Last month a retired IB officer in Calcutta lost lakhs of rupees from his account. When he contacted his bank, they said that his phone number had been changed at the bank and the phone alerts when money was being withdrawn was going to the new number. In another incident, a textile merchant in Mumbai lost over a crore of rupees from his bank. Investigations revealed that the fraudsters had cloned the businessman’s SIM card.
Needless to say, this kind of fraud is only possible due to the callousness of the people working in the service providers’ company or even the bank. A friend who is working abroad had a postpaid SIM card that was linked to all her accounts, banking as well as social. She would pay her bills regularly. When she came back after 10 months, her SIM did not work. She went to the provider’s office and find that her SIM had been converted to a prepaid SIM and sold to someone else. The mobile phone company’s officials were unable to provide her with a legitimate reason for doing so.
Instead, they hurriedly converted another prepaid SIM that she had with her to postpaid. This particular number should have been deactivated because she did not pay her bills. Remarkably, it was still active after 10 months of inactivity and non-payment. This could have been a prelude to a scam or simply carelessness on the part of the service provider’s workers. The important lesson is to be vigilant all the time and make sure that service providers and banks send their statements through email and SMSes rather than just one of them.
A SIM fraud is known as SIM swap. In the first step, fraudsters collect all the information about the victim. They may do so by sending phishing emails. Phishing emails impersonate legitimate websites such as banking sites and fool the victim into giving up their personal information like full name, date of birth, address, phone numbers and even security questions. They may even scavenge for information on social media or other websites where the victim may have provided such information.
Next, they create a duplicate identity of the victim. They will then call the victim’s mobile phone service provider and say that their SIM card has been lost or damaged and get the SIM in the possession of the victim cancelled. They will get the new SIM card activated because they are armed with all the personal information of the victim including his security questions.
Finally, they will target the victim’s bank accounts. Using the information they have gleaned from the messages sent by banks to the registered phone number, they can get into the victim’s bank account by resetting the password for which the code will be sent to the phone number in their possession. For transferring the funds, too, the OTP will be sent to the same SIM so it is smooth sailing for them.
The fraudsters create a second bank account with the victim’s cloned identity in the same bank so that the computers are fooled into thinking that the money is being transferred from one account to the other of the same person.
In this kind of fraud, the victims are identified and targeted. They are usually people with a lot of money, which they transact through Internet banking. They may be people who, instead of using the legitimate or official sites, use third-party sites or apps to transact their business. You can check how many apps show up on Google Play by searching for SBI. Not all are legitimate.
Banks are now wiser. Very soon TTP (two-time password) will replace the OTP (one-time password), which has become the target of hacking attacks. TTP will be a strong safeguard for any kind of mobile or Internet transaction. In TTP, the password key will be sent twice. In the first instance, the customer will be provided with details of the transaction such as the name of the beneficiary, address, amount and other details. The customer will have to SMS a simple “yes” or “no” and only then will the unique number be generated to authenticate the transfer.
