SIM Card Tricksters Target Mobile Payments


The criminal activity that targets mobile banking has not yet reached the levels of web banking, mostly because the volume of mobile banking to this point hasn't made it as attractive a target.

But as mobile banking grows, that's starting to change — particularly since mobile banking is exposed to a wide variety of criminal threats. A new strain of fraud that tricks carriers into issuing replacement subscriber identity module (SIM) cards for victims' phone numbers has quickly emerged to threaten banks and the other enablers of mobile payments, such as telecoms.

"This special attack involves stealing information to generate new SIM cards," says Orem Kedem, a director at the security firm Trusteer, who described the threat in a recent interview. Kedem says the new attacks on SIM cards grew out of an earlier criminal threat that uses the victim's mobile number to redirect one-time passwords (OTPs — a method to protect electronic transfers) to the crook's phone.

A SIM card is a small smart card that can be moved from one phone to another and can store a key used for authentication. SIM cards are the favored method of securing mobile payments at ISIS and other telecom-driven mobile payment schemes around the world because the card is issued and controlled by the carrier. Other strategies, such as building the secure element into the handset alongside its NFC chip, would give handset manufacturers such as Apple more control.

In the new SIM card attack, the Gozi Trojan steals the international mobile equipment identity (IMEI) number from account holders' devices when they log into the mobile banking application. Armed with the IMEI, the crook contacts the wireless carrier, reports the phone as lost and asks for a replacement SIM card. Once the carrier activates that SIM in a device the crook controls, the victim's number moves with it, and every OTP sent to that number arrives on the crook's phone instead of the victim's.

Avivah Litan, a vice president and analyst at Gartner, says the SIM cards and the NFC chips that are embedded in the secure element (where the user data is stored) are highly secure. "The vulnerabilities and issues come from the business processes and applications that surround them. In this case, it's good old fashioned social engineering that defeats the strong technical security. People and processes are always the weakest links and this is no exception. Sure, mobile payments will open up the possibility of lots of new types of attacks that exploit processes, people and applications that make use of chip functionality."

Kedem says one option for the carriers is to require strong authentication for SIM card issuance — verifying the request through a second channel rather than accepting the IMEI and a lost-phone story as proof of identity.

"Mobile carriers are not set up to be issuers of credit cards; they don't have the processes for that. They need to set up password protections similar to those of credit card issuers. That's a whole new ballgame," he says. ISIS did not return requests for comment by Monday morning.
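The attack flow described above (a replacement SIM moving the victim's number, and its OTPs, to the crook's device) and the bank-side check it implies, as an added example that is not code from the article or from Trusteer, ISIS or ValidSoft. It assumes a hypothetical carrier lookup that returns, for a phone number (MSISDN), the ICCID of the SIM currently serving it and the time of the last SIM change, and that the bank recorded the ICCID when the customer enrolled for SMS OTPs. The 72-hour quarantine, phone numbers and ICCIDs are constructed sample values.

```python
"""Bank-side SIM-swap check before an OTP is sent by SMS (added example).

Hypothetical assumptions: the carrier exposes the ICCID currently serving a
number plus the time of its last SIM change, and the bank stored the ICCID at
enrollment. Sample numbers and ICCIDs below are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed bank policy: no SMS OTPs for 72 hours after a SIM change.
SWAP_QUARANTINE = timedelta(hours=72)


@dataclass
class CarrierRecord:
    """What the (hypothetical) carrier lookup returns for a phone number."""
    msisdn: str
    iccid: str                 # SIM currently serving the number
    last_sim_change: datetime  # when that SIM was activated for the number


@dataclass
class Enrollment:
    """What the bank recorded when the customer enrolled for SMS OTPs."""
    msisdn: str
    enrolled_iccid: str


def make_carrier_directory() -> dict[str, CarrierRecord]:
    """Constructed sample carrier data; not real numbers or ICCIDs."""
    t0 = datetime(2012, 1, 5, tzinfo=timezone.utc)
    return {
        "+15555550101": CarrierRecord("+15555550101", "8901410000000000001", t0),
        "+15555550102": CarrierRecord("+15555550102", "8901410000000000002", t0),
    }


def replace_sim(carrier: dict[str, CarrierRecord], msisdn: str,
                new_iccid: str, when: datetime) -> None:
    """Carrier issues a replacement SIM: the number now rides on a new ICCID.

    This is the step the crook triggers with the stolen IMEI and a lost-phone
    report; the number itself never changes, so the bank cannot notice the swap
    by looking at the MSISDN alone."""
    carrier[msisdn] = CarrierRecord(msisdn, new_iccid, when)


def otp_channel_decision(enrollment: Enrollment, now: datetime,
                         carrier: dict[str, CarrierRecord]) -> tuple[str, str]:
    """Decide how to deliver an OTP for this customer.

    Returns (decision, reason) with decision one of:
      'sms'     - the SIM serving the number is the one enrolled
      'block'   - number unknown, or SIM replaced inside the quarantine window
      'step_up' - SIM differs from enrollment; re-verify the customer out of
                  band (call-back, branch, existing app session) before
                  re-enrolling the new SIM
    """
    record = carrier.get(enrollment.msisdn)
    if record is None:
        return "block", "number not found at carrier"
    if record.iccid == enrollment.enrolled_iccid:
        return "sms", "SIM matches enrollment"
    age = now - record.last_sim_change
    if age < SWAP_QUARANTINE:
        return "block", f"SIM replaced {age} ago, inside quarantine window"
    return "step_up", "SIM differs from enrollment; re-verify customer out of band"


def run_scenario() -> dict[str, str]:
    """Walk the attack: enrolled SIM, crook's swap, check shortly after, check later."""
    carrier = make_carrier_directory()
    victim = Enrollment("+15555550101", "8901410000000000001")
    now = datetime(2012, 3, 19, 12, 0, tzinfo=timezone.utc)
    out = {"before_swap": otp_channel_decision(victim, now, carrier)[0]}
    # Crook obtains a replacement SIM one hour ago (constructed timing).
    replace_sim(carrier, victim.msisdn, "8901410000000000099", now - timedelta(hours=1))
    out["one_hour_after_swap"] = otp_channel_decision(victim, now, carrier)[0]
    out["five_days_after_swap"] = otp_channel_decision(
        victim, now + timedelta(days=5), carrier)[0]
    out["unknown_number"] = otp_channel_decision(
        Enrollment("+15555550199", "8901410000000000001"), now, carrier)[0]
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step}: {decision}")
```

The point of the check is that the bank keys its trust to the SIM (ICCID) it enrolled, not to the phone number, which survives the swap untouched; a recent change is treated as hostile until the customer is re-verified through a channel the crook does not control.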

The mobile banking industry in general is still behind the curve on security. In an earlier interview with BTN, Aaron McPherson, practice director for IDC Financial Insights, said the scarcity of attacks had played a role in lagging security and antivirus technology, but that this would change soon. McPherson predicted that mobile banking's growing popularity would spur breaches, which in turn would drive interest in security software.



Comments (3)
I don't think carriers have zero-liability policies, so they don't have the same motivations banks do to shore up their defenses against fraud. --Daniel Wolfe, Risk/Technology Editor, American Banker
Posted by dwolfe | Monday, March 19 2012 at 4:17PM ET
How can a crook get a new SIM card just by furnishing the IMEI number to the mobile service provider? I know they check the identity of the account holder. So the crook has to obtain the identity also, along with the IMEI, to perform this fraud.
Posted by sanjay s | Tuesday, March 20 2012 at 8:46AM ET
ValidSoft announced the world's first SIM swap fraud solution for the banking industry back in May 2012. Avivah Litan was also interviewed then. A practical application of a SIM swap fraud prevention solution can be read in Payments Source at http://www.paymentssource.com/news/ValidSoft-Tackles-Emerging-Threat-From-SIM-Card-Swap-Mobile-Banking-Fraud-3010827-1.html
Posted by Filsjean | Friday, October 19 2012 at 10:45AM ET