Details

  • Service: Advisory, Risk Consulting
  • Type: Business and industry issue
  • Date: 20/03/2014

Account takeover fraud – NFIB update 

Russian and UK organised crime gangs are using Trojan software and cloned SIM cards to withdraw funds from thousands of bank accounts. That’s according to the National Fraud Intelligence Bureau (NFIB).

Over 18,000 cases of account takeover fraud were reported to the NFIB in the year to February 2014 – two per hour each day.

 

These two-pronged attacks exploit overlapping weak controls in banks and mobile phone operators.

 

Accessing bank accounts

 

The fraud begins when ordinary internet users download Trojan software onto their computers or smart phones. This can happen when you download something which claims to be legitimate, but instead does something malicious.

 

Russian organised crime groups are using certain Trojans to steal personal data, according to the National Fraud Intelligence Bureau (NFIB). Among other things, these Trojans record a copy of everything you type in, including your phone number and online banking passwords.

 

British fraudsters then buy a copy of the data. They can use this to log into your bank and gain access to your funds. But the fraudsters cannot take the money straight from your account without you knowing or setting off monitoring systems.

 

So they will set up a second account under your name, parallel to your main account. This can happen quickly, often on the same day. Your bank will think the request is genuine, and it has already completed its anti-money laundering (AML) checks on you. You may never notice the new account exists.

 

Fraudulent authorisation

 

With the new account set up, the fraudsters pass your details on to a ‘SIM splitter’ to withdraw your funds.

 

SIM splitters use open-source internet research to find out more about you. They are looking for answers to possible security questions your bank or phone company might ask – your date of birth or your mother’s maiden name.

 

They will also find out which mobile phone company you use. Sometimes they can get this from online sources. Other times, they will look at the direct debits shown on your bank statement.

 

Then the SIM splitter will clone your phone number. They will contact your network and say your phone is lost or damaged. They will obtain a new SIM card with your number, either from a phone shop or from an insider.

 

Before you notice any change, they transfer the funds out of your bank account, via the new account they set up. When your bank phones up for authorisation, the call goes through to the new SIM card. The splitter picks it up, answers any security questions, and approves the transfers. 
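The chain described above (a parallel account opened shortly beforehand, a replacement SIM, then funds moved via the new account) can be written as a bank-side correlation check. This is an added example, not from the NFIB or KPMG; the event fields, the three-day window and the assumption that the bank is notified of SIM replacements are all hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and event types are assumptions.
EVENTS = [
    {"t": "2014-03-03T09:10", "cust": "C1", "type": "account_opened", "acct": "C1-B"},
    {"t": "2014-03-04T14:00", "cust": "C1", "type": "sim_replaced"},
    {"t": "2014-03-04T16:30", "cust": "C1", "type": "transfer", "src": "C1-A", "dst": "C1-B"},
    {"t": "2014-03-04T16:45", "cust": "C1", "type": "transfer", "src": "C1-B", "dst": "EXT-77"},
    # C2: long-standing second account and no SIM change, so not flagged
    {"t": "2013-01-10T10:00", "cust": "C2", "type": "account_opened", "acct": "C2-B"},
    {"t": "2014-03-04T11:00", "cust": "C2", "type": "transfer", "src": "C2-A", "dst": "C2-B"},
    # C3: SIM replaced but no newly opened account involved, so not flagged
    {"t": "2014-03-02T08:00", "cust": "C3", "type": "sim_replaced"},
    {"t": "2014-03-02T12:00", "cust": "C3", "type": "transfer", "src": "C3-A", "dst": "EXT-12"},
]

def flag_takeover_chain(events, window=timedelta(days=3)):
    """Return transfers that touch a recently opened account while a SIM
    replacement for the same customer also falls inside the window."""
    opened, sim_swaps, flagged = {}, {}, []
    # ISO timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["t"]):
        when = datetime.fromisoformat(ev["t"])
        if ev["type"] == "account_opened":
            opened[ev["acct"]] = when
        elif ev["type"] == "sim_replaced":
            sim_swaps[ev["cust"]] = when
        elif ev["type"] == "transfer":
            # Signal 1: source or destination account was opened recently.
            new_acct = any(
                a in opened and when - opened[a] <= window
                for a in (ev["src"], ev["dst"])
            )
            # Signal 2: the customer's SIM was replaced recently.
            swap = sim_swaps.get(ev["cust"])
            recent_swap = swap is not None and when - swap <= window
            if new_acct and recent_swap:
                flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for ev in flag_takeover_chain(EVENTS):
        print("HOLD FOR REVIEW:", ev["cust"], ev["src"], "->", ev["dst"], ev["t"])
```

Either signal alone is common in normal customer behaviour; the check only holds a transfer when both occur together, which is the pattern the fraud depends on.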

 

Possible responses

 

Tackling account takeover fraud is likely to require tighter identity checks, suggests the National Fraud Intelligence Bureau (NFIB).

 

And any action taken to crack down on identity fraud should also help prevent account takeovers. Some phone companies will ask for photo ID before replacing SIM cards. However, they do not always hold copies of the original customer’s ID, so they run the risk of accepting fake IDs.  

 

Options for tighter checks could include:

 

  • Contacting the number reported lost/damaged before issuing a replacement SIM card
  • Giving the existing customer longer to report that their phone has been disconnected, before activating replacement SIM cards
  • Limiting their employees’ access to customers’ answers to security questions

 

Contact Us

 Tom Curtis

 


KPMG in the UK

020 7694 5090

 
