Well known food writer, Jack Monroe, has reported falling victim to criminals who were able to steal £5,000 from her bank and payment accounts in a “Simjacking” attack.
What Is Simjacking?
Simjacking, simswapping or ‘phone hijacking’ involves criminals being able to port a person’s mobile phone number over onto on another SIM card. This is often carried out by criminals who, armed with the necessary personal data of an intended victim, go to a phone shop and pose as a customer who wants to switch to a different mobile provider but keep their existing phone number.
In some cases, it may involve mobile operator or phone shop staff members being paid to carry out the crime. One of the first clues that you may be a victim of Sjmjacking is when your phone suddenly stops working.
In Jack Monroe’s case, the food writer said in a Tweet that her card details and PayPal information were taken from an online transaction which meant that when her phone number was ported onto a new SIM, the criminals were able to “access/bypass authentication” and therefore authorise payments from her account. In another Tweet, Jack Monroe appears to imply that her date of birth may have been found by the criminals on Wikipedia.
With £5,000 being taken, Jack Monroe Tweeted that, despite being “absolutely absurdly paranoid about security”, not using publicly available email addresses on any financial accounts, using “gobbledegook” letter/number/special character passwords and having two-step authentication on all accounts, the criminals were still able to make purchases and withdraw cash using her account.
Jack Monroe Tweeted the amount taken, saying that the criminals had “HELPED THEMSELVES to around five thousand of them” (pounds). “Total figure not in yet. I’m so white-hot angry”.
Problem Not Addressed
The fact that the crime was committed against a celebrity and has been widely reported appears to have ignited discussion about an area that some feel the mobile industry may not have been addressing.
Mobile Connect – Alternative
The reports have also highlighted possible alternative mobile authentication systems that are available. One example is Mobile Connect, the GSMA’s secure universal log-in solution that matches a user to their mobile phone and is believed to represent a new standard in security.
What Does This Mean For Your Business?
The fact that simjacking is still quite a common crime, and not just in the UK, could highlight the fact that the mobile industry is not putting in enough effort and resources to eradicate the problem. In the UK, some commentators have called for an investigation by the Information Commissioner’s Office (ICO) to see if mobile operators are meeting their obligations to safeguard services and data under telecom privacy rules and GDPR.
The GSMA’s Mobile Connect secure login solution, if adopted and championed by mobile operators and banks, could be one way that the challenges of a lack of collaboration and standardisation have posed to security (such as the security problems and breaches that are at the heart of crimes like Simjacking/phone number hijacking) can begin to be tackled.