There are lots of stories around these days about various financial scams – you can find a new one pretty much every day. But some stand out and gain greater traction, so they end up being noticed by millions.
One of these was the recent story of Charlotte Morgan, a young Londoner, who in late August went, as she often did, to work out at her local gym in Chiswick, west London.
She was in celebratory mood as she arrived as she’d just landed a new job. But that joy soon turned to despair as she finished her training session and went to leave: her locker door was ajar and her rucksack was gone.
She soon found out that this had happened to other gym users too: it was an organised theft.
As well as other possessions, Charlotte had lost her phone, her bank card and her door keys. But being locked out of her flat and being unable to release her bike where it was chained to railings outside, it soon became clear, were the least of her worries.
Within hours the thieves had gone on spending sprees around London, spending £3,000 in one Apple store alone, thousands more at other shops.
Once she realised that she had been targeted in this way – not easy when you suddenly have no phone to communicate with, no card to pay for travel or goods with and can’t get into your own home to access other computer equipment – Charlotte was initially partially reassured that all the thieves would be able to take was what had been in her current account.
But the reality was to prove far worse. It soon emerged that the thieves had somehow been able to bypass all the security settings on her phone – and had raided not just her current account but her savings. And within just a few hours they had taken the lot. Thousands of pounds that she had worked hard to accumulate over years had been stolen.
She was understandably shocked and devastated – but also mystified.
Because it had never occurred to her that just by stealing her handset thieves would be able to attack her so grievously, believing she was further protected by PIN numbers to activate the apps on her phone.
It wasn’t until later that she found out how they had done it.
Charlotte explained: “A bank security expert explained to me how the scam is likely to have happened. Once the thief had my debit card, they didn’t need my smartphone — just the Sim card, which can be popped out of the side and inserted into another phone.
“This bypasses thumbprint security and facial recognition. It’s the digital equivalent of an open window in a house.
“Once into my account, the thief could reset the PIN online, and then change all my banking security passwords. It’s shockingly easy. I think the thief was able to do it in the taxi from the gym to the first Apple store.”
This is almost certainly what did happen and, if asked, I would have offered much the same explanation.
Swapping Sims between handsets is very, very easy to do – with devastating consequences.
We at TMT can spot a Sim Swap – as this scam is known – because the unusual transaction patterns that inevitably follow it are a tell. When someone like Ms Morgan has been a prudent saver for a long period we can see that previous history – we don’t expect to see them raiding their savings account at night for thousands of pounds in repeat amounts – and so that becomes an instant red flag.
Of course Sim Swap can and does take place constantly for legitimate reasons. Just last week I got a new iPhone myself. I did my back up, changed my Sim over to the new handset and it immediately replicated my old homepage and contacts. The ease with which this happens is one of the major reasons people stick with the same phone brand, Apple or an Android rival, from one contract to the next.
Our security protocols would have been able to tell the difference between what happened to Charlotte and my innocent Sim switch because of the different behaviours around them, one innocent, one nefarious.
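As an added illustration of the behavioural difference described above (the red flags in the paragraph on spotting a Sim Swap, and the innocent-versus-nefarious contrast here), this is example code written for this page and not TMT's own system. It assumes constructed transaction records and a constructed SIM-change timestamp, and judges post-swap activity against the customer's own history rather than a fixed limit.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample data, not taken from the original post. A transaction is
# (timestamp, account, amount_out_gbp). The history is a long, prudent record:
# one modest withdrawal from savings a month, always in the daytime.
HISTORY = [(datetime(2021, m, 3, 14, 0), "savings", 100.0) for m in range(1, 13)]

# A stolen-handset raid: SIM moved to a new phone, then repeated large
# night-time withdrawals from savings within hours.
STOLEN_SIM_CHANGED_AT = datetime(2022, 8, 26, 21, 30)
STOLEN_RECENT = [
    (datetime(2022, 8, 26, 22, 5), "savings", 3000.0),
    (datetime(2022, 8, 26, 22, 40), "savings", 3000.0),
    (datetime(2022, 8, 26, 23, 10), "savings", 3000.0),
]

# An innocent upgrade: SIM moved to a new phone, then normal daytime spending.
UPGRADE_SIM_CHANGED_AT = datetime(2022, 9, 1, 10, 0)
UPGRADE_RECENT = [(datetime(2022, 9, 1, 11, 30), "current", 12.5)]

def is_night(ts):
    """Hours in which a prudent saver is not expected to be moving money."""
    return ts.hour >= 22 or ts.hour < 6

def baseline_savings_outflow(history):
    """Typical size of a savings withdrawal over the customer's own past."""
    outs = [amt for _, acct, amt in history if acct == "savings"]
    return mean(outs) if outs else 0.0

def sim_swap_red_flags(sim_changed_at, history, recent,
                       window=timedelta(hours=6), multiple=10.0, min_repeats=2):
    """Red flags raised by activity in the hours after a SIM/handset change,
    judged against the customer's own behaviour rather than a fixed limit."""
    threshold = multiple * max(baseline_savings_outflow(history), 1.0)
    in_window = [t for t in recent
                 if sim_changed_at <= t[0] <= sim_changed_at + window]
    raids = [t for t in in_window if t[1] == "savings" and t[2] >= threshold]
    flags = []
    if raids:
        flags.append("large savings withdrawals soon after SIM change")
    if any(is_night(t[0]) for t in raids):
        flags.append("savings raided at night")
    amounts = [t[2] for t in raids]
    if any(amounts.count(a) >= min_repeats for a in set(amounts)):
        flags.append("repeated withdrawals of the same amount")
    return flags

if __name__ == "__main__":
    print("stolen:", sim_swap_red_flags(STOLEN_SIM_CHANGED_AT, HISTORY, STOLEN_RECENT))
    print("upgrade:", sim_swap_red_flags(UPGRADE_SIM_CHANGED_AT, HISTORY, UPGRADE_RECENT))
```

The same SIM-change event produces three flags for the raid and none for the upgrade, because the check is anchored to what this customer normally does.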
However we can only monitor devices in this way if asked by an authorising client company when they in turn have users’ consent. In this case Charlotte’s bank doesn’t appear to have been using such backup security from an independent company like ourselves. And that’s not unusual as this mostly happens only at the point a customer signs up to a new service – the point of onboarding as we call it.
I’m starting to wonder if it might be time for companies like Charlotte’s bank to run such services much more frequently. After all, each check only costs a few pence and the amount they ended up having to reimburse her by alone would have paid for hundreds of thousands of such preventative measures.
But it’s not just cost that’s preventing these checks being used more widely, there’s also the question of privacy. While customers are used to being asked to authorise checks at the point of sign up, to having their credit history investigated and so on, they are understandably much more hesitant about agreeing to have their data checked on a more routine, ongoing basis.
So it may be some time yet before there are systems in place permanently to stop thieves targeting the next Charlotte Morgan in the same way.
In the meantime perhaps the best thing you can do is to protect yourself. You can do this by setting a new PIN on your SIM card itself. This would stop the thieves being able to do a ‘Sim Swap’ without knowing that PIN.
It’s a simple matter, on an iPhone, of going into Settings and tapping “Phone”. Next, tap “SIM PIN” to access this feature. Tap “SIM PIN” to activate it. Your SIM will come with a default PIN set by your mobile carrier, which you can then replace.
I hope this helps in the short term. In the longer term it would be nice to think that the business world could do more.
If you would like to find out more about the fraud protection services offered by TMT Analysis drop us a line at firstname.lastname@example.org