
Unauthorized SIM Swap

Started by: k89bpa
On: 03/01/2019 | 11:46
Replies: 15

by: k89bpa
on: 03/01/2019 | 12:52
Perhaps it's time for two factor authentication on accounts, or at least on SIM swaps?

by: various_mm
on: 03/01/2019 | 20:42
Yes, that would be welcome, to add another layer of assurance.
Message 11 of 16
by: woodyuk
on: 04/01/2019 | 09:51 edited: 04/01/2019 | 09:52

Another thought that crossed my mind for the extra layer of protection was perhaps security questions could be used?


If part of the account opening process was to provide answers to a few security questions, and these questions didn't include ones that could be guessed from information in a member's account profile, then when a member starts a SIM swap they could be asked to answer one of their security questions before the swap will complete.

Message 12 of 16
by: harrybeau
on: 04/01/2019 | 10:50

Something needs to be done and an extra layer seems the obvious answer to this.

Message 13 of 16
by: k89bpa
on: 04/01/2019 | 11:36
Not sure about that one @woodyuk

As part of the security questions to recover access to an old account, I was asked to provide information that nobody would ordinarily be able to provide, including the last four digits of a card last used five years prior.

I got lucky, very lucky, eventually I was able to track down that card number, (thanks to Google), and other snippets.

I suggested, in fact, pretty much demanded that they put in place easier procedures for account recovery and other associated things, (because current practice is blatantly not fit for purpose, especially for people with memory impairment for whatever reason), and was totally ignored.

I lose account access all the time because of memory issues; they're real and so severe that I don't even remember my names and places I've lived. A few years back, in the middle of a conversation, someone said, "when you lived in COUNTRY", and I had no memory of visiting the mentioned country, let alone living there, but they were able to prove that I did.

Of all the accounts I've had to recover because I can't remember usernames, passwords and email addresses, giffgaff are the only company who made it in any way difficult.

If we introduce something like that this company will leave people with memory issues high and dry. Literally. They will offer zero assistance at all.

I eventually got lucky and was able to regain access to the account because Google remembered and told me things I had zero hope of ever being able to remember...

I think the email confirmation link is enough.

Perhaps this latest suggestion could be optional for people who want it but it can't be mandatory because of how it will indirectly discriminate against people with memory issues.
Message 14 of 16
by: woodyuk
on: 08/01/2019 | 15:17

After a bit more thought about this, the problem I see with our confirmation email plan is that, in order to start the SIM swap process, the scammer has to be logged into the victim's account, and so I wouldn't be surprised if their first action is to change the member's email address on their account to one that the scammer has control of, for a variety of reasons, so it would be them that'd receive the confirmation email and not the victim of the scam.


I must admit I'd overlooked the problems that a security question could pose to members with memory problems, but what about if the member could compose the question as well as the answer, rather than having to choose a set question like "what was your first pet's name?" from a list?


In this way the member could set a question and answer which is totally unique to them, so hopefully unguessable by the scammer, but at the same time a Q&A that they felt confident they would remember.


I'm sure this would be technically possible on giffgaff's part, and this problem is getting more urgent to resolve just about by the day. Here are 3 cases I noticed in a day between Christmas and New Year, and reports at Twitter confirm that the phishing texts are still being sent, allowing the scammers to harvest more members' details to perform these rogue SIM swaps with:-



Message 15 of 16
by: k89bpa
on: 08/01/2019 | 16:24 edited: 08/01/2019 | 16:39

The composing of questions really doesn't help @woodyuk.

A quick look at my Vodafone account, (handy that it's today that I chose to update all my passwords and email addresses everywhere), and it shows me I've a hidden "secret word", and a visible hint.

The hint has not helped to remind me of the secret word, (which I'd forgot setting let alone the content). I can guess, and the guess may even be correct, but if I ever need to use it or change it it's much more likely that I'll have to call them.

It is the lack of this ability to call and verify by other means which presents the biggest obstacle for people like myself with severe memory issues.

That's one of the reasons I love them so much, (and Lloyds and Nationwide and others), because they're all willing to work with me and identify me via other means that I can remember, like my national insurance number, my NHS number, my partner's date of birth and name, things like that.


This could be possible with giffgaff but you've problems with remembering the format. For instance if one of the security questions was "What position did you play in soccer" and the answer is center back, you can write that in a number of different ways and you've gotta remember which one you used or you're locked out.


When you can call, the format the answer is written in doesn't matter; you'd be able to say "center back" and pass even if you wrote CB or CD on the form, because the human can apply common sense. You can probably even pass if you say "central defender" in such a situation, because of course they're all the same thing.


Forms can't make distinctions like that.


I've been locked out on capitalization errors before, and on not being able to remember how much of someone's name I used and how I capitalized it.

But yeah you're right about the email address change, which is why that should also be two factor authenticated, (to the old address), and email addresses should be verified anyway which they currently aren't.

Message 16 of 16
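The lockouts on capitalization and wording that the thread describes are a server-side design choice, not an unavoidable property of security questions. The following is an added example, not code from this thread or from giffgaff: it canonicalises a free-text answer (case, accents, spacing, punctuation, and a small hypothetical synonym table for the "center back" case) before storing a salted hash, and verifies candidates against that hash in constant time. The synonym table, the iteration count and the hashing scheme are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical equivalence table (an assumption of this example, not any
# operator's policy): different spellings of the same answer map to one form.
_SYNONYMS = {
    "centreback": "centerback",
    "cb": "centerback",
    "centraldefender": "centerback",
}


def normalize_answer(answer: str) -> str:
    """Canonicalise a security answer so formatting differences cannot lock a member out."""
    # Strip accents: "Jos\u00e9" and "Jose" become the same answer.
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Case-insensitive, then drop spaces, hyphens and punctuation.
    text = text.casefold()
    text = re.sub(r"[^a-z0-9]", "", text)
    return _SYNONYMS.get(text, text)


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for the normalised answer; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Compare a candidate answer against the stored hash in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: the member enrolled "Center Back" at account opening.
    enrolled_salt, enrolled_digest = hash_answer("Center Back")
    for attempt in ("centre-back", "CB", "Central Defender", "goalkeeper"):
        print(attempt, "->", verify_answer(attempt, enrolled_salt, enrolled_digest))
```

Normalisation shrinks the answer space slightly, so a question handled this way should gate the SIM swap together with the confirmation to the previously verified email address rather than on its own; the point is to stop honest members being rejected on trivia, not to make the answer a strong secret.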