SIM Swap Fraud Solution which India should Adapt By Prashant Mali

SIM Swap or SIM Exchange Fraud Solution which India should Adapt
By Prashant Mali
Being a long-time crusader of SIM swap fraud victims in India and winning many cases in favour of victims, I thought of penning this advice.  Sim Exchange fraud or Sim Hijacking fraud (also known as Port-Out scam or SIM splitting) is a type of account takeover fraud that generally targets a weakness in two-factor authentication & two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. In 2018, over 80% of adults were expected to have a bank account, over 1.18 billion people own a mobile phone in India


How SIM Swap Fraud works?

Fraudsters obtain banking account details and your registered mobile number through phishing or through Trojans/Malware or through a leaked database.

Under the pretext of losing the mobile handset, new handset or damaged SIM card, fraudster approaches mobile service provider using a forged authority letter and forged KYC document there by creating a fake identity of genuine customer

Post customer verification, mobile service provider will deactivate or block the old SIM card in the mobile phone which is in customer’s possession and issue a new SIM card to the fraudster. There will be no network on customer’s handset. This done generally on weekends to fraudsters get time before the customer complains Now, customer will not receive any SMS, information such as alerts, OTP, URN etc. on the phone

With the banking details stolen through phishing or Trojan/Malware or via leaked database in darknet fraudster will access and operate customers account and initiate financial transactions which customer will not be aware of and all the SMS for alerts, payment confirmation etc. will go to the fraudster

Solution
SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim's banking credentials, or by using the phone number as a password reset fallback. So the phone company has to offer a straightforward fix: The telecom carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.
After UK and Australia, by August of 2018, Mozambique's largest bank was performing SIM swap checks with all the major carriers. which reduced their SIM swap fraud to nearly zero overnight. Mozambique isn't alone in implementing that fix for the growing epidemic of SIM swap fraud, which is increasingly used for everything from hijacking Instagram accounts to stealing cryptocurrency. Companies in other countries across Africa, including Nigeria, South Africa, and Kenya—where the prevalence of mobile payments have made SIM swaps a particularly serious threat—have put similar carrier-checking remedies in place. 

How the solution can work
All mobile operators in Indian can make an Anti-SIM swap platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period. The bank then decides what to do next.

Most banks can block any transaction from a mobile number that has undergone a SIM card change within the last 48 hours, while others opt for a longer period of 72 hours. This period of 48-72 hours is considered a safe period during which the subscriber will contact their operator if they have fallen victim to an unauthorized SIM card change.

There’s also the possibility that the mobile owner has legitimately changed their SIM card, and therefore unable to perform an online transaction for the next 48 hours. In such cases, some of the banks can have a process that requires face-to-face verification in a branch office – a reasonable compromise in the circumstances.

Anti-SIM swap Platform workflow
The banks are connected to different mobile operators through a VPN connection so that all traffic is secure.
The online banking system conducts a REST API query to the respective mobile operator giving the mobile number (MSISDN) and the period (24-72 hours) as arguments.
The mobile operator simply returns in real-time: True or False.
If the query is False, the bank allows the transaction as normal. If True, the bank blocks the transaction and may request additional steps to verify the transaction. It is important to reiterate that the mobile operator should not share personal identifiable information (PII) with a third party, in this case, banks. 

Once the platform is implemented, the level of online banking fraud stemming from SIM swap attacks should fell dramatically, there can be almost no cases involving banks that implement the anti-SIM swap platform. 

Other Solution
Australian banks such as Commonwealth Bank, NAB, Macquarie Bank and Westpac have tackled SIM hijacking from another angle. The banks get a data feed from a company, Paradigm.one, that collects real-time porting data, such as when a number moves from carrier A to carrier B.


A recent SIM change may be viewed as an increased risk if an account has also attempted to suddenly initiate a high-value transaction. Using other metrics, such as device fingerprinting and geolocation, banks can decide whether to reject transactions and suspend accounts. Paradigm.one's system has its limitations, though, as it doesn't collect data for certain types of SIM changes.

Alternative measures to be explored include the use of additional in-device authentication software, such as Google Authenticator or a two-factor authentication device such as a YubiKey.

Extra Links
1. SIM SWAP FRAUD explained in HINDI Language on ABP News, Youtube Video
2. SIM SWAP Fraud Explained in MARATHI Language on ABP Majha News, Youtube Video
3. How to Protect yourself from SIM Swap Fraud Express Computer News


Prashant Mali
Cyber Lawyer, Bombay High  Court
Author, Speaker & Thought Leader.
+919821763157 | cyberlawconsulting@gmail.com

Comments

  1. I want to shear a life changing story with everyone who cares to read this testimony. Blank atm cards are real and are effective all over the world. my name is Gorge Judy i live in SPAIN . I got this card from [skylink technology] a month ago. this card has really help me pay my debts and now i am free from all financial problems. I no this is hard to believe , but i never knew there was this kind of card until i got one. This card withdraw more than €6000 daily and it is very easy to use. But you have to be very careful in other not to be caught by the police because it is illegal. If you want more information on this card and how to get one just contact the hackers by this address
    skylinktechnes@yahoo.com or whatsapp +1(213)328–0248

    ReplyDelete
  2. Wow! Such an amazing and helpful post this is. I really really love it. It's so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also Pacific Beach Appliance Repair

    ReplyDelete
  3. This is my first time visit to your blog and I am very interested in the articles that you serve. Provide enough knowledge for me. Thank you for sharing useful and don't forget, keep sharing useful info: https://simsfpfree.com

    ReplyDelete
  4. Are you interested in the service of a hacker to get into a phone, facebook account, snapchat, Instagram, yahoo, Whatsapp, get verified on any social network account, increase your followers by any amount, bank wire and bank transfer. Contact him on= ETHICALHACKERS009@GMAIL.COM

    OR WHATSAPP +1 213 295 1376

    ReplyDelete

Post a Comment

Popular posts from this blog

Consumer Dispute resolution under the Telecom Act 2023

Types of Cyber Attacks

What to do when police does not take your FIR?