Crim­i­nals want to get their hands on your SIM card – and then your bank account

Hackers steal or copy SIM cards and abuse them to obtain access to apps and bank details. Such an attack usu­ally starts with a phishing message.

Some US-$ 68 mil­lion have been scammed out of vic­tims by fraud­sters in the USA, using the so-called SIM swap­ping trick. In the process, they either steal or copy their vic­tims’ SIM cards and abuse it to obtain access to apps and bank details (source: Heise Secu­rity, 20 Minuten).

Cases of SIM swap­ping, even if com­par­a­tively few, have also come to light in Switzer­land. The ini­tial attack usu­ally involves phishing mails, texts or Mes­senger mes­sages con­taining a link to a fake web­site run by the attacker. This is where inno­cent users are asked to enter their mobile provider details and/or access data to a cer­tain online ser­vice or their e-banking facility. Some­times access data obtained via data leaks are also bought en masse (for instance on the Darknet).

Since e-banking por­tals and other online ser­vices increas­ingly make use of two- or multi-factor authen­tifi­ca­tion (2FA, MFA), attackers will need user name or account number and pass­word on the one hand plus a SIM card either stolen or reordered from the mobile provider, so they can inter­cept and use the second secu­rity factor. Data and SIM cards thus stolen or obtained some other way are then used by fraud­sters to obtain illegal access to rel­e­vant e-banking por­tals or online services.

Pro­tect your­self by ...

• never using any links you receive by e-mail, SMS or mes­senger ser­vices or obtained by scan­ning in a QR codes to log into your finan­cial insti­tu­tion facility or any online service.
• never filling in any forms received by e-mail and asking you to enter log-in information.
• treating e-mail and SMS attach­ments with great caution.
• never dis­closing any con­fi­den­tial infor­ma­tion, such as pass­words, during tele­phone calls.
• always entering the address for your online ser­vice provider or finan­cial institution’s log-in page man­u­ally via the browser address line.
• checking there is an SSL con­nec­tion (https://, lock symbol) when calling up a log-in page, and ver­i­fying that the Internet address shown in the address bar of your browser actu­ally indi­cates that you have reached the cor­rect page.
• never leaving your mobile device out of sight and having a device or SIM card blocked imme­di­ately if lost or stolen.
• con­tacting your finan­cial insti­tu­tion if you are not quite sure or some­thing is not com­pletely clear.