Banking giant NatWest has claimed it is taking steps to improve security after a BBC report highlighted that ‘SIM swap fraud’ could allow enterprising scammers to access customer bank accounts and withdraw funds.
SIM swap fraud occurs when a criminal calls up the network operator pretending to be the victim, claiming their mobile has been lost or stolen. If they sound convincing enough then the call center operative will agree to put the victim’s phone number onto the criminal’s SIM, so that they start receiving all calls to that number.
Another way to effect the scam is to simply gain possession of the phone. This is what journalists at Radio 4’s You and Yours program did when they carried out the scam with a producer’s device.
The next stage is to call the victim’s bank, claiming to have forgotten banking customer number, PIN and any other log-in credential.
Again, if the social engineering is good enough the banking staff will agree to text out a one-time passcode to the victim’s phone to authenticate them and allow them to change log-in details – effectively giving the criminal full access to the account.
In response, a NatWest community manager took to the bank’s user forum to reassure customers it was taking steps to make it harder for scammers.
“We're implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google. We are also introducing a 'cooling off period' of three days, which prevents payments being made via the mobile app when a re-activation has taken place.”
She argued that NatWest’s Online Banking system requires a Customer Number, partial PIN and partial password to log in, although of course a canny criminal could persuade bank staff to over-ride this with a one-time passcode.
“In addition to use of PIN and password, when making a payment to a new beneficiary, a customer needs to use their card, the card PIN and a card reader,” she added.
“SIM swap fraud is an emerging issue across the industry and we're working closely with Financial Fraud Action UK and mobile phone providers to combat the issue and reduce instances of SIM Swap fraud. We’re also working on implementation of a number of controls that will help detect SIM swap fraud before the activation code is sent via text message.”
Mark James, Eset security specialist, argued that while users can’t control how secure their banking provider’s processes are, they can make it harder for criminals to access the contents of their device.
“Ensuring you have some kind of lock protection and preferably if a PIN code is used then longer than four digits will help to keep your phone safe. Also consider whether you actually need mobile banking, are you going to use it? Do you need to use it?” he added.
“Also, if possible speak to your bank and ask them how they verify you are who you say you are. You may be able to put some of your own protection in place like using your own code words whenever certain tasks are requested like password or mobile number changes.”