topic Re: Re: Sim Swap Fraud in Security

Re: Sim Swap Fraud

RonlWeasley — Thu, 11 Jul 2024 07:56:41 GMT

This perhaps deserves its own thread but EE's security measures (or lack thereof) are truly dire. Still no 2FA to login to your account, for example. In 2024 this is mind bogglingly abysmal.

Today I heard that other networks are introducing a "SIM lock" facility whereby in their app you can put on a SIM lock which prevents porting your number to a new device or to another network. Sounds like a brilliant idea to me which would eliminate SIM swap fraud. Of course you just switch off the lock if you want to change phone or leave the network, and switch it back on again when you have a new phone.

Where are EE with such a feature? Presumably nowhere since despite their claims otherwise, their inaction over 2FA, despite YEARS of complaining about it, clearly demonstrates they do not give a toss about their customers' security.

Re: Re: Sim Swap Fraud

bristolian — Thu, 11 Jul 2024 08:12:18 GMT

The most recent update to myEE app includes a non-reversible option to setup 2FA

Re: Re: Sim Swap Fraud

RonlWeasley — Thu, 11 Jul 2024 16:50:20 GMT

Well thank goodness for that. Only took 2 years of complaining!

Shame they only implemented the weakest possible form of 2FA, I.e. sms message, which is of course itself vulnerable to sim swap and other hacks. Would it have been too much to ask after all this time for them to support authenticator codes, webauthn with e.g. Yubikey, or even Passkeys? It is 2024 after all.

But no, crappy old SMS.

Re: Re: Sim Swap Fraud

bristolian — Thu, 11 Jul 2024 16:59:50 GMT

@RonlWeasley wrote:

But no, crappy old SMS.

One person's "crappy" SMS is another's "trusty" SMS.

SMS is a fairly standard method, accepted by financial institutions.

SIM-swap fraud is the very reason EE & other operators have very strict processes for replacement SIMs. There's several posts a week on here from users bemoaning the security attached to SIM replacements. I often wonder how much more vocal those users would be, if those processes were not adhered to & SIM-swaps were more open to abuse.

Re: Re: Sim Swap Fraud

RonlWeasley — Fri, 12 Jul 2024 08:38:57 GMT

Your post is somewhat ironic in a thread where the original posters are sim swap victims!

The fact that some banks also have pitiful security measures, provides zero comfort. It’s just so lazy. I am not saying EE should mandate the use of an authenticator app for 2FA or passkeys or whatever. But to have the option would be nice, wouldn’t it.

The plain, objective fact is that as far as security methods go, 2FA with SMS is the least secure of any 2FA methods, and much less secure than passwordless with WebAuthn or Passkeys. I don’t know why anyone is so keen to defend what is a poor situation.

Re: Re: Sim Swap Fraud

bristolian — Fri, 12 Jul 2024 10:52:56 GMT

@RonlWeasley wrote:

Your post is somewhat ironic in a thread where the original posters are sim swap victims!

Your post was the first in this thread.

There is a balance to be struck between security & ease of access. I'm yet to see a reasoned argument as to why SMS is insecure, but am always open to persuasion.

Re: Re: Sim Swap Fraud

angryoap — Sat, 13 Jul 2024 16:49:49 GMT

Strict processes in place?? I am the victim of a swim swap fraud by EE. I received an SMS from EE asking if I was speaking to an adviser. I immediately rang them from my phone and informed them I was not, they noted this on my account, however, the scammer rang again around 30 minutes later obviously from a different number claiming the phone I had just rung from wasn't working and they issued them with a PAC code immediately over the phone. The following day, some 16 hours later, I received an SMS saying my PAC code had been issued as requested (I never received the actual PAC code). This 16 hour gap in sending an SMS to the actual number on the account gave the scammer time to activate the sim swap. It's been a total nightmare for me. I am in my 70s and not in the best of health with a husband undergoing cancer treatment. Did EE care? Not in the slightest, apparently, it was all my fault. Can someone please explain this to me??

Re: Re: Sim Swap Fraud

angryoap — Sat, 13 Jul 2024 17:04:10 GMT

Please read my response above. It appears from what I was told by EE security that, despite my ringing to warn them there might be someone trying to access my account and it being noted on my account, if that person rings again and manages to pass security, my warning has no bearing on anything, this is despite the scammer claiming the phone wasn't working yet I'd called EE from that very phone 30 minutes earlier. You can't win with EE, they take no responsibility whatsoever for their actions. If SMS worked, the scammer would never have been issued with a PAC code. I cannot stress the impact that EE's actions have had on myself and my husband. The only thing we got from EE was an offer of £50 compensation which, if we accepted, would mean we couldn't take any further action. I'm sure I don't need to elaborate on what my response to this was!

Re: Re: Sim Swap Fraud

Leanne_T — Sun, 14 Jul 2024 06:33:51 GMT

Hi there @angryoap

I am very sorry to hear you have been a victim of fraud at such a difficult time, and I understand what a stressful experience this can be.

When you called did our fraud team investigate the SIM swap and reverse this for you to get your number reinstated on EE?

Did you open a complaint with our mobile guides or online and speak to our complaints team?

You can view information on account takeover and advice on our Fighting Fraud, Help page.

Leanne.

Re: Re: Sim Swap Fraud

angryoap — Sun, 14 Jul 2024 11:59:03 GMT

I reported it immediately and opened a complaint. Yes I eventually got my number reinstated a few days later but not before the sim swap had been activated, therefore, allowing the scammer to take over my number. It took EE some 16 hours to send me an SMS message saying a PAC code had been issued. Had I been notified immediately, the sim swap could have been stopped before the scammer gained access to my number. As mentioned in my previous posts I had notified EE that there may be fraudulent activity on my account some 30-40 minutes before they issued a PAC code to the scammer over the phone. The scammer was obviously ringing from a completely different number. I was put through to your 'Executive' Claims Department who were of little help. Just offered me £50 compensation. When I turned this down they issued me with a Deadlock Letter and, as far as they were concerned, that was the end of it. Bearing in mind, as I've said, I am in my 70s and not in the best of health and my husband, whose phone was also on my account is, and was at the time, undergoing gruelling cancer treatment I felt we were treated appallingly by EE.

Re: Re: Sim Swap Fraud

Leanne_T — Sun, 14 Jul 2024 13:37:01 GMT

I am very sorry to hear this @angryoap

Please see our Regulatory documents and codes of practice for the EE Complaints Code of Practice for help going forward.

Leanne.

Re: Re: Sim Swap Fraud

NW69 — Mon, 15 Jul 2024 17:26:12 GMT

I don't think their processes for replacement SIMs are that strict. My SIM card was hacked. If someone loses a phone with a SIM card in then they should wait until a new SIM card is mailed out to them. I'm not sure that happens ...

Re: Re: Sim Swap Fraud

NW69 — Mon, 15 Jul 2024 17:27:03 GMT

When your number gets hacked/ported over, then you'll understand why SMS is insecure. (And yes, this happened to me ...)

Re: Re: Sim Swap Fraud

RonlWeasley — Mon, 15 Jul 2024 17:34:36 GMT

My apologies - seems my post was moved to a new thread. I had originally posted it in a reply to a thread about SIM swap fraud.

Anyway, one of the many disadvantages of SMS based 2fa is here for all to see. Had EE implemented WebAuthn or Passkeys, this could not have happened.

Re: Re: Sim Swap Fraud

bristolian — Mon, 15 Jul 2024 18:02:45 GMT

@RonlWeasley wrote:

Anyway, one of the many disadvantages of SMS based 2fa is here for all to see. Had EE implemented WebAuthn or Passkeys, this could not have happened.

I don't see any evidence of SMS as a delivery mechanism being inherently insecure. Delays in sending an SMS are a different issue.

Re: Re: Sim Swap Fraud

angryoap — Mon, 15 Jul 2024 18:58:59 GMT

I can give you another example from someone who posted on here before me who was also the victim of a sim swap fraud. He was on a flight at the time the SMS was sent so his phone was in airplane mode. By the time he landed and saw the SMS it was too late and the transfer went ahead. Can you imagine being in a foreign country and finding your phone provided has authorised a sim swap to a scammer? If someone is not calling from the actual phone number on the account there should automatically be at least a 24 hour wait before the PAC code is issued or the person calling should be made to visit an EE store with ID.

Re: Re: Sim Swap Fraud

bristolian — Mon, 15 Jul 2024 19:01:58 GMT

@angryoap wrote:

I can give you another example from someone who posted on here before me who was also the victim of a sim swap fraud. He was on a flight at the time the SMS was sent so his phone was in airplane mode.

Again, I don't see how this is the fault of SMS as a delivery mechanism. Phones that are in flight-mode don't have an internet connection for any app-based authentication either.

Re: Re: Sim Swap Fraud

angryoap — Mon, 15 Jul 2024 19:53:43 GMT

No they wouldn't have access to any other way of authenticating the request which surely would result in EE not issuing the PAC code? EE should make allowances when they send an SMS that can have such a catastrophic affect on the account holder if they are not in a position to respond immediately. Not everyone is glued to their phone 24 hours a day or has access to it. To simply send an SMS to the account holder and, if they don't respond immediately, issue a PAC code to someone not in possession of the phone linked to that account is, in my opinion, grossly negligent. Through no fault of the account holder they find themselves in a position where a scammer has taken over their identity, is trying to empty their bank accounts, take loans out in their name etc etc. In what circumstances can it be so urgent for someone who is not even in possession of that phone to obtain a PAC code?

Re: Re: Sim Swap Fraud

RonlWeasley — Thu, 18 Jul 2024 21:40:56 GMT

You should read up about it.

For starters, your number can be spoofed and the code intercepted, and also you are vulnerable to man-in-the-middle attacks whereby you unwittingly key the sms code into a hacker’s reverse proxy website. There are many other inherent flaws.

WebAuthn with e.g. Yubikey or alternately Passkeys, fixes these vulnerabilities completely since the authentication credentials are not sent by the site you are logging into, they are created locally. Further, the local verifying software will not surrender the credential unless the requesting website is validated, so it eliminates MITM vulnerabilities as well.

Honestly SMS 2FA is rubbish.

Re: Re: Sim Swap Fraud

bristolian — Fri, 19 Jul 2024 07:15:35 GMT

@RonlWeasley wrote:

For starters, your number can be spoofed and the code intercepted

SMS is no more-or-less susceptible to interception than voice calls, routing is based on the same central network lookups.

Many of these attacks are based on malware or other device-based interception, and not network-based "hacking" which some popular misconception suggests. To the best of my knowledge, there have been no documented cases of SMS being sent to a mobile phone incorrectly.

All of this is why access to a particular SIM is crucial to unlocking access to an individual number.