Subject : Re: Mobile banking: alarm as fraudsters take over handsets and raid accounts
From : usenet.tweed (at) *nospam* gmail.com (Tweed)
Groups : uk.telecom.mobile comp.mobile.android
Date : 13. Jul 2024, 15:17:38
Organisation : A noiseless patient Spider
Message-ID : <v6u2a2$3kd7m$1@dont-email.me>
References : 1 2 3
User-Agent : NewsTap/5.5 (iPad)

Andy Burns <usenet@andyburns.uk> wrote:
> Jörg Lorenz wrote:
>> The article is extremely unspecific how the accounts/mobiles were taken
>> over. Not very helpful.
>
> Snatch the unlocked phone from the user's hands. Bonus points if they
> can trick the owner into unlocking it, and then snatching it.

It’s usually a sim swap fraud. Somehow convince the mobile operator to port
the number to another mobile operator where the new sim is in the
possession of the fraudster. If you have access to the victim’s email
account it is often possible to harvest enough information for the
fraudster to “prove” they are the victim. Eg copies of utility bills. Other
weaknesses are where the victim uses the same password for their mobile
account as for some other account, eg an online shop, where that password
has been already stolen.

It’s not really an issue with *mobile* banking. Accessing the bank account
via a regular computer would be equally vulnerable if the bank relies on
SMS one time codes. It’s the ability to intercept these codes that is the
flaw.