Archive for Internet Security

Fake News Fact Checkers Working With Facebook

London-based, registered charity ‘Full Fact’ will now be working for Facebook, reviewing stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Why?

The UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election were all found to have suffered interference in the form of so-called ‘fake news’ / misinformation spread via Facebook, which appears to have affected the outcomes by influencing voters.

For example, back in 2018, it was revealed that London-based data analytics company, Cambridge Analytica, which was once headed by Trump’s key adviser Steve Bannon, had illegally harvested 50 million Facebook profiles in early 2014 in order to build a software program that was used to predict and generate personalised political adverts to influence choices at the ballot box in the last U.S. election. Russia was also implicated in trying to influence voters via Facebook.

Chief executive of Facebook, Mark Zuckerberg, was made to appear before the U.S. Congress in April to talk about how Facebook is tackling false reports, and even recently a video that was shared via Facebook (which had 4 million views before being taken down) falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Scoring System

Back in August 2018, it was revealed that for 2 years Facebook had been trying to manage some misinformation issues by using a system (operated by its own ‘misinformation team’) that allocated a trustworthiness score to some members.  Facebook is reported to be already working with fact-checkers in more than 20 countries. Facebook is also reported to have had a working relationship with Full Fact since 2016.

Full Fact’s System

This new system from third-party Full Fact will now focus on Facebook in the UK.  When users flag up to Facebook what they suspect may be false content, the Full Fact team will identify and review public pictures, videos or stories and use a rating system that will categorise them as true, false or a mixture of accurate and inaccurate content.  Users will then be told if the story they’ve shared, or are about to share, has been checked by Full Fact, and they’ll be given the option to read more about the claim’s source, but will not be stopped from sharing anything.

Also, the false rating system should mean that false content will appear lower in news feeds, so it reaches fewer people. Satire from a page or domain that is a known satire publication will not be penalised.

Like other Facebook third-party fact-checkers, Full Fact will be able to act against pages and domains that repeatedly share false-rated content e.g. by reducing their distribution and by reducing their ability to monetise and advertise.  Also, Full Fact should be able to stop repeat offenders from registering as a news page on Facebook.

Assurances

Full Fact has published assurances that among other things, they won’t be given access to Facebook users’ private data for any reason, Facebook will have no control over what they choose to check, and they will operate in a way that is independent, impartial and open.

Political Ad Transparency – New Rules

In October last year, Facebook also announced that a new rule for the UK now means that anyone who wishes to place an advert relating to a live political issue or promoting a UK political candidate, referencing political figures, political parties, elections, legislation before Parliament and past referenda that are the subject of national debate, will need to prove their identity, and prove that they are based in the UK. The adverts they post will also have to carry a “Paid for by” disclaimer to enable Facebook users to see who they are engaging with when viewing the ad.

What Does This Mean For Your Business?

As users of social networks, we don’t want to see false news, and false news that influences the outcome of important issues (e.g. elections and referendums) has a knock-on effect on the economic and trade environment which, in turn, affects businesses.

Facebook appears to have lost a lot of trust over the Cambridge Analytica (SCL Elections) scandal, findings that Facebook was used to distribute posts of Russian origin to influence opinion in the U.S. election, and that the platform was also used by parties wishing to influence the outcome of the UK Referendum. Facebook, therefore, must show that it is taking the kind of action that doesn’t stifle free speech but does go some way to tackling the spread of misinformation via its platform.

There remains, however, some criticism in this case that Facebook may still be acting too slowly and not decisively enough, given the speed by which some false content can amass millions of views.

Reddit Locks Out Users Over Security Concerns

Online community Reddit shut some users out of their accounts and forced password resets due to “unusual activity” which may have been a ‘credential stuffing’ attempt by hackers.

Reddit

California-based Reddit, founded in 2005, is a kind of social network / online community.  Reddit, which is the fifth most popular site in the United States (Alexa figures), is split into over a million communities called “subreddits,” each one covering a different topic.  Reddit allows registered members to submit content to the site, and that content is voted up and down by other members.

What Happened With The Lockdown?

According to Reddit’s own reports, a large group of accounts had to be locked down due to a security concern which took the form of account activity that resembled someone using very simple passwords or the reuse of credentials across multiple websites or services – in other words, a credential-stuffing attempt.

Reddit’s admin known as “u/Sporkicide” reported that it appeared likely that a list of usernames and passwords, possibly taken from another compromised site, was being tried against other popular sites, including Reddit, to see if they work e.g. if a user had used the same username and password for multiple websites.

Reddit advised that customers with locked accounts would be allowed to reset their passwords and thereby unlock and restore their accounts. Reddit said that the prompt to do so would arrive as a notification to the account (affected customers could still log in to get it) and/or as an email in response to any support ticket raised by affected users.

Not The First Time

Back in August 2018, Reddit reported that between June 14th and June 18th, an attacker compromised some employee accounts through their cloud and source code hosting providers and was able to access some user data, including email addresses and a complete 2007 database backup containing old passwords and early Reddit user data from the site’s launch in 2005 through May 2007.

Advice

As well as announcing that it was conducting a “painstaking investigation” of the incident, Reddit advised users to make sure that they choose strong passwords that are unique to Reddit, update their email addresses to enable automated password resets, and add two-factor authentication to their accounts to make them more secure.

What Does This Mean For Your Business?

This story highlights the importance of not using the same username and password across many websites.  The danger is that, if hackers can steal login credentials in a hack on one website, they or other attackers who have purchased / acquired the stolen data may well try to use that login data on many other popular websites to try and gain access.

Also, where other security measures such as two-factor authentication are available, they are worth using as an extra obstacle to the kind of simple, opportunistic credential-stuffing attempts that are all-too-frequent.

Businesses / organisations should always encourage users to use login details that are unique to their website, give visual guidance on password strength on set-up, and specify a certain number of required characters for passwords e.g. including a capital letter, numbers, other special characters, and making the password a certain length.  As well as being a bit more secure, this can also help to stop people from using exactly the same password between multiple sites.
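The "unusual activity" described in this story can be spotted from the defender's side in login logs. The following is an added example, not code from Reddit or from the original article: it flags any source that tries many different usernames in a short window with mostly failed logins, then lists accounts that source did get into, which are the candidates for a lock and forced password reset. The log format, thresholds and sample lines are assumptions constructed for illustration.

```python
"""Credential-stuffing triage over login events (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
# IPs come from the RFC 5737 documentation ranges; usernames are made up.
SAMPLE_LOG = """\
2019-01-09T10:00:00 198.51.100.20 alice FAIL
2019-01-09T10:00:20 198.51.100.20 alice FAIL
2019-01-09T10:00:45 198.51.100.20 alice OK
2019-01-09T10:01:00 203.0.113.7 bob FAIL
2019-01-09T10:01:02 203.0.113.7 carol FAIL
2019-01-09T10:01:04 203.0.113.7 dave OK
2019-01-09T10:01:06 203.0.113.7 erin FAIL
2019-01-09T10:01:08 203.0.113.7 frank FAIL
2019-01-09T10:01:10 203.0.113.7 grace FAIL
2019-01-09T10:02:00 192.0.2.50 heidi OK
2019-01-09T10:02:30 192.0.2.50 ivan OK
2019-01-09T10:03:00 192.0.2.50 judy OK
2019-01-09T10:03:30 192.0.2.50 mallory FAIL
2019-01-09T10:04:00 192.0.2.50 niaj OK
2019-01-09T10:04:30 192.0.2.50 olivia OK
this line is malformed and is skipped
"""

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # one person mistyping a password touches one username
MIN_FAIL_RATIO = 0.6     # a shared office NAT has many users but few failures


def parse(log):
    """Return time-ordered (timestamp, ip, user, success) tuples, skipping bad lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def flag_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 min_fail_ratio=MIN_FAIL_RATIO):
    """Flag source IPs whose sliding window shows many usernames, mostly failing."""
    windows = defaultdict(deque)   # ip -> recent (ts, user, success)
    flagged = set()
    for ts, ip, user, ok in events:
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > window:      # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, success in win if not success)
        if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
            flagged.add(ip)
    return flagged


def accounts_to_lock(events, flagged):
    """Accounts with a successful login from a flagged source: the reused password worked."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    sources = flag_sources(evts)
    print("suspicious sources:", sorted(sources))
    print("lock and force reset:", accounts_to_lock(evts, sources))
```

This per-source view misses attempts spread thinly across many addresses, so it complements rather than replaces unique passwords and two-factor authentication.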

Windows 7 Activation Errors A Coincidence Says Microsoft

Just after the January update on 8th January, Windows 7 users began to experience activation errors, but Microsoft put the issues down to coincidence, despite admitting that it had reverted changes made to activation servers in the update in order to fix the problem.

What Is An Activation Error?

Windows Activation Technologies are used by Microsoft to help confirm that the copy of Windows 7 that a user is running on their computer is genuine.  For example, the activation key is a 25-character code that is located on the Certificate of Authenticity label or on the proof of license label, and the validation feature of Activation Technologies is the online process where users must verify that the copy of Windows 7 they’re running on their computer is activated correctly and is genuine.

An activation error, therefore, is when a user’s system wrongly notifies them that their copy of Windows is not genuine.

Which Update?

On 8th January, there was a monthly ‘Rollup’ security update for Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1.  The update was designed to improve and fix certain issues with Windows 7 e.g. fixing a vulnerability known as ‘Speculative Store Bypass’, and adding security updates to Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.

Coincidence?

According to Microsoft, the fact that users received “Windows is not genuine” and “Your computer might be running a counterfeit copy of Windows” notifications at the same time as the January updates (KB4480960 and KB4480970) were introduced was simply a coincidence. Despite describing it as such, the problems were listed in a table of “known issues in this update” on Microsoft’s support pages.

Reverted The Change

Microsoft announced on 9th January that it had fixed the issue by reverting the change that was made to Microsoft Activation and Validation servers.

What Does This Mean For Your Business?

For many Windows 7 users, the change meant a day of disruption on the Tuesday of the first full week back after the Christmas and New Year break.  For many of these users however, this appears to be one more in a long line of incidents, nudges and pointers that look like they’re designed to encourage them to finally make the switch over to Microsoft’s Windows 10 and its SaaS model. Microsoft ended its mainstream support for Windows 7 on January 13th, 2015, and the extended support will only continue until January 14th, 2020, after which time Microsoft says on its website that users can “keep the good times rolling by moving to Windows 10”.

Contactless Card Fraud Has Doubled

The UK’s fraud reporting service, Action Fraud, has reported that contactless card fraud doubled in 2018 to £1.8m stolen compared with £711,000 in 2017.

Average Theft Amount Increased

The latest Action Fraud figures have also revealed that the average theft through contactless fraud in 2018 rose to £657, compared with £493 in 2017.

Back in February 2017, figures from UK Finance showed that contactless card fraud had already overtaken cheque fraud, prompting finance experts to warn banks against raising the £30 limit for payments, to avoid incentivising more criminals to steal them.

Contactless Technology

Contactless cards incorporate a special chip that can be read quickly and easily by a payment terminal (without making direct contact), meaning that entering a PIN is not necessary, thereby speeding up transactions.

How Can Hundreds Be Stolen? I Thought It Was Only Up To £30?

Current rules mean that only payments of up to £30 can be made using contactless technology, and as such, many of the contactless thefts have involved the thieves taking multiple small amounts using the same card so that users don’t notice immediately.

Why The Doubling of Contactless Card Fraud?

Many commentators believe that the simple fact that contactless is overtaking chip and PIN as the most popular way of paying for goods and services now, and that a PIN is not required to use a stolen card are the main reasons why contactless card fraud levels have soared.

Worldpay figures, for example, show that more card payments were made using contactless technology than chip and PIN in the UK over the year from June 2017 to June 2018, and that after increasing by 30% on the previous year, contactless payments are now the most used card payments in shops.  Yolt figures show that 76% of Britons have used contactless payments, and 40% make half or more of their card payments using contactless.

Secure?

Even though UK Finance, the body which represents many banks, is quick to point out that no contactless fraud has been recorded on cards still in the possession of the original owner, that contactless cards have robust security features built-in, and that customers are fully protected against any losses from contactless card fraud, the Action Fraud figures still appear to show a security problem.

This problem has not gone unnoticed by consumers.  For example, even though many of us are now used to having and using contactless technology, MoneySuperMarket research from as recently as last September showed that 55% of those surveyed had concerns about the security of tap-and-go technology.

What Does This Mean For Your Business?

For businesses, contactless payments offer the chance to reduce the cost and hassle of having to handle cash, cut queues, increase the speed and hopefully the frequency of transactions (increase footfall), increase average transaction values (ATV), provide a clear audit trail and assured payment, and even (for some types of businesses) the chance to change to better business models e.g. card / contactless only cafes and bars in cities.  For customers, contactless offers a better, more convenient and faster retail experience for the majority of their purchases (£30 and under), which in turn has a positive rub-off value for retailers.

The prevailing trend in developed countries is a move away from cash to cards, and particularly contactless. For example, UK Finance projects that in Britain cash will be used in just one-fifth of all sales by 2026, and Paymentsense has reported the removal of 4,735 cash machines in the last year.

Even though customers may be protected (i.e. reimbursed later) if their card is stolen and used by fraudsters, it is still an unpleasant experience to have money removed from their account, which can cause financial hardship in the short term, affect their ability to pay important bills and have a negative impact on their credit rating.  The Action Fraud figures appear to show, therefore, that there is a growing problem with contactless card fraud that banks are not yet fully tackling.

Warning – TV Licensing Scam Operating

Action Fraud, the UK’s Cybercrime reporting centre, has warned that fake TV licence payment scam emails have generated 5,247 complaints between 1st October and the end of December, with 1,983 complaints in December alone.

What Emails?

According to Action Fraud, the highly convincing scam involves sending people emails that use headlines such as “correct your licensing information” or “your TV licence expires today”.  In some cases, the email title and contents suggest that the recipient is eligible for a TV Licensing refund.  On opening the email, recipients are encouraged to click on a link to a fake version of the TV Licensing website.

When the victim visits the fake site, they are asked for their personal payment details – account number, sort code, and card verification value (CVV) code.

There have also been reports that victims who have submitted personal details to the fraudsters via the website are contacted a week or two later by the fraudsters who claim to be from the fraud department of the victim’s bank, claim that the victim’s bank account has been compromised, and ask the victim to transfer their money to a new, so-called ‘safe account’.

Some media reports put the amount of cash stolen by fraudsters using this scam in the region of £230,000+.

Official TV Licensing Never Email Customers Unprompted

The spate of fraudulent emails has prompted the real TV Licensing authority to confirm that they never email customers unprompted to ask for personal or payment details or to inform customers of eligibility to any refunds.

Real Glitch Last Year

Some of us may remember that a real security risk involving the genuine TV licensing website was identified back in September 2018 when an Infosec blogger noticed that Google Chrome was flagging the TV Licensing website as insecure.  The blogger estimated that as many as 130,000 people may have been affected by the breach.  TV Licensing then notified customers who accessed its website between 29th August and 5th September 2018 that their personal details may have been stolen but maintains that there was a very small risk of the information having been accessed.

What Does This Mean For Your Business?

This latest scam is one of many convincing scams that use phishing to steal payment details and other personal information. Phishing is one of the most popular cybercrime methods.

Action Fraud advice for avoiding falling victim to this scam includes:

  • Check the sender’s email address – does it look like one TV Licensing would use?
  • Check the subject line and treat any requests such as “action required” or “security alert” with suspicion.
  • Check the spelling and grammar, as grammatical errors are often signs of scam emails.
  • Look at the style of the emails.  If it appears too familiar or casual, this could be a sign that it is a scam.
  • Check where the link goes – is it the official TV Licensing website?  It is worth remembering that the official TV Licensing authority never emails customers unprompted to ask for personal or payment details.

If you think that you may have fallen victim to this scam, the advice is to report it to Action Fraud by calling 0300 123 2040 or report it through the website here: https://www.actionfraud.police.uk/report-phishing.

Ways to help protect your company against the threat of phishing attacks include education and training of staff to help them spot and deal with phishing, and even using phishing attack simulator tools (such as ‘Attack Simulator’ in Office 365) to help sharpen your organisation’s defences.
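Three of the Action Fraud checks above (sender address, subject line, and where the link really goes) can be automated for mail triage. The following is an added example, not part of the original article or any Action Fraud tool: the expected domain `tvlicensing.co.uk` is an assumption to be set per organisation, the phrase list is taken from the subject lines quoted in this story, and the sample message is constructed.

```python
"""Triage an email against the sender / subject / link checks (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "tvlicensing.co.uk"   # assumption: the brand's genuine domain
PRESSURE_PHRASES = ("action required", "security alert", "expires today",
                    "correct your licensing information", "refund")

# Constructed sample message; the .example hosts are reserved and not real sites.
SAMPLE_EMAIL = """\
From: TV Licensing <billing@tv-licensing-refunds.example>
To: customer@example.org
Subject: Action required: your TV licence expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please correct your licensing information.</p>
<p><a href="http://tvlicensing.co.uk.account-check.example/login">https://www.tvlicensing.co.uk/</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare host; empty string if it cannot be parsed."""
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        return (parts.hostname or "").lower()
    except ValueError:
        return ""


def in_domain(host, domain=EXPECTED_DOMAIN):
    # Exact match or true subdomain only: "domain.evil.example" must not pass.
    return host == domain or host.endswith("." + domain)


def triage(raw, domain=EXPECTED_DOMAIN):
    """Return the list of checks the message fails, in checklist order."""
    msg = message_from_string(raw)
    findings = []

    def note(code):
        if code not in findings:
            findings.append(code)

    # From: is trivially forged, so a matching domain proves nothing on its own;
    # a non-matching one is still a useful signal.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender_host, domain):
        note("sender-domain")
    subject = (msg.get("Subject") or "").lower()
    if any(phrase in subject for phrase in PRESSURE_PHRASES):
        note("subject-pressure")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        parser = LinkExtractor()
        parser.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        for href, text in parser.links:
            href_host = host_of(href)
            if href_host and not in_domain(href_host, domain):
                note("link-offsite")
                if in_domain(host_of(text), domain):
                    note("link-text-mismatch")   # shows the real site, goes elsewhere
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```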

Concerns Over Huawei and ZTE Equipment and Software

A statement from the Czech National Cyber and Information Security Agency (NCISA) has warned network operators that using software or hardware made by Chinese telecom equipment suppliers Huawei and ZTE could represent a security threat.

Why?

Huawei, which is the world’s biggest producer of telecoms equipment, is based in China, and according to the NCISA, private companies residing in China are required by law to cooperate with intelligence services.  This could mean that the products and services of those companies could, in theory, become part of the Chinese state security systems e.g. Huawei and ZTE could be used for spying on behalf of China.

Global Suspicion & Action

According to the Wall Street Journal, espionage chiefs from Australia, Canada, New Zealand, the U.K. and the U.S. (the so-called ‘Five-Eyes’), agreed at a meeting in July this year to try to contain the global growth of Chinese telecom Huawei because of the threat that it could be spying for China.

The US, Australia and New Zealand have barred Huawei Technologies Ltd. as a supplier for fifth-generation networks, and Japan also looks set to ban government purchases of equipment from Huawei and ZTE.

The U.S. government is also reported to have been putting pressure on Deutsche Telekom, the majority owner of T-Mobile US, to stop using Huawei equipment, although the head of Germany’s Federal Office for Information Security (BSI) Arne Schoenbohm is reported to have told German news outlet Der Spiegel that proof is required to substantiate the accusations.

Detained

Meng Wanzhou, the chief financial officer of Huawei, was recently detained in Vancouver at the request of U.S. authorities for violating US sanctions on Iran. The arrest of Meng Wanzhou happened on the same night that President Trump was dining with Chinese President Xi Jinping during the G20 summit in Argentina.  China’s state-run media, and some other commentators have suggested that Meng’s detention appears to be politically or economically motivated.

Response

The response by a Huawei spokesperson to the NCISA warning has been to deny any suggestion that a national security threat is posed by Huawei to the Czech Republic, and to call for NCISA to provide proof of its claims.

What Does This Mean For Your Business?

If the ‘Five-Eyes’ are to be believed, Huawei’s products and network software could have backdoors built-in to them which could, in theory, allow covert surveillance or control, or destruction of phone networks (which are accessible via the internet).  The fear is that those acting for the Chinese state could gain access to the data stored / routed through Huawei devices, telecoms equipment and software, and could even, perhaps, monitor the conversations on mobile phones.

There does, however, appear to be a lack of clear proof for the allegations, and bearing in mind that Huawei is the world’s biggest producer of telecoms equipment, and that its products are popular (this year it overtook Apple in terms of the number of handsets it was shipping worldwide) and that UK stores are still stocking and selling its handsets, the warnings of various governments look unlikely to be heeded for now.  It is worth noting that BT uses Huawei systems as part of its network, but is now removing Huawei systems from the core of the mobile network EE, which it purchased in 2016.

The advice as part of the recent Czech warning is that system administrators in critical information infrastructure should take ‘adequate measures’ against the threat.  This advice appears a little vague, and until conclusive proof can be produced, many people and businesses will feel that they can decide for themselves what, if any, action to take.

Warnings of Printer Chip-Frying

Swedish YouTube vlogger, PewDiePie, is reported to have inspired some of his 77 million followers to hack 50,000 printers to promote his YouTube channel, and to draw attention to vulnerabilities in their printer firmware that could even be exploited by hackers to ‘fry’ a printer chip.

Messages Sent Through Printers

The vlogger, PewDiePie, primarily wanted to make a point that popular printer firmware has vulnerabilities in it that could leave people open to hacks that could disable and even permanently damage their printer. Also, there is the risk that a printer hack could enable attackers to see and alter potentially sensitive information as it’s printed out.

Thankfully for printer owners, the chosen method of raising awareness by some followers of PewDiePie was to send messages through their printers.  The messages, in this case, asked people to subscribe to PewDiePie’s YouTube channel and asked them to unsubscribe from a rival channel called T-Series.

Could ‘Fry’ The Printer Chip

According to PewDiePie, one of the most alarming risks that people could face thanks to vulnerabilities in the printer firmware is hackers forcing a stream of data to be continuously written by the printer’s chips. Since the chips only have a limited lifespan of ‘writes’, keeping them on such a continuous loop for long enough could overload and ‘fry’ the printer chip, thereby stopping the printer from working altogether.  This would most likely require the victim to purchase a new printer.

Unsubstantiated

Although it has been claimed that followers of PewDiePie have caused 100,000 machines to print out the message, this figure has not been verified, and currently, there is only anecdotal evidence in the form of some Twitter posts from alleged victims in the UK, US, South America, Spain and Australia.  There have, thankfully, been no reports of any printer chips being fried as yet.

Example

One example of how printers can be compromised dates from early 2017 when a hacker named Stackoverflowin was able to take control of more than 150,000 printers manufactured by HP, Brother, Epson, Canon, Lexmark and Minolta, and ordered them to print out a message.

What Does This Mean For Your Business?

This may be a publicity stunt by a YouTube vlogger that is likely to expand the number of his followers, but it appears to have had a serious point about a security vulnerability that could affect your business or home printer. Back in August, for example, it was discovered that hundreds of HP inkjet printer models were in desperate need of firmware patches, and this latest stunt may help to prompt enough questions from printer owners to motivate printer manufacturers to take another look at their firmware, and for printer owners to seek out patches that may already be in existence.

Smart Botnet Detection Needed

For businesses to maintain an effective cyber defence, the ability to prevent, detect and stop smart botnets in real-time is now an important consideration.

What Is A Botnet?

A botnet is a term for multiple malicious mini-programs working together to take over large numbers of computers and digital devices for different purposes e.g. stealing data and / or launching attacks, or in the case of DDoS attacks, shutting down servers (and the websites on them) by bombarding them with requests (a flood).  Botnets also sap electricity and computing power as they work.

How Big Is The Problem?

According to DDoS protection provider Link11, DDoS attacks (launched using botnets) on e-commerce providers showed an increase of more than 70% on Black Friday compared with other days in November this year, and Cyber Monday attacks showed a massive increase of 109% compared with the November average. Botnets have also shown a move towards the Internet of Things (IoT).

Last year saw a huge growth in the use of botnets.  For example, Spamhaus figures showed that the number of command and control (C&C) servers used for managing IoT botnets more than doubled, going from 393 in 2016 to 943 in 2017.

The increase in the use of botnets has been driven by factors such as the availability to cyber criminals of very cheap and easy to operate rent-a-botnet services (booter or stresser services), and the proliferation of IoT devices with sub-standard security that can be used in attacks. Cyber criminals also use various amplification techniques to increase the impact of their attacks.

Characteristics Of Botnets

The characteristics of botnets and how they are made can provide the key to detecting them and preventing them. For example:

  • Some have a long ‘dwell time’ (the time the malicious program sits on a device before it’s activated), and they need to communicate to work. Communication often involves the use of command and control servers. Disconnecting communications between bots and their botnet command and control servers has, therefore, been a way of stopping them.  New smart bots, which create peer-to-peer networks, can be more difficult to stop.
  • Botnets use processing power.  If suspicious processes that take up a lot of memory are spotted, and / or if devices appear to slow down, this can be an indicator that the device has been compromised and a botnet is awake and active.

Turned To Crypto-Mining

A recent security bulletin from Kaspersky Labs states that botnets are now increasingly being used to distribute illicit crypto-mining software, and that the number of unique users attacked by crypto-miners grew significantly in the first three months of 2018. The malware used for mining is designed to secretly reallocate an infected machine’s processing power to mine cryptocurrencies, with all the proceeds going to the attacker.

What Does This Mean For Your Business?

With cyber-crime, prevention is better than cure, and being able to detect signs of attacks early is vitally important. Security commentators suggest a focus on security measures that prevent initial infection and lock-down unnecessary trust permissions. Businesses may also benefit from using security technologies that can detect, alert or block botnet activity in real-time, and by continually analysing network traffic and local system logs.

Inspecting devices and checking for any suspicious processes that appear to be taking up a lot of memory may also be a way to detect botnets that have already slipped through the net and are active.

Google Chrome’s ‘Incognito’ Mode Not So Incognito

Research by Internet Privacy Company DuckDuckGo is reported to have produced evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Incognito Mode

Going incognito (private browsing mode) in Google Chrome means launching a separate ‘Incognito’ browser window by going to top right (the 3 stacked vertical dots icon), > New Incognito Window.  According to Google, by using this browser window Chrome won’t save your browsing history, cookies and site data, or information entered in forms. Any files you download and bookmarks you create will be kept. Your activity also isn’t hidden from websites you visit, your employer or school, or your internet service provider.

The DuckDuckGo Research

In the DuckDuckGo research, several volunteers were given controversial topics, such as gun control, vaccinations and immigration to search for using an Incognito browser window in Google Chrome. The searches were made both logged in to their Google accounts with Incognito Mode activated and logged out.

The Assumption

The assumption that many users may have is that being logged out of Google and using Incognito mode will keep searches totally private.

The Results

The reported results essentially showed that each person got different results.  This could indicate that Google is still able to personalise searches in Incognito mode, which could mean that Google still has some access to searches which the user may believe are private.

The results may be seen to support the fact that even when signed out, and using Incognito / private browsing mode, websites can use IP addresses and browser fingerprinting to identify people.

Vanderbilt University Research In August

This latest DuckDuckGo research appears to support the findings of previous research from August by Vanderbilt University in Nashville (organised by Digital Content Next). This research found that if users sign into a website while using a private browsing window, the details of that login are still sent to Google, and Google could retroactively identify it from the username and other account data used during the session.  Also, the results of this research suggested that adverts served up by Google’s advertising can be linked to the cookies created both in and out of Incognito mode.

It must be said that Google reportedly described the findings of the Digital Content Next / Vanderbilt University research as misleading.

What Does This Mean For Your Business?

For Google, as a business that wants to sell and maximise revenue from targeted advertising, which is something that could be significantly improved with refined data and targeting technology, it is conceivable that it would want to collect detailed information from many sources, perhaps including that from Incognito searches.  The results of the DuckDuckGo research and previous research could be interpreted as showing that this is happening, and that Incognito mode may not be as secret as many users had imagined.  For advertisers using Google’s services, it is obviously in their interest that Google can offer highly targeted advertising services, but it is up to advertisers to decide whether they think Incognito mode search data should be a legitimate source of targeting data.

It is also worth noting that, in this case, DuckDuckGo is an Internet privacy company that has its own search engine to promote, which it describes as “the search engine that doesn’t track you”.  See https://duckduckgo.com/.

SIM Swap Scam Warning

A recent investigation by BBC TV’s Watchdog Live revealed evidence that some mobile phone shop staff are not conducting proper ID checks for replacement SIM requests, thereby enabling some customers to become victims of SIM swap scams.

What is a SIM Swap Scam?

SIM swap scams are believed to have been in existence for the last four years in one form or another.  In its current form, the SIM swap scam happens when a fraudster goes into a mobile operator’s shop and claims a false identity i.e. the identity of one of that operator’s customers.  The fraudster knows that the person they are claiming to be is a customer of that operator because of personal details that have been stolen in previous malware or cyber-attacks, and those details have been posted or sold on the dark web.

In the shop, while pretending to be that customer, the fraudster claims that their phone has been lost or stolen and asks to be issued with a replacement SIM. Once the fraudster has the replacement SIM, the victim’s SIM no longer works, and the fraudster can then access any online service that requires security codes to be sent to the phone, as well as any of the victim’s other personal details that are stored on the SIM.

In the past (London 2016), a similar version of the scam worked when fraudsters used an intercepted bank statement from the victim (or information found on social media) to call the person’s mobile operator, pass security checks, and get a blank SIM card.  The fraudsters were then able to access the unique codes sent by the victim’s bank to log into their account and transfer funds.

What Should Happen When Someone Requests a Replacement SIM?

At the moment, mobile operators should conduct ID checks for replacement SIMs, but it is not compulsory.  Also, the Watchdog Live investigation revealed that checks for contract customers and Pay As You Go customers may differ.  For example, O2 said that it only asks for photo ID when replacing SIMs on monthly contracts, and that Pay As You Go customers will be sent an authorisation code if someone is trying to access the number.

What Happened in Reality?

In the investigation, which involved the secret filming of Watchdog Live’s own ‘King Con’ former fraudster in multiple EE, O2, Three and Vodafone stores, EE and Three staff conducted all the necessary checks, but Vodafone blamed rogue employees for not doing so.  Also, replacement SIMs were obtained from O2 stores and the authorisation codes that the company says it sends out were not received.

What Does This Mean For Your Business?

It appears that this relatively old fraud is still very much alive and is a reminder of how valuable our personal details can be to criminals. Bearing in mind how serious this fraud can be to the victims, it is shocking that photo ID checks for replacement SIMs are not made to be compulsory for all operators in all situations.  Mobile operators could help themselves and customers by introducing compulsory measures and by making sure through training and in-built systems that all staff conduct satisfactory checks.

It is also worrying that the investigation appears to have revealed a two-tiered security system, with Pay As You Go customers afforded less protection.

In the meantime, one way that we can help ourselves is to regularly check both our phone and bank statements and, if we have a contract with e.g. O2, to contact them to confirm that no replacement SIMs have been issued in our name.