SIM-jacked!
Cops, cybersecurity experts on high alert as $100m stolen in number-swapping scheme
A fraudulent ‘SIM-swap’ scheme, which allows cybercriminals to “hijack” cellular phones and gain access to sensitive personal information, has been used to swipe nearly $100 million from more than two dozen bank accounts over the last 18 months, The Sunday Gleaner has confirmed.
SIM-swapping or SIM-jacking schemes involve the use of a replacement SIM card obtained through fraud and deception from a telecommunications provider to take over the cell phone number of the legitimate owner.
Once the set-up is completed, the newly activated SIM card allows cybercriminals to gain access to bank accounts that are linked to the victim’s phone by resetting the password via text messaging, law enforcement and cybersecurity experts explained.
A subscriber identity module – or SIM – is a tiny card, with an embedded chip, that is inserted into a smartphone, allowing it to make calls and function like a computer.
Two “significant” SIM-swap cases, involving a total of J$61 million and US$133,000, have been investigated by the Financial Investigations Division (FID) since January last year, the agency confirmed.
The cases involve 27 customers of two commercial banks. The names of the banks were not publicly disclosed.
But amid a push by local financial institutions to get more of their customers to pivot to Internet-based transactions, cybersecurity experts fear that the cases uncovered by the FID could signal the emergence of a “very scary” crime.
SIM-swap schemes emerged on the global landscape nearly five years ago, but were first detected in Jamaica shortly before the outbreak of the coronavirus pandemic in 2020, according to law enforcement officials.
EASY ACCESS
Cybersecurity consultant Trevor Forrest is warning that by using the same email address to configure cell phones and create online banking profiles, citizens are making life easier for cybercriminals.
“When you link all of these things out of convenience, it provides a gateway into simplifying fraudulent activities,” said Forrest, the CEO of 876 Technology Solutions Limited. “It’s a scary thing to hear, but it is not a difficult thing to address.”
In the meantime, Keith Darien, principal director of the FID, does not believe that SIM-swapping or SIM-jacking schemes pose a significant threat to the Jamaican financial sector, mainly because of the security measures that have been put in place by the banking industry.
And he gave the assurance that the FID – the agency mandated by law to combat money laundering and other financial crimes – will develop appropriate strategies aimed at detecting and crushing these schemes.
“We assure the public that we will do everything within our powers and capacity to ensure that the financial sector is stable and that persons’ savings are protected,” Darien told The Sunday Gleaner last Thursday.
Eight people, including one of the suspected masterminds, are facing criminal charges for various breaches of the Proceeds of Crime Act, the Cybercrimes Act and the Larceny Act for their alleged roles in the two SIM-swap schemes uncovered by the FID.
Several suspects remain on the run, the agency said.
The stolen cash in both cases was either deposited to other bank accounts or used to purchase a number of motor vehicles, including some that are still at the port waiting to be cleared, according to investigators.
“The assets of the suspected mastermind, inclusive of motor vehicles and bank accounts, have been restrained by the FID,” the agency said in an emailed response to Sunday Gleaner queries.
A restraint order is sometimes granted by a judge to prevent the disposal of assets believed to have been derived from criminal activities.
The FID did not disclose details about the two SIM-swap schemes it uncovered, citing the ongoing investigations.
But according to Forrest, the schemes are similar to the lottery scam.
“So, the idea is if I get access to specific [personal] information, I can generate a request [to a telecommunications company] for a SIM to be created and given to me,” he said, explaining how cybercriminals are able to take over the phone number of other customers.
SIM-swap schemes are “usually” aided by collusion – knowingly or unknowingly – between cybercriminals and employees in the telecommunications and business process outsourcing (BPO) industries.
“Unknowingly, because some workers don’t always do proper due diligence when processing requests for replacement SIM cards,” said one financial investigator.
GAPS IN PROCESS
Telecommunications firm FLOW said it has found no evidence of employees colluding with persons involved in fraudulent SIM-swap schemes.
FLOW acknowledged, however, that in “recent years”, it has taken disciplinary action, including dismissal, against employees whose actions contravened company policies regarding SIM card transactions.
In one case involving an employee of a dealer store, a recommendation was made for appropriate disciplinary action, the company told The Sunday Gleaner.
“To the extent that criminal liability was determined on the part of the individual/s implicated, we have cooperated fully with the relevant law enforcement authorities,” FLOW said.
Up to late yesterday, there was no response to questions submitted to Digicel, the island’s other main telecoms provider.
Forrest acknowledged that the SIM-replacement process implemented by local telecommunications firms is more stringent than that of their counterparts overseas, but pointed to gaps that can be exploited.
As an example, he explained that employees in the telecommunications and BPO sectors, acting in “cahoots”, could assist cyber-thieves to submit a request, get a SIM card for someone else’s phone, and take over that number.
FLOW said it is clear that there are individuals who have “some information with regard to banking details and the associated mobile number which leads them to pursue a fraudulent SIM-swap”.
However, Director of Communications Kayon Mitchell said FLOW has implemented “robust policies and processes” to protect customers, including mandatory photo/visual identification verification for SIM card replacement.
The processes also include a system check and verification of customer data and a test call to the number for which the replacement card is requested.
Additionally, Mitchell said customers must provide their name, address, a picture ID and their taxpayer registration number when purchasing FLOW products. This information is uploaded to the company’s database and used to support the verification process in the event of a SIM card replacement request.
Less than two per cent of FLOW’s mobile customer base request a replacement SIM card and 97 per cent of that number are able to successfully replace their SIM with no further verification checks required, Mitchell said.
Most of the remaining three per cent successfully clear the secondary verification process with no issues.
“Fraudulent SIM replacement is a targeted activity and so we are concerned about this matter and increasingly vigilant in curtailing same,” Mitchell told The Sunday Gleaner.
“In an effort to fight fraud nationally, we have partnerships with various institutions and entities and collaborate where possible. We also continually review and update our processes to manage the threats.”
There are several red flags that signal whether a mobile phone has been hijacked, Forrest shared.
Among them, he said, are receiving an email indicating that a password has been changed and a mobile phone that suddenly stops working.
“That’s because technically, the SIM in the phone has been deactivated,” he noted.
SIGNS THAT YOUR PHONE/ACCOUNTS HAVE BEEN HIJACKED
• Your phone suddenly stops working. That’s because once the fraudulently obtained SIM is activated, the SIM card in your phone stops working.
• Getting odd requests via email for things like password change, etc. “That’s because someone is trying to access your personal information,” says cybersecurity consultant, Trevor Forrest.
• You are unable to log in to your accounts, including social media, email, and bank accounts. This is because one of the first things cybercriminals do is change your account credentials.
THINGS TO DO TO AVOID BEING ‘SIM-JACKED’
• Use separate email accounts for your cell phone and bank account. If your phone is SIM-jacked and the criminals request a password change for your bank account, the request does not go to the email account linked to the phone, noted cybersecurity consultant, Trevor Forrest.
• Always be careful about what websites you visit and the kind of information you input.
• Never respond to emails asking for information and your bank details if you do not know where they come from. Doing so will allow cybercriminals to get information such as user names and passwords.
• Be aware of the source of any applications you download.