Opinion | The curious cases of SIM swap frauds in recent times

The digital era has ushered an unbreakable marriage between our finances and the mobile phone. In the past five years or so, India has dramatically changed the way it transacts and accesses finances, largely driven by the current government’s push towards a digital economy.

India managed to connect over 500 million people to the internet in 2019 and, not surprisingly, 97% of these users have access to the internet from their mobile phones, according to a March 2019 report released by Kantar IMRB ICUBE, a market research and consumer consulting organization. Over 50% of these internet users are from rural India, which is a significant achievement when it comes to digital inclusion, the report added.

Moreover, according to the World Bank’s 2018 Global Findex Database, over 1.18 billion people own a mobile phone in India, which is over 90% of the population. Most of these mobile phone users are expected to own a bank account. Out of these, smartphone users (over 250 million in 2019) are expected to own a credit card or a digital wallet or both. In 2018, over 80% adults were expected to have a bank account.

The underpinning fact is that today mobile phones are linked to almost all financial interfaces. For instance, text SMSes are still the primary mode of communication for authentication or transaction alerts.

This also increases the risk factor. Every single banking customer is at risk today as mobile operators have inconsistent identity verification processes at various circles and their own employees are at the risk of collusion with the fraudsters.

In recent times, there has been an increase in the number of SIM swap frauds, which has resulted in many Indians losing substantial amounts lying in their bank accounts to fraudsters. For instance, in June 2019, a senior citizen lost ₹25 lakh from his bank account owing to a SIM swap fraud. This happened when his mobile phone suddenly lost connectivity to the telecom operator. When he raised the issue with the operator, he realized an unknown entity—a fraudster—had got a duplicate SIM for his number issued by using fake documents and had activated the senior citizen’s number temporarily. The fraudster used the mobile number to generate one-time passwords (OTP) to fraudulently gain access to the senior citizen’s bank account and transferred money to accounts of other banks from which cash withdrawals were made using the ATM.

The modus operandi of a SIM swap fraud is very simple. Identify the authentication process of a bank, collect some basic information about customers using social media such as name, date of birth and family details. Use social engineering to gain additional details such as card expiry date and use false documents to get a duplicate SIM card issued from the operator to gain access to the most elusive OTPs.

Gaining access to passwords is very simple for such fraudsters. Most individuals use the same password on multiple websites. Many such websites get breached on a regular basis and passwords of all users are often sold or dumped on the dark web. Fraudsters also use popular instant messaging apps like WhatsApp to send links to malware on mobile phones by fraudulently changing the display picture and name on WhatsApp to that of a known person to the victim. A few days of planning and execution does the trick.

As a precaution, one may use a separate mobile number for financial transactions and not circulate it for other purposes. Android users should carefully select SMS permissions to allow only the banking app and main SMS app permissions to read SMS messages. iPhone users need not worry about SMS permissions as much but need to ensure that SMS previews are not allowed on the lock screen. Some banks used to provide a soft token app instead of SMS messages, but most have now discontinued this feature for some reason. For example, ICICI Bank Ltd used to have the iSafe app for OTP generation in lieu of SMS OTP but this app is discontinued. HSBC, for some customers, issues a physical OTP token device for two-factor authentication which adds another layer of security. Lastly, one should not use simple and common passwords on banking sites and use biometric-based password management tools. Avoiding public Wi-Fi to access financial websites is another precaution one could take.

Amit Jaju is senior managing director, FTI Consulting