SIM hijacking, security measures and bank’s liability

Threats change, but security measures to protect account holders do not. Can banks still blame users in case of frauds? by Andrea Monti – Originally published in Italian by Infosec News

One of the many recent cases reported by the Italian press concerns yet another fraud committed against a bank account holder by means of a SIM hijacking attack. Less than a week ago, I had to deal with a similar case, where, through a social engineering attack, the scammers misled the customer into giving them over the telephone the OTP needed to finalise the fraudulent transaction.

In many cases, the victim manages to obtain a refund of the stolen amount, but in others the bank refuses, claiming the client was negligent in not recognising the fraudulent nature of the criminal's behaviour. In other, rougher words: the bank does not pay for the consequences of the victim's stupidity or ignorance.

However, is that so?

In theory, the parties to a (banking) contract must act "in good faith". From the client's point of view, this means keeping codes, PINs and credentials with adequate care and taking the minimum security measures (antivirus, PIN confidentiality, and so on) that can prevent unauthorised access to the account. On the bank's side, and more specifically because of the custody obligations assumed in the contract, it is imperative to adapt the security measures to new types of attack. Therefore, if safes of a given type were sufficient before the thermal lance existed, the availability of a new tool to force them obliges the bank to adapt, either by using more robust safes or by redesigning its security management processes.

Similarly, therefore, if criminals now use other methods such as social engineering and SIM hijacking, banks should take note of them and adapt, instead of adopting the classic approach of blaming the user. Only if the bank demonstrates that it has adopted specific security measures against that type of attack can it shift the responsibility onto the client. If it does not, any contractual clause, any pre-filled form with "absolutory" options for the institution and any refusal by customer service is worthless.

To complete the argument, a final note is necessary about the shared responsibility of telephone companies and institutional bodies, at least from the technical perspective.

SIM hijacking is possible because some official resellers of mobile services accept a SIM change request without asking too many questions. In some cases, the reseller is itself a victim of deception; in others it is complicit, and it is not always easy to establish the truth. Some apparent clues might hint at a fraud, though. For instance, an illegitimate SIM change request might be lodged in a place other than the one where the victim resides, which raises the suspicion of illegal behaviour.

It would be easy to object that the fraudster could also have altered the victim's residence on the false identity document. Equally easy, however, would be to reply that at this point the telephone operator should no longer accept a photocopy of an identity document as proof of the legitimacy of the request.
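The clues just described can be turned into a screening step on the operator's side, and the same data supports the bank-side adaptation argued for above. The following is an added example, not code from the article or from any operator or bank: it assumes a reseller records the province where the request was lodged, how the identity was checked, and the residence printed on the document shown, and it assumes (hypothetically) that the bank can learn the date of the number's last SIM change before choosing how to deliver an OTP. All names, fields and the sample subscriber data are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Subscriber:
    """What the operator holds on file for a number (constructed sample data)."""
    msisdn: str
    residence_province: str            # residence declared at activation
    last_sim_change: Optional[datetime] = None


@dataclass
class SimChangeRequest:
    """A SIM replacement request as taken by a reseller (hypothetical record)."""
    msisdn: str
    requested_at: datetime
    shop_province: str                 # where the request was lodged
    id_check: str                      # "in_person" or "photocopy"
    id_doc_province: str               # residence printed on the document shown


def screen_sim_change(req: SimChangeRequest, sub: Subscriber) -> List[str]:
    """Return the clues that make a SIM change request suspicious.

    An empty list means nothing stood out. Each clue mirrors a point made
    in the text: request lodged away from the residence, document residence
    not matching the operator's file, identity proven only by photocopy,
    and a SIM already replaced very recently.
    """
    flags = []
    if req.shop_province != sub.residence_province:
        flags.append("shop_outside_residence")
    if req.id_doc_province != sub.residence_province:
        flags.append("document_residence_mismatch")
    if req.id_check == "photocopy":
        flags.append("photocopy_only")
    if (sub.last_sim_change is not None
            and req.requested_at - sub.last_sim_change < timedelta(days=30)):
        flags.append("recent_sim_change")
    return flags


def otp_channel(sub: Subscriber, now: datetime,
                cooldown: timedelta = timedelta(hours=48)) -> str:
    """Bank-side check (assumed lookup of the last SIM change date).

    Within the cooldown after a SIM change the OTP is not pushed over SMS,
    because the SMS may now reach the fraudster's SIM; "hold" means the
    transaction waits for confirmation through another channel.
    """
    if sub.last_sim_change is not None and now - sub.last_sim_change < cooldown:
        return "hold"
    return "sms"


if __name__ == "__main__":
    # Constructed sample data: the subscriber lives in Pescara.
    sub = Subscriber("+39333000000", "Pescara")
    legit = SimChangeRequest("+39333000000", datetime(2020, 5, 4, 10, 0),
                             "Pescara", "in_person", "Pescara")
    fraud = SimChangeRequest("+39333000000", datetime(2020, 5, 4, 10, 0),
                             "Milano", "photocopy", "Milano")
    print(screen_sim_change(legit, sub))   # []
    print(screen_sim_change(fraud, sub))   # ['shop_outside_residence', 'document_residence_mismatch', 'photocopy_only']

    swapped = Subscriber("+39333000000", "Pescara",
                         last_sim_change=datetime(2020, 5, 4, 10, 0))
    print(otp_channel(swapped, datetime(2020, 5, 4, 12, 0)))   # hold
    print(otp_channel(swapped, datetime(2020, 5, 10, 12, 0)))  # sms
```

The policy attached to each clue (refuse, escalate to in-person verification, or call the existing number first) is the operator's choice; the point of the screening is that the signals are cheap to collect at the counter and already present in the request itself.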

Similarly, in the case of scams based on social engineering, it should always be possible to trace the holder of the number used by the criminals. This is not the case, however, because, first of all, the allocation of numbering ranges is a parallel and opaque world where it is not always possible to identify who the assignee of one or more numbers is. Secondly, the migration to VoIP systems and the way SMS works allow numbers and sender IDs to be falsified, just as with e-mail, where (except when special measures or registered electronic mail are used) anyone can enter anyone else's address as the sender.

The competent institutional bodies (the Communications Authority, but also the Personal Data Protection Authority, CONSOB, the Bank of Italy and MISE) should start investigations to understand whether the way telephone operators work is still adequate to the times, or whether their security processes need to be adapted to ever-evolving technology-based criminal attacks.
