Last updated: 19 April 2016
Security is only as strong as the weakest link in the chain – especially in eBanking, where there the chain has many, many links.
For one bank in the UK, it seems that one link was not strong enough. When you bank online, banks cannot know, in the traditional brick-and-mortar way, that you are who you claim to be. So instead they look for something you have, plus something you know. The “something you have” is your mobile phone; the “something you know” are your PIN and password. It’s the perfect two-factor authentication scheme.
However, as a BBC reporter found, it’s not that perfect after all. The weakness lies in a new service mobile operators are offering their customers: SIM swap, which allows users to get a new SIM card and keep their old mobile phone number.
The problem is, anyone can do this – even those who are not the legitimate owners of the mobile phone number.
Let’s imagine that Anne, an honest customer of mobile operator X, has 12345678 as her mobile phone number. Meanwhile Barbara, who is a fraudster, buys a new SIM and tells mobile operator Y that she’d like to keep phone number 12345678. The operator could phone that number to check if it is indeed Barbara’s – but doesn’t. So Barbara gets Anne’s phone number, and Anne loses access to her phone, which is now dead.
That’s bad enough already, but it gets worse – because Anne also does her banking through her mobile phone. She has a secret PIN and a password that Barbara doesn’t know. But Anne’s bank knows her mobile phone number, and will willingly send her new security details by text message. So after blocking Anne from her own mobile phone, Barbara can now fool the bank into believing that Anne has forgotten her PIN and passwords, change them, and lock Anne out of her account!
So, how can banks avoid this scenario?
First, mobile operators should check the identity of anyone asking for a SIM swap. Unfortunately, besides lobbying for new legislation, there’s not much banks can do to force MNOs into doing this.
A better solution would be to protect the mobile phone itself, making it less vulnerable to this type of attack. There are two ways banks can do this:
- Eliminate the need for communication between the bank and the client when creating new security codes. This would be possible if a piece of software on the mobile phone – delivered when the bank enrolls the new customer – could create the security codes. Barbara – who can access communications to Anne’s phone number, but not information or applications stored on her phone – would not get access to this software, so would not be able to change Anne’s security codes.
- Secure the communication channel between banks and mobile phones. Even if the bank chooses the above option, this second step is still necessary for other instances when the bank and the client will have to communicate – for example, during authentication. To establish this channel, the mobile and the server need to use robustly secure proprietary identifiers. Mobile networks using publicly available phone numbers are easy to hack. But if communication went through a secure channel, Barbara would not receive it. Only Anne would – and, if she hadn’t noticed anything fishy yet, she would once she received a new security code.
These solutions already exist in our Ezio Mobile suite: Ezio Mobile Protector allows the security codes to be created on the mobile phone itself, while Ezio Mobile Secure Messenger enables banks to secure the communication channel between the phone and the server.
So SIM swap fraud can be avoided – but only if banks strengthen that weak link in the security chain. What’s your view on preventing SIM swap fraud? Let us know by tweeting to @Gemalto, or by posting a comment below.