacks in the United Kingdom.

The warning comes after a number of customer accounts were broken into by criminals in Britain who successfully diverted mobile phone accounts. In one such incident, a woman from Bristol found herself out of pocket by more than £6,000 (€7,780) after fraudsters were able to “swap” or “split” her SIM card.

Following a number of reports on such incidents, journalists working for BBC Radio 4’s You and Yours programme recently copied the tactics used by criminals and were able to successfully remove money from an individual’s account.

Sim swapping or splitting, as it is also known, is a sophisticated type of phishing attack that is becoming increasingly popular.

According to the City of London’s National Fraud Intelligence Bureau, fraudsters obtain banking account details and mobile numbers through phishing or malware. They then use this information to open a bank account in the victim’s name, something which is usually easy to do because less rigorous checks tend to apply if an account holder is already a customer.

The new account is then linked to a new mobile phone account, which is also set up in the victim’s name. A new SIM is applied for and once activated, a fraudster will ask the bank to remind them of their security details. Once activation codes are sent, funds are transferred over from the victim’s original bank account into the new one and then immediately withdrawn.

Victims are often unaware their security details have been compromised and may only find out there is something awry when their mobile phone goes dead as the account is switched to the new mobile.

NatWest, which is owned by Ulster Bank’s parent Royal Bank of Scotland, said it intended to update security systems across its network following the successful attack by the BBC’s journalists.

Dave Keating, head of security at Dublin-based Data Solutions, has warned that banks here are also potentially vulnerable to the same type of attack and has called on them to urgently review their systems to ensure customers are protected.

“Hackers are continually coming up with new ways to get around protection that businesses put in place and this latest hack is one that is undermining the one-time password or PIN authentication method, which has proven popular in recent years.

“It is only a matter of time before we see sim swap fraud happening here and ultimately it is the Central Bank’s job to ensure banks here are set up to protect against it,” he added.

Mr Keating said that with trust undermined, banks will have to make a call on whether they need to introduce stricter security procedures.

The Central Bank told The Irish Times it was not aware of any reports of sim swap fraud having occurred in Ireland.

How to protect yourself against sim swap fraud

1) Always make sure you have suitable anti-virus software installed and that your firewall is switched on.

2) Always consider what you are downloading – do not open files from unknown sources.

3) Be wary of “pop-ups” requesting unsolicited downloads.

4) If you discover a virus on your computer, disconnect from the internet immediately and ask a specialist for advice.

5) When creating a password, try not to use the same password for more than one account. This will prevent further accounts being taken over if one has been compromised.

6) Use complicated passwords: vary the case, use eight or more characters. Never use personal information such as names or dates of birth.

7) Try not to post information on social media such as your birth date, your first pet, or school as these are normally included in security questions to reset your password.

8) Fraudsters may use these answers to access your account via the “Forgot Password” link.

Source: NFIB