Technology has been a real godsend for fraudsters. Used to be you had to painstakingly recreate a valuable painting, or convince hopeless marks to sign up to your pyramid scheme, or physically grow a moustache to fool a bank teller into opening a fraudulent bank account for you.
These days – as journalist and food writer Jack Monroe discovered last week, when £5,000 was stolen from her bank account – scammers can simply transfer your phone number to a new SIM card and gain access to every penny in your name.
Videos by VICE
This relatively new crime is known as “SIM-jacking”, and works like this: perpetrators obtain important details about their victims either by scouring social media or conning them into divulging personal information. Using these details, they pose as their victims, convince network providers to transfer their numbers to new SIM cards and post out those SIMs. Once the swap is complete, messages containing codes for those two-factor authentication systems we now all have can be intercepted, and fraudsters can hop into your email, social media or mobile banking accounts.
SIM-jacking differs from other forms of hacking in that it doesn’t require any technical know-how; all you need is a conman’s skills of persuasion and a basic grasp of identity-theft. This is perhaps why it’s growing at such a rapid rate, with incidents jumping 60 percent between 2016 and 2018.
In September, a pair of London-based SIM-jackers were jailed after stealing £457,000 via purchases and bank transfers, while in early October scammer Emanuel Poku was jailed after an even more lucrative SIM-jacking spree, linked to over £2 million of losses.
Considering just under half of the UK’s population now use mobile banking, there’s obviously an ever-growing pool of targets for SIM-jackers to prey on – but experts say the crime also appears to have been fuelled by the increased use of cryptocurrency.
Elsa Ramon, who has reported extensively on cryptocurrency, says high-profile crypto traders are singled out because they often have apps on their phones that facilitate currency exchanges. Many traders store crypto on exchange platforms for long periods of time rather than transferring it to more secure facilities, which leaves it vulnerable to theft. Crypto is also much harder to track down than conventional currencies once it’s been stolen, as it can be stored in offline hardware known as “cold-storage wallets”. These wallets usually take the form of either USB sticks or paper wallets with QR codes that allow users to access the currency.
“If you don’t have the passwords to these cold-storage wallets, no one’s getting in – not even you, if you lose the keys to your wallet,” explains Ramon. She adds that cryptocurrencies can be converted to fiat currency or other types of cryptocurrency, further complicating the process of tracing them. All of these factors make them the perfect currencies to steal.
Somewhat surprisingly, given all that she knows about this world, Ramon has been a victim of SIM-jacking herself. In 2017, her phone suddenly went out of service when her number was transferred to another SIM. She immediately realised what had happened and alerted her network provider, foiling the hacker’s attempt to drain her account. Since then she’s been targeted again, despite telling her phone company not to swap her number to another SIM unless she goes into the store in person and shows several forms of ID.
Ramon believes she has been a victim not once, but twice, because of corruption in the States, where it’s alleged that employees of several mobile phone companies have knowingly collaborated with SIM-jackers. There have also been numerous cases of criminality by staff at mobile phone companies in the UK, including one last year in which Vodafone employees were convicted of printing out personal data and using it for identity fraud.
That said, fraudsters don’t even necessarily need to find corrupt staff – some are easy enough to just trick into swapping out SIMs. In 2018, the BBC’s Watchdog sent undercover reporters into Vodafone and O2 stores to see if they could obtain replacement SIM cards without proper ID checks. In both cases they walked away with the SIMs without having to undergo the checks.
“One of the reasons SIM-swap attacks are so effective is that many mobile phone carrier representatives are easy to socially engineer,” explained a former black hat hacker, who dabbled in SIM swaps before going straight and becoming a white hat hacker. “An attacker can call your phone provider, pretend to be you and spin some story to get the support agent to transfer your number to a SIM. If he runs into any friction, he can hang up and try again with another agent.”
Given that your network provider is unlikely to be your best form of defence against SIM-jackers, is there any way to ensure you don’t fall victim to the crime? Ramon’s advice is to remain vigilant and pay attention to your phone acting weirdly. She points out that she no longer uses an email app in case her SIM is swapped and her account is compromised. “It’s a pain,” she says. “I have to type in my password every single time I log in.”
Considering network operators often tout themselves and their products as making life more convenient for consumers, it’s unlikely they want their customers to have to roll back on the convenience they’ve become accustomed to. But until they devise some stricter security protocols to curb SIM-jacking before it becomes even more popular, they’re not giving us a lot of choice.