A reporter working for the BBC Radio 4 programme ‘You and Yours’ has caused HSBC to issue a security warning to its customers after the reporter was able to hack into the programme producer’s bank account and take money from it.
The widely reported hack was intended to demonstrate that, despite the bank’s security measures, a mobile-based password reset can still be exploited with relative ease by fraudsters: whoever controls the phone number on file receives the reset code.
How Did They Do It?
A recent Computer Weekly article described how the reporter got into the account by contacting the producer’s mobile phone provider and asking for the number to be swapped onto a different SIM card.
The SIM swap is a genuine service that lets customers keep their phone number while changing SIM or phone provider. In this case, however, it was used to defeat the bank’s two-factor authentication, which relies on the mobile phone number the bank holds for the customer. A customer who wants to reset their login is sent a code by text to the number on file.
Whoever receives that text can use the code to get into the online account and reset the login details. Because the reporter had already had the number moved to a SIM they controlled, the reset code was delivered to them and they were able to get into the producer’s account. The reset route also bypassed the usual secondary checks, such as questions about mother’s maiden name, pet names or first school, which were never asked.
Once in the account, the reporter was able to change the PIN and transfer money (only £1.50 in this case) from the producer’s account into their own.
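To make the sequence above concrete, here is a small model of the reset flow. It is an added example, not code from the article, the BBC or HSBC: the carrier, bank, account names and phone number are all constructed. It shows why the reset code follows the number rather than the person, and, as an assumed mitigation the article does not describe, how a reset policy that refuses an SMS-only reset shortly after a SIM change would have stopped this particular sequence.

```python
# Added example (constructed): a model of the SMS reset flow described above.
# The carrier, bank and attacker are invented to show why a SIM swap redirects
# the reset code. HardenedBank is an assumed mitigation, not the article's.
from dataclasses import dataclass, field
import secrets


@dataclass
class Carrier:
    """Maps each phone number to the SIM that currently owns it."""
    owner: dict[str, str] = field(default_factory=dict)        # number -> SIM id
    swapped_at: dict[str, int] = field(default_factory=dict)   # number -> tick
    inbox: dict[str, list[str]] = field(default_factory=dict)  # SIM id -> texts

    def swap_sim(self, number: str, new_sim: str, now: int) -> None:
        """The legitimate 'keep my number, new SIM' service the reporter used."""
        self.owner[number] = new_sim
        self.swapped_at[number] = now

    def send_sms(self, number: str, text: str) -> None:
        # Delivery follows the number, so whoever holds the SIM gets the text.
        self.inbox.setdefault(self.owner[number], []).append(text)


@dataclass
class Bank:
    carrier: Carrier
    phone_on_file: dict[str, str]   # account -> number the bank holds
    password: dict[str, str]        # account -> current login secret
    pending: dict[str, str] = field(default_factory=dict)  # account -> code

    def request_reset(self, account: str, now: int) -> bool:
        """Text a one-time code to the number on file; no other check is made."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = code
        self.carrier.send_sms(self.phone_on_file[account], code)
        return True

    def complete_reset(self, account: str, code: str, new_pw: str) -> bool:
        expected = self.pending.pop(account, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        self.password[account] = new_pw
        return True

    def login(self, account: str, pw: str) -> bool:
        return secrets.compare_digest(self.password.get(account, ""), pw)


@dataclass
class HardenedBank(Bank):
    """Assumed mitigation: refuse SMS-only resets soon after a SIM change."""
    cooling_off: int = 72  # ticks (e.g. hours) since the number last moved SIM

    def request_reset(self, account: str, now: int) -> bool:
        number = self.phone_on_file[account]
        if now - self.carrier.swapped_at.get(number, -10**9) < self.cooling_off:
            return False  # send the customer to a stronger out-of-band check
        return super().request_reset(account, now)


def run_attack(bank_cls) -> bool:
    """Replay the reporter's steps against a bank of the given type.

    Returns True if the attacker ends up logged into the producer's account.
    """
    carrier = Carrier()
    carrier.owner["07700900123"] = "producer-sim"   # constructed number
    bank = bank_cls(carrier, {"producer": "07700900123"}, {"producer": "original"})

    # 1. The carrier moves the producer's number onto the attacker's SIM.
    carrier.swap_sim("07700900123", "attacker-sim", now=10)
    # 2. The attacker asks the bank for a login reset; the code is texted.
    if not bank.request_reset("producer", now=12):
        return False
    # 3. The code lands on the attacker's SIM, not the producer's phone.
    code = carrier.inbox["attacker-sim"][-1]
    # 4. Set new credentials; the security questions were never asked.
    bank.complete_reset("producer", code, "attacker-pw")
    return bank.login("producer", "attacker-pw")
```

Calling `run_attack(Bank)` returns True and `run_attack(HardenedBank)` returns False. The point of the model is that the SMS code proves control of the number, and the carrier decides who controls the number; any check the bank layers on top has to use information the carrier cannot redirect, which is what the cooling-off rule and the biometric checks mentioned later are trying to achieve.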
Warning Issued As A Result
As a result of the reporter’s actions and the publicity they were bound to attract, HSBC issued a statement to customers explaining what the “increasingly common” SIM swap is and how fraudsters and third parties can use it for dishonest ends: once a number has been moved to their SIM they can receive and make calls, receive and send text messages, and use any data allowance on the account.
What Does This Mean For Businesses?
This case is a prompt to examine where this type of fraud could be carried out against your business and to learn the possible signs of SIM card fraud, for example a business phone that suddenly cannot make or receive calls or texts. It may also give you cause for concern about the security of your business bank account if its login reset relies on a code texted to a mobile number.
Some banks and card companies, including HSBC and Mastercard, have already started, or are about to start, using biometrics for authentication and verification. This will take the form of fingerprints and even ‘selfies’ taken with dedicated phone apps, and these methods are thought to be a much better safeguard than passwords or, as in this case, checks based on a phone number that can be redirected at the carrier’s end.