Kathy Gibson is with Kaspersky Lab in Cape Town – Mobile payment is the future of commerce. But, while it is very convenient, it is fraught with threats.
This is the word from Fabio Assolini, senior security researcher at Kaspersky Lab, who points out that there are a huge number of players in the arena that are not as well known as the market leaders.
“This convenience of mobile payment is amazing,” Assolini says.
He cites the example of M-Pesa, which has been so popular in Africa and is used by millions of users.
In Kenya, there are 18-million active M-Pesa users, with 6-billion transactions in 2016 – in fact, 41% of Kenya’s GDP goes through M-Pesa.
“This is one player in this big market – and there are many others.”
Asia is the top market for mobile payments, followed by Africa. “This is more than North America and Europe,” Assolini says. “A lot of money is going through your mobile phone. And it has become your wallet.
“This situation is extremely attractive to cybercriminals.”
For mobile payment to succeed, the carrier needs to identify the user. This is done by identifying the SIM card, which is protected by a password.
“This is a problem if your entire phone is stolen,” Assolini says. To remedy this, the user cancels that SIM card and activates his profile on another SIM.
SIM swap is where cybercriminals do this instead of the legitimate user.
They do this using social engineering, fake documents, bribery, corruption, insiders, phishing, malware and RATs.
Once the SIM swap is achieved, fraudsters bypass the one-time password (OTP) that the bank uses to safeguard transactions.
“When the criminal does a SIM swap, he can intercept everything and complete the fraud,” Assolini points out.
Once a criminal gets access to a user’s phone number, they get in touch with WhatsApp contacts and ask for money.
“But the worst situation is related to financial services,” Assolini points out. Criminals do the SIM swap then reset the victim’s password and simply help themselves to the money in the online account.
“Criminals and cybercriminals are working together and stealing a lot of money.”
The situation is exacerbated when employees from the carrier work with the criminals to achieve large-scale SIM swaps. One group in Brazil targeted 5 000 high-net-worth people in a single month.
“But there are many different types of criminals: those that are tech-savvy; and those who want the money,” Assolini says. “SIM swap-as-a-service is not available in the cybercrime underworld.”
Cryptocurrency entrepreneur and investor Michael Terpin is suing AT&T for permitting $23,8-million in SIM swap fraud.
In South Africa, SABRIC reported that SIM swap fraud doubled in 2019.
Assolini cites his own example of SIM swap fraud, which happened during a business trip to Moscow.
“On my second day in Moscow my phone lost all connection,” he says.
He called the carrier and was told his phone had been reported as stolen and a new SIM card activated.
“It can happen with anyone.”
The vulnerability in this instance was Truecaller, Assolini says. “This is a fantastic app, but you upload your contacts to their servers to enable them to identify numbers. And sometimes your number could be leaked.”
A solution using a REST API query that returns either true (to block the transaction) or false (to allow it) allowed Mozambique to eliminate SIM swap fraud.
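As an added illustration (not code from the article or from the Mozambican deployment), this example shows how a bank-side gate could consume such a true/false answer and fail closed when the carrier is unreachable or the reply is malformed. The endpoint URL, the `msisdn` parameter, the bare JSON boolean response body and the sample numbers are all assumptions.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable

BLOCK, ALLOW = "block", "allow"
# Hypothetical carrier endpoint; the article does not name one.
CARRIER_URL = "https://carrier.example/sim-swap/check?msisdn="

def http_query(msisdn: str) -> bytes:
    """Ask the carrier over HTTPS; a short timeout keeps payments from hanging."""
    url = CARRIER_URL + urllib.parse.quote(msisdn, safe="")
    with urllib.request.urlopen(url, timeout=3) as resp:
        return resp.read(64)  # the answer is one boolean, so cap the read

def parse_carrier_answer(body: bytes) -> bool:
    """True means block. Only the exact JSON literal false allows."""
    try:
        value = json.loads(body)
    except ValueError:  # covers bad JSON and undecodable bytes
        return True
    return value is not False  # "false", 0, null, {} all block

def decide(msisdn: str, query: Callable[[str], bytes] = http_query) -> str:
    """Gate a transaction on the carrier's answer, failing closed on errors."""
    try:
        body = query(msisdn)
    except OSError:  # urllib's URLError/HTTPError and timeouts are OSError subclasses
        return BLOCK
    return BLOCK if parse_carrier_answer(body) else ALLOW

# Constructed sample responses keyed by constructed numbers (offline stub).
SAMPLE = {
    "+258840000001": b"false",    # carrier says allow
    "+258840000002": b"true",     # carrier says block
    "+258840000003": b'"false"',  # string, not a boolean: treated as block
    "+258840000004": b"",         # empty reply: treated as block
}

def stub_query(msisdn: str) -> bytes:
    """Stand-in for http_query; unknown numbers simulate a carrier timeout."""
    if msisdn not in SAMPLE:
        raise TimeoutError("carrier did not answer")
    return SAMPLE[msisdn]

if __name__ == "__main__":
    for number in [*SAMPLE, "+258840000099"]:
        print(number, decide(number, stub_query))
```

Treating every answer other than a literal `false` as a block means an outage or a tampered response delays a payment rather than letting it through unchecked.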
It’s not always possible for users to prevent themselves from becoming a victim of SIM swap: carriers have to strengthen their authentication processes, says Assolini.
In addition, banks also need to stop sending OTPs via SMS; a token with the app is a more secure solution. “So try to avoid services that use SMS-based OTPs.”
Web services that use voice password recovery are also insecure.
Assolini recommends two-factor authentication in all services, including WhatsApp. Users can also circumvent a problem by contacting their carrier as soon as possible if they lose signal.
A new SIM card, the e-SIM, has been launched, but it is not a solution to SIM swap fraud, he points out.