Introduction
On the 10th of February, police in Cataluña, Spain reported the apprehension of a criminal group that robbed bank accounts by impersonating individuals in order to duplicate their phone numbers, allowing them to bypass two-factor authentication and successfully authorize money transfers out of the accounts. Eight arrests were made and twelve bank accounts throughout Spain were frozen in connection with this operation, which is believed to have begun around March of 2021. I wanted to discuss the method by which the criminal group carried out their heists, since it highlights the futility of developing ever-improving security measures when a lapse of carelessness is enough to bypass them all.
Phishing for Personal Info
If you want to call a bank while impersonating someone then a good place to start is, ironically enough, to first call your victim while impersonating their bank. The victims in this case would receive calls, texts or emails from someone claiming to be an advisor from their bank needing some of their personal information to resolve some non-existent issue. According to the police report, the criminals managed to deceive or intimidate people into offering bank account passwords, credit card numbers and even scans of their IDs. Which leads to the second step of the plan: impersonating the victim. Not to their bank, but to their cellular provider.
SIM Swapping
With a copy of the victim’s ID in hand, one of the criminals would tweak their appearance into an approximation of the picture on the document before entering the mobile company store. With a sob story about losing their wallet and phone, they’d deceive the store employee into transferring the victim’s phone number to a fresh SIM card under their control. And with that, they were all set to steal actual money instead of identities.
Money Heist (over the phone)
Using the banking information phished earlier, the criminals could now call the bank to initiate a money transfer out of the victim’s account. When the bank asked for additional confirmation from the victim’s phone, the message was instead sent to the criminal’s device carrying the cloned SIM card. Thus the fraudulent money transfer was successfully confirmed, despite two-factor authentication.
Conclusion
This incident is sort of mundane in the sense that it doesn’t involve the use of any new technologies or inspired techniques to carry out the crime, but that’s why it highlights the limitations to true security in the real world. Every year, new measures (like multi-factor authentication) are implemented to regularly improve security systems, but despite this there will never be a shortage of ways to maliciously exploit these systems as long as there is a human component to their function. In this case, the key to the criminal group’s success was the inattentiveness of their victims, whose freely offered personal info made it possible to bypass every electronic security measure put in place by both the phone company and the bank (in true spirit of the principle of easiest penetration).
The lesson that I choose to learn from this story is that, more than a strong password or an onion’s worth of layers of encryption, the most important aspect of online security is attention and diligence on the part of the user. If the victims in this case had, when asked for sensitive information, taken a moment to investigate the email address online or call their bank to double-check the criminal’s identity, the malicious attempt would have failed at step one. ‘Don’t give out your password over the phone’ may not be the most inspired advice, but sometimes all it takes to stay safe is to have a second look without rushing or panicking.
Sources:
https://thehackernews.com/2022/02/spanish-police-arrest-sim-swappers-who.html
https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=11102
Really nice post, Max! What you’ve made apparent is that cutting-edge technology is not the only prerequisite to carrying out a malicious agenda. All that is really needed is some confidence, and a cell phone to steal from unsuspecting, innocent individuals. I have no doubt that most people, in their naivety, are likely to believe that they will never be the victim of such crimes, but it really does not take much to be the victim of something like this, especially now. In fact, it seems techniques such as SIM swapping and phishing are only becoming more frequent, meaning that anyone can be the victim of such an attack. The lesson that must be learned here is to be wary, at all times, about the phone calls you answer, the people you interact with, and the information that is being asked of you. If you so much as answer a call and give out personal information, you might very well be the next victim of a crime such as the one described in this post. Always be alert!
Very true. For every bank account compromised in this incident, I imagine dozens, if not hundreds, more attempts by the criminals ended in failure and getting the phone hung up on them. Just being suspicious of any unidentified calls already makes one much safer against this kind of attack, not to mention the common sense of refusing to divulge sensitive information over the phone.
Your steps of stealing one’s identity do indeed sound like the Money Heist TV show. It was very interesting to read, you talk about every step very clearly and precisely. I am amazed to see that such a strategy still exists considering scams over the phone are so common now. The only reason I see why people give private information like passwords over the phone is that they are threatened. Similar to what we learnt in our recent lecture. However, it is good to see that the group was arrested and thanks for raising awareness about this.
As someone who ignores nearly any caller not in my contacts list, I was just as surprised at how lucrative this kind of scheme can be. I imagine that common-sense steps to securing one’s privacy will become more and more widespread with each new generation, but intimidation is one tool that should remain universally effective even decades from now when it comes to crime.
Thank you for sharing this topic. Today’s passwords can no longer fully protect the security of our accounts. We must also try our best to protect the security of our own information. Prevent criminals from getting our money through SIM swapping. Don’t trust unfamiliar calls. Be careful even if he tells you he is one of your friends. He’s probably a criminal in disguise.
Very interesting post here. It is such a detailed process for these cybercriminals and yet they find their way. This really shows the importance of multi-factor authentication, and maybe the need for other forms of authentication that do not involve a phone number. People have to be careful with their banking information. A good rule is to be extra suspicious and careful whenever you receive a call specifically talking about your banking information or any banking inquiries. Usually you do not receive phone calls about your bank information and typically if you receive a call that is valid, then it likely won’t require you to directly give out your PIN or password. Banking inquiries should be done from the consumer end by calling the bank. Sometimes, the bank will email you but it might be hard to tell if it is legitimate when someone randomly calls you! Thank you for sharing.
Very interesting post. The Spain story really got me hooked. I had no idea that it could be so simple to impersonate and get through two-factor authentication. This is absolutely scary considering the amount of information anyone can get through our phones and other sources. From the post and this course, one thing I have surely learned is to keep strong passwords for every login that contains our personal information. Good job on the article.
To a certain extent I have to wonder how much security measures mean without widespread education and proper compartmentalization. At least in my experience, computer security was not something taught to me until this class, and common sense can only take somebody so far. Furthermore, when vulnerabilities are interconnected, one person falling for a phone scam could jeopardize the security of many. I think these cases underscore the need for greater education, because as you pointed out, measures like two-factor authentication mean very little in the face of an inexperienced user.
Interesting post! What sticks out to me in this scam is that there was not a lot of “cutting edge” technology used. Instead there were some very confident people skills, and a little ingenuity. I definitely agree with your conclusion, when scammers are relying on people to panic for the scam, the easiest way to stop the scam is to simply double check whatever the scammers are trying to convince you of; “Don’t give out your password over the phone” is definitely advice worth heeding.
Interesting Post. The passwords can never again completely safeguard the security of our records. We should likewise make an honest effort to safeguard the security of our own data. I never thought there was a possible way to get through someone’s account through two factor authorization and that’s scary since all of us think it protects us and if it doesn’t I don’t think anybody is safe in the online world.
It is somewhat funny how easy and straightforward this method of scamming is; no new technologies were used and they were able to scam banks to gain access to their victims’ funds. Even though it is mainly the fault of victims, improvements can definitely be made to improve the security; instead of just using the phone number, more factors of authentication could be added so the banks are even less likely to be fooled.
Though no matter how much we secure a system, it will always be at threat due to people’s ignorance so one of the best ways to make a system secure is to teach the people using it how to be secure, which is not a herculean task if the system is present at the workplace as people can be taught easily but the difficulty exponentially increases if we talk about the general public.
Great post! Thanks for sharing such a detailed process. We might be familiar with such phishing techniques. And we know how not to give out any information over the phone. However, there are still a lot of people who are victims of such crimes. And they can be your friends, parents or relatives. Whenever I read articles about such crimes, I have seen many comments calling victims “dumb” or “victim blaming”. I think people should understand how such criminals are impersonating someone in authority (bank, police, justice department, CRA, etc.) in order to manipulate/threaten victims. When people are rushing or panicking, they wouldn’t be able to think carefully. As you mentioned in the post, the lesson we need to learn from this story is to have a second look without rushing or panicking.
This is really informative but a scary post to me! Passwords will never be able to totally protect the security of our information again. We should also make a sincere effort to protect the security of our own information. I never imagined it was feasible to gain access to someone’s account using two-factor authorization, which is concerning since I was under this shadow it will make it difficult for anyone to access my account or my personal stuff like Emails, etc., and if it doesn’t, I cannot think of any other method to protect me in this internet world which is sooner or later moving to the multiverse thing. Good Job though!
Great post! This is honestly very clever on the part of the adversaries. I think you’re exactly right, as we continue to integrate new methods of security into our account protection we’re opening up new methods of attack. I don’t think this at all means that we should forgo the use of MFA because it can be abused, but rather that perhaps best practices for protecting your account when using MFA are made more known, rather than just giving the user a prompt that they should turn it on because it will protect their account better than before. Taking just a moment to give an explanation for how it works, and what to do if your phone is stolen could go a very long way towards protecting data. Won’t do much about people giving away their banking details over the phone though…
What an interesting post to read. I really like the way you have explained everything clearly and to the point. There were no advanced technologies used, yet people fell victim to this old-school cyberattack. No matter how strong your password is, or how far a company goes to protect its users from cyberattacks, we still have to look out for ourselves.
Thank you for sharing this post. Criminals use people’s lack of vigilance to cheat the victims’ personal information through the telephone, so as to further steal their bank funds. When we don’t disclose our identity information to strangers, criminals have no chance to cheat the bank through SIM exchange. For our information security, it is very important to find more ways to protect our accounts. This incident reminds us that we should carefully protect our personal identity information, do not easily answer strange calls, and try our best to prevent the threat of fraud. Raising our vigilance can help us improve our online security.
I have to commend you on your post, it is amazingly written! You make an excellent point regarding the ineffectiveness of developing more and more complicated and potent security measures with the same human weak point. I condone the actions of the robbers in this scenario, but I have to admit that their scam was very clever. The fact that they knew about the two-factor authentication systems in place to prevent them from simply getting passwords and IDs from their victims and gaining access is a testament to their ingenuity. They were able to successfully circumvent the “potent” security measure using people as their way in. I’m glad that they were caught and I agree with your tips regarding general caution and how you shouldn’t give out your password over the phone.
when a lapse of carelessness is enough to bypass them all.
Very interesting post. This reminds me that when I first came to Canada, my classmate received a fraudulent phone call, but he thought it was real and almost fell for it. We need to confirm the phone number or email address of the bank, and determine whether the bank will contact the customer through mobile phone. It is often this simple fraud that many people fall victim to.
This is a really interesting post, albeit a very cynical one. Not that you’re at all wrong, it is almost always going to be the human element that is at fault. I just wish it wasn’t so depressing. That being said, an institution like a bank tends to have higher security requirements placed on it either by statute or by their customers. Do you think in a situation like this that they are more at fault than the other parties?