Explainer: How to avoid falling victim to Sim swap fraud
There was public outrage over the dramatic rise of Sim swap fraud as more victims of the racket that has seen fraudsters stealing from bank accounts spoke out a day after a Nation exposé.
The financial scam sweeping the country focuses on shifting control of the victim’s phone account from their Sim card to one controlled by the hacker.
Subscribers want the three leading telcos — Safaricom, Airtel and Telkom — to strengthen the authentication and security measures governing the registration and replacement of mobile phone numbers.
A Twitter user identified as Itsweu-@Dmweuu said his father had been a victim of Sim swap fraud.
“He woke up one morning and realised that his Sim card had been blocked; he couldn’t access M-Pesa. He went to the telco’s shop and they told him a swap had been done.”
“In addition, the criminal had borrowed Sh30, 000 from M-Shwari. The telco [didn’t] do anything to help. Utaibiwa na bado ulipie sababu ya kuibiwa, (They steal from you then you have to pay loans you didn’t take),” he posted.
Gabriel Jawbreaker, another social media user, called on banks and mobile service providers to review their policies on Sim replacement and access to M-Pesa.
“To stop this fraud, if one replaces their Sim card for whatever reason, the card and M-Pesa account should only be reactivated after 24hrs from the time of replacement,” he posted.
A Twitter user identified as Jumah was puzzled by how one could swap a Sim card without an ID number or M-Pesa pin.
Andrew Musyoki questioned how a Sim swap would give hackers access to bank accounts, Pin or passwords and how they bypass security features. Baroness Cherie, another Twitter user, suggested a solution.
“Sim providers need to come up with an app-based 2FA [two-factor authentication] text message-based and number lock system. This Sim swap is an old fraud originally used to steal cryptocurrency. I am not surprised it has come to this,” she said.
Other readers e-mailed the Nation, narrating how they lost money from their accounts, ranging from Sh22,000 to millions following Sim swaps.
On its official website under cyber security and impersonation section, Safaricom explains that a Sim swap is whereby fraudsters replace and take over the customer’s line. It’s among crimes categorised as identity theft.
The possibilities of what can be done by fraudsters once they gain access to one’s Sim are mind-boggling. The digital criminals can successfully register an existing phone number on a new Sim card with the sole purpose of intercepting notifications, one-type passwords, online banking profile and transactions as well as changing the account security settings.
To avoid this, Safaricom recommends that one should ensure his or her Sim card has an active Simn lock, use strong passwords and keep personal information off social media.
Kenyans can also dial *100*100# and activate anti-swapping. This means one cannot swap their Sim card at an M-Pesa agent as it can only be done by presenting themselves physically at a Safaricom shop.
Sim swap has proven to be a headache for millions across the world. It was among the key issues discussed during the 16th Symposium on Usable Privacy and Security in the US in 2020.
The programme brought together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy and they jointly came up with guidelines to deal with the Sim swap menace.
The Nation explains what the Sim swap is about and what to do, to keep oneself safe from such attacks.
1) What is a Sim swap?
A Sim swap happens when someone steals your personal phone number and assumes your identity. This makes it very easy for such an individual to access most of your private data, including email, social media accounts and bank accounts through mobile apps.
The fraudster will often access these details by intercepting the confirmation codes that were supposed to be texted to your device.
This way, the fraudsters can clear your bank accounts, withdraw overdrafts, take loans, and even use your e-mail to get your family and friends’ contacts.
2) Are Sim swaps common?
Whereas there is no public data given in Kenya regarding the prevalence of Sim swaps, the outrage shared by Kenyans online proved the situation is murky on the ground. A study by Princeton researchers on the ease of conducting Sim swaps proved it to be easy after they successfully completed 39 fake Sim swaps in 50 attempts, a whopping 78 per cent success rate.
3) How would you know your Sim is a target for Sim swap?
Having no cell phone service despite there being good network coverage could be an indicator of an ongoing Sim swap. Also, being locked out of your phone’s online accounts, or mobile banking applications could be an indicator that a Sim swap is underway and/or has already been conducted.
Getting phone notifications or prompts for things you have not authorised or asked for could also be caused by a Sim swap. Getting incessant calls especially from strange numbers could also be an indicator of a looming Sim swap.
The callers want you to switch off your phone and thus successfully perform the Sim swap.
Should you note any of these pointers, it is time you inform your mobile service provider and inform them that you have not requested for any changes.
It is also important to reach out to your bank and check on the transactions and sieve to sort any suspicious activities or transactions not initiated by you.
How to prevent Sim swap
1) Limit the amount of personal information you share online.
Fraudsters often monitor our digital footprint and will pick the smallest details to convince your mobile service provider that they are you. Avoid posting anywhere public your full name, address, phone number and birth date. Also, do not over share details of your personal life on social media. Other than online, one should be very careful about leaving ID numbers and mobile numbers in public spaces as these details can be lifted by fraudsters from books, often left at building’s security checkpoints, to attempt Sim swaps.
2) Use strong passwords and security questions.
Always use a password that is very difficult for anyone, including your closest acquaintances, to guess. It is recommended that the password should have 12 characters or more to protect your cell phone’s online account as well as that of other mobile apps such as mobile banking apps. If possible, use identity questions that are unique to yourself.
3) For mobile banking apps, use both face and touch identification authentication whenever possible.
Before installing a sensitive app such as a mobile banking one, ask the providers if they have a two-factor biometric system for identification and use both of the features when accessing the application. For instance, use both the fingerprint and facial identification features when using a mobile banking app.
4) Beware of phishing emails, texts and calls. Look out for impostors posing as staff from your mobile service provider or reputable financial institutions seeking private information from you. Hang up immediately and report the number to the relevant authorities.