Unauthorized SIM Swap

mightymario

@k89bpa wrote:

Been reading on Twitter that a few people have experienced an unauthorized SIM swap which has caused them all kinds of problems.

How does this happen?

People have been posting screenshots of agent responses reassuring customers that the accounts here are secure and haven't been compromised, so how exactly do these SIM swaps occur?

Also, what protections are in place to stop it from happening?

I didn't even know this was a thing until today.

It could be due to scams like

https://community.giffgaff.com/t5/contribute/free-10-giffgaff-credit-offer-by-sms-scam-confirmed/td-p/22675855

https://community.giffgaff.com/t5/help-support/is-this-a-scam/m-p/22854289

https://community.giffgaff.com/t5/announcements/security-update-phishing-smishing-and-sim-swaps/m-p/22708021#m122641

k89bpa

Perhaps it's time for two factor authentication on accounts, or at least on SIM swaps?

tradertall

has to be phishing

woodyuk

Some kind of extra security layer is definitely needed to prevent these rogue sim swaps,if giffgaff were to go the 2FA route though,it would probably have to be done via email with a clickable link to confirm you asked for the sim swap because if it's a genuine swap because a member's sim has failed then a text confirmation would be a non starter.

At the end of November in a post I'll link to below re the phishing texts that were doing the rounds giffgaff told us this:-

"To better protect against SIM swaps that our members are unaware of, we’ve built upon the confirmation email we already send to advise that the SIM swap is in progress - you’ll now receive a SIM swap confirmation text message to your phone where you have the possibility to immediately raise a case with the agents if you were not the one that requested the SIM swap."

But given that the average sim swap takes just a few minutes to complete whereas for an agent to read a member's report and respond to it can take up to 24 hours,is it just me that sees a bit of a flaw in this new feature?

So some kind of 2FA would be a huge improvement because all that members have in the way of protection at the moment is just about sweet FA.

https://community.giffgaff.com/t5/Announcements/Security-Update-Phishing-smishing-and-SIM-swaps/td-p/22708021

k89bpa

Yeah, was thinking an email confirmation link too @woodyuk for much the same reason, or a 2FA app but given the technical level here...

Perhaps user choice?

woodyuk

Email seems like the simplest solution to me and one that could be implemented quickly because you need a method that a genuine member can access if their sim has stopped working so they have a dead phone.

If when you started a sim swap you got a message saying a confirmation link has been sent via email and the swap doesn't go ahead until that link is clicked that would stop all of the rogue sim swaps we're seeing unless the scammer also has access to the member's email account.

k89bpa

Agreed

various_mm

by: k89bpa

on: 03/01/2019 | 12:52

Perhaps it's time for two factor authentication on accounts, or at least on SIM swaps?

-------------

@k89bpa

yes, that would be welcome to add another layer of assurance

woodyuk

Another thought that crossed my mind for the extra layer of protection was perhaps security questions could be used?

If part of the account opening process was to provide answers to a few security questions and these questions didn't include ones that could be guessed from information in a members account profile,then when a member starts a sim swap they could be asked to answer one of their security questions before the swap will complete.

harrybeau

Something needs to be done and an extra layer seems the obvious answer to this.

k89bpa

Not sure about that one @woodyuk

As part of the security questions to recover access to an old account, I had was asked to provide information that nobody would ordinarily be able to provide, including the last four digits of a card last used five years prior.

I got lucky, very lucky, eventually I was able to track down that card number, (thanks to Google), and other snippets.

I suggested, in fact, pretty much demanded that they put in place easier procedures for account recovery and other associated things, (because current practice is blatantly not fit for purpose, especially for people with memory impairment for whatever reason), and was totally ignored.

I lose account access all the time because of memory issues, they're real and so severe that I don't even remember my names and places I've lived - a few years back in the middle of a conversation someone said, "when you lived in COUNTRY". and I had no memory of visiting the mentioned country let alone living there, but they were able go prove that I did.

Of all the accounts I've had to recover because I can't remember usernames, passwords and email addresses, giffgaff are the only company who made it in any way difficult.

If we introduce something like that this company will leave people with memory issues high and dry. Literally. They will offer zero assistance at all.

I eventually got lucky and eventually was able go regain access to the account because Google remembered and told me things I had zero hope of ever being able to remember...

I think the email conformation link is enough.

Perhaps this latest suggestion could be optional for people who want it but it can't be mandatory because of how it will indirectly discriminate against people with memory issues.

woodyuk

After a bit more thought about this,the problem I see with our confirmation email plan is that in order to start the sim swap process the scammer has to be logged into the victim's account and so I wouldn't be surprised if their first action is to change the member's email address on their account to one that the scammer has control of for a variety of reasons so it would be them that'd receive the confirmation email and not the victim of the scam.

I must admit I'd overlooked the problems that a security question could pose to members with memory probems but what about if the member could compose the question as well as the answer rather than having to choose a set question like "what was your first pet's name?"from a list?

In this way the member could set a question and answer which is totaly unique to them so hopefuly unguessable by the scammer but at the same time a Q&A that they felt confident that they would remember.

I'm sure this would be technicaly possible on giffgaff's part and this problem is getting more urgent to resolve just about by the day,here's 3 cases I noticed in a day between Christmas and New Year and reports at Twitter confirm that the phishing texts are still being sent allowing the scammers to harvest more members details to perform these rogue sim swaps with:-

https://community.giffgaff.com/t5/Help-Support/No-servise-due-to-wrong-number-transfer/td-p/22839304

https://community.giffgaff.com/t5/Help-Support/My-number-was-transferred-overnight-without-consent/td-p/22839234

https://community.giffgaff.com/t5/Help-Support/phone-number-theft/td-p/22840327

k89bpa

The composing of questions really doesn't help @woodyuk.

A quick look at my Vodafone account, (handy that it's today that I chose to update all my passwords and email addresses everywhere), and it shows me I've a hidden "secret word", and a visible hint.

The hint has not helped to remind me of the secret word, (which I'd forgot setting let alone the content). I can guess, and the guess may even be correct, but if I ever need to use it or change it it's much more likely that I'll have to call them.

It is the lack of this ability to call and verify by other means which presents the biggest obstacle for people like myself with severe memory issues.

That's one of the reasons I love them so much, (and Lloyds and Nationwide and others), because they're all willing to work with me and identify me via other means that I can remember, like my national insurance number, my NHS number, my partner's date of birth and name, things like that.

This could be possible with giffgaff but you've problems with remembering the format. For instance if one of the security questions was "What position did you play in soccer" and the answer is center back, you can write that in a number of different ways and you've gotta remember which one you used or you're locked out.

When you can call, the format the answer is written in doesn't matter, you'd be able to say "center back" and pass even if you wrote CB or CD on the form, because the human can apply common sense, you can probably even pass if you say "central defender" in such a situation because of course they're all the same thing.

Forms can't make distinctions like that.

I've been locked out on capitalization errors before and not being able to remember how much of someones name I used and how I capitalized it.

But yeah you're right about the email address change, which is why that should also be two factor authenticated, (to the old address), and email addresses should be verified anyway which they currently aren't.