The Times 7 December 2019 - article by Kenza Bryan
GCHQ’s cybersecurity branch has warned banks about the risks of using SMS technology for authentication. Picture: EPA
Intelligence services have warned banks not to use text messages to send secret codes that allow customers to transfer cash, Times Money has learnt.
The cybersecurity branch of GCHQ says that the use of SMS phone messages to verify payments is putting people’s money at risk from a scam known as Sim swapping. Scott Taylor, a fraud prevention expert at Fico, a data analytics company, says: “SMS was not developed for secure messaging and everyone knows that.”
The number of reported Sim swaps, where fraudsters get your phone number moved to their Sim cards and use intercepted text messages to transfer money, went up 1,832 per cent between 2016 and 2018, from 161 to 3,111 cases. Action Fraud, the national crime reporting centre, says that although the number of cases this year has fallen to 720, the average amount lost in each scam has risen dramatically from £938 last year to £3,011. Nearly £9.2m has been lost in Sim swapping scams over the past five years.
Under EU rules introduced in September, banks need to use a second form of checking — known as two-factor authentication — before approving payments of more than £27. They can choose to do this however they like, but Lloyds, TSB and Barclays, the Co-Operative Bank and Santander have started sending codes by text, among other methods that include mobile banking apps. Customers in rural areas with mobile phone or broadband blackspots can ask for voice messages over landlines or a code through handheld card readers. HSBC says it relies chiefly on text messages for authenticating card payments.
In October a representative of the government’s National Cyber Security Centre (NCSC), which advises business on fraud and hacking risks, told mobile industry experts that it had warned banks and phone companies about using SMS technology for authentication. Lee Suker, a data protection officer at the analytics company Mobile Squared, says: “The representative said SMS was not designed to carry secure messages and that the banks should look for other secure authenticators.”
Suker said the forum was told that there had been “a clear recommendation to UK Banks and UK Mobile operators that SMS should not be used”. The NCSC would not confirm what it said at the conference, but pointed to a report published by the intelligence agency two weeks ago.
It says: “There has recently been a rise in the sophistication of SMS-interception attacks, with multiple financial institutions and communications service providers being affected.”
In another report last month, it warned that SMS technology was riddled with “inherent weaknesses”. It also said that banks should not send high-value codes over SMS when a customer’s phone was roaming abroad.
Sim-swap scammers get bank details and phone numbers from criminals operating on the dark web or by convincing victims to hand over information. They then trick phone companies into transferring the victim’s phone number to a new Sim and use the bank details and the verification code to transfer funds. By the time victims notice that their phone is not working, the scammers have often transferred thousands of pounds. Text messages are sent over less secure networks than messages sent over services such as WhatsApp, which are encrypted.
Last month Times Money was given access to a declassified FBI document that warned against the “common tactic” of Sim swapping after an Irishman was alleged to have used Sim swaps to help to steal cryptocurrency worth more than $2 million (£1.6 million) in the US.
One Money reader, Phillip Dudden, had more than 20,000 stolen from his bank account last year after Sim swappers took control of his phone number when he was working in Morocco. Another reader, retired chief police officer Robert Golding from Hampshire, lost £11,500 in March after Tesco Mobile passed control of his number to a fraudster posing as him.
The NCSC says: “While any two-factor authentication is better than none, for some years we have recommended that it is set up through authenticator apps or hardware tokens [card readers] which we would recommend as a stronger alternative.
“While in some situations SMS-based authentication may be more accessible for some users, it is less secure and risks not being received due to poor mobile signal.”
UK Finance said: “Two-factor authentication will add an additional layer of protection for online transactions.
“The industry is working hard to implement these changes in a way that balances both convenience and security, with many firms rolling out mobile app-based solutions or biometric technologies.”
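The NCSC advice quoted above prefers authenticator apps to SMS codes. The Python below is an added example, not code from the article, the NCSC or any bank, showing the mechanism those apps use: RFC 6238 time-based one-time passwords. The code is computed on the customer’s device from a secret shared once at enrolment plus the current time, so no code ever crosses the mobile network and a Sim swap gives a fraudster nothing to intercept. The secret is the RFC 4226/6238 reference test secret so the outputs can be checked against the published vectors; the `TotpVerifier` class, with its drift window and replay guard, is this example’s own design.

```python
"""Added example: RFC 6238 TOTP, the mechanism behind authenticator apps."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226 / RFC 6238 reference test secret, used only so results are checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, as carried in an otpauth:// enrolment QR code."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side check (example design): constant-time compare, small clock-drift window, no code reuse."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of drift
        self.last_counter = -1        # highest counter already accepted for this user

    def verify(self, candidate: str, at_time: int) -> bool:
        # Reject malformed input before doing any cryptography.
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        now_counter = int(at_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_counter:
                continue  # a code at or before one already used is a replay: reject it
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Enrolment: a fresh 160-bit secret is generated once and shown to the app as base32.
    shared = secrets.token_bytes(20)
    print("enrol with:", provisioning_secret(shared))
    now = int(time.time())
    code = totp(shared, now)          # what the authenticator app would display
    print("current code:", code)
    print("accepted:", TotpVerifier(shared).verify(code, now))
    print("replay accepted:", TotpVerifier(shared).verify(code, now + 3000))
```

The window of one step either side tolerates ordinary clock drift between phone and server; the `last_counter` guard means a code that has been accepted once, or any older one, is never accepted again, which is the RFC 6238 resynchronisation rule. Hardware tokens and card readers follow the same HOTP/TOTP scheme with the secret sealed inside the device.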