Tonight the 31st October 2018, yep Halloween night, at 8pm I’ll be introducing BBC viewers to King-Con – my alter ego, if I had one. In tonight’s episode of Watchdog (8pm, BBC 1), I go up against the phone stores and the two-factor authentication system used by some high street banks!
I first heard the term ‘sim swap’ in South Africa a few years ago and wondered what it meant. So, I asked the guy who had just been talking about it, and he replied: it is where a fraudster swaps a victim’s phone SIM to gain access to that person’s bank account! Of course, at that point I knew exactly what he was talking about. In the criminal world these are known as ‘code tens’.
‘Code tens’ are basically all of your information (data) that criminal networks get hold of and exploit. Criminals pick up data on all of us. I know this because it’s something that I used to do myself. I would do things like use insiders at banks and other companies who were willing to sell your data to me. I’d make use of the bad disposal methods these companies adopted to get rid of your valuable data, and exploit that. And of course, I could always use hacks – the kind we hear about every day.
I’ve been saying for a while now that the media have socially engineered the world to believe a hack is something that just takes place digitally. In real life, 75% of all hacks contain a human element: a faulty or corrupt link in the chain of people who handle this precious data every day in their jobs.
The scary thing is, it’s not getting any better. We live in very testing times indeed, making huge technological jumps all the time, and new technologies are constantly being invented. But with this come unknown landscapes, and this is what creates opportunities for criminals.
The rise of the smart phone over the last five years has been astonishing. We all want that latest bit of kit. These constant updates to our technology create the opportunity for criminals to steal and harvest information (data) at a rate not possible before. The faster we want it, the faster the criminals can nick it.
But what do they do with it? Everyone always assumes that all this stolen data for sale is only available on the dark web, but for me that wasn’t the case. As a criminal, I would often use information from the surface web. There are many hidden sites on the surface web too. But social media is hugely important to criminals exchanging data.
We all put stuff on social media without really thinking. Many times, I’ve seen friends post to social media about how their kid has just passed their driving test. That’s a whole load of info right there, just on one page. And that’s before I get to all the people who put their phone numbers on their online profile. Oh and, of course we all love a happy birthday message on that special day. Thanks, that’s the date of birth sorted.
The fact is: we’ve all got used to giving out our information. This is what allows the criminals to thrive.
Tech could answer the problem it’s created
No one ever thinks that these sorts of problems will come when they are creating the future; that would be mad, right? This is something I have seen so many times in my eight short years working in loss prevention. There is technology available to counter these problems; however, companies are reluctant to pay for it.
It’s pretty obvious to me, as someone who has committed fraud, that the front line is where it all happens, where criminals turn ideas into gold. The problem is that most companies pay such low wages to front-line staff that staff turnover is high. Companies therefore consider the in-depth training needed to prevent so many of these frauds unviable.
How is it even possible that I can just walk into a high street mobile provider and, without any ID, gain access to a person’s bank account and steal all that person’s money? It is possible because the whole thing relies on two totally different industries that, because of data protection, cannot share information on their same customer.
2016 was the year of the hack with over 3 billion records lost or stolen due to some sort of hack. That’s nearly half the people on the planet that can potentially become victims to fraud and it’s only just starting!
Who pays for the fraud?
It has happened so much over the last five years that the banks have had enough. They now say that if you are the victim of a bank account scam (tricked out of your life savings) you should be liable for the losses, not the bank. Well, I suppose if you took money out of the cash point and then lost it, that would be your fault, not theirs!
But the big difference with these types of scams is that the fraudster is using some of your information to gain your trust. At some point, the victim’s information has been lost to the criminals due to some sort of hack, gross neglect of data, or an insider gone rogue. This is where I think there is a grey area, and why I think the banks’ new policy is unfair on the millions of global victims!
I fully understand that if the victim has been negligent then it’s their fault, but this is surely a grey area? How did the scam start on the victim, and how much did the fraudster know about the victim? Where, or to whom, has the victim given their information?
In the latest series of Watchdog, due to be aired on the 31st of October (Halloween), I show how easy it is to go into a phone shop without any ID and just swap over the victim’s number.
This simple act is what allows a fraudster to get the important one-time passcode that is needed to transfer funds from an account. What has this got to do with banking? Let me explain.
Well, for a few years now I have been telling banks that two-factor authentication can be got around. I’m still not sure who is to blame for this, whether it’s the bank or the mobile phone store, but the fraudster doesn’t care about such minor details: they just want to steal the victim’s money!
I’ve said it before: the one thing that criminals do is seize upon the opportunity presented to them. Let’s take GDPR, which came into effect on May 25th, 2018. The UK updated its policies on data and, most importantly, on how companies keep and share all our information.
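A defender-side check that follows from the bypass just described, added here as an illustration and not code from the programme or the author: it assumes the bank can see a timestamp for the most recent SIM change on the customer’s number (an assumed feed, since the post’s point is that the two industries do not share this today), and it stops treating an SMS code as a trustworthy second factor when the SIM changed inside a policy window. Event data and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events, not from the page or the programme: one SIM change on the
# victim's number, then two SMS one-time-passcode requests for outgoing transfers.
EVENTS = [
    {"ts": "2018-10-31T14:05:00", "type": "sim_change", "msisdn": "+447700900123"},
    {"ts": "2018-10-31T15:10:00", "type": "otp_request", "msisdn": "+447700900123",
     "account": "acct-42", "amount": 9500.0},
    {"ts": "2018-10-31T15:12:00", "type": "otp_request", "msisdn": "+447700900456",
     "account": "acct-77", "amount": 120.0},
]

# Assumed policy value (not stated on the page): how long after a SIM change the
# number stays untrusted for SMS codes.
SIM_CHANGE_WINDOW = timedelta(hours=72)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def last_sim_change(events, msisdn, before):
    """Most recent SIM-change time for this number strictly before `before`, or None."""
    changes = [_ts(e) for e in events
               if e["type"] == "sim_change" and e["msisdn"] == msisdn and _ts(e) < before]
    return max(changes) if changes else None


def assess_otp_requests(events, window=SIM_CHANGE_WINDOW):
    """For each OTP request decide whether SMS is still a usable second factor.

    Returns a list of (account, decision, reason). 'step_up' means: do not rely on the
    SMS code; confirm through a channel the SIM swap does not capture, such as the
    bank's app on a previously enrolled device or a call-back to the customer.
    """
    decisions = []
    for e in events:
        if e["type"] != "otp_request":
            continue
        when = _ts(e)
        changed = last_sim_change(events, e["msisdn"], when)
        if changed is not None and when - changed <= window:
            hours = (when - changed).total_seconds() / 3600
            decisions.append((e["account"], "step_up",
                              f"SIM changed {hours:.1f}h before transfer of {e['amount']:.2f}"))
        else:
            decisions.append((e["account"], "sms_ok", "no recent SIM change on record"))
    return decisions


if __name__ == "__main__":
    for account, decision, reason in assess_otp_requests(EVENTS):
        print(account, decision, reason)
```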
Basically, if a company holds information on you like your date of birth, your address and your phone number, then they are holding vital information on you and for that they have a responsibility. Companies must by law keep whatever data they have on us safe or at least prove that they have done everything they can to be as secure as they can be.
The scary part is that nearly every office I go into, in any country in the world, has some problem or another with its security and data protection policies. I think that most companies around the world only ever do as little as they can get away with. Up-scaled, diluted training is simply a faster way for the companies to keep a hold on the money.
In the end it is the same old story. The greedy always get stung because they just miss those little bits. That little bit makes all the difference. And for those of you that are in the corporate world: how many companies are still not ICO registered or even know how to respect the data and keep it safe?
So many companies out there claim to be the best GDPR consultants on the planet. But how many of them know how to keep your data safe?
Yes, there are some good ones out there but there are so many that have jumped on the GDPR wagon and don’t even understand it.
I can remember a time when companies thought a breach was just a theory. They don’t think that now, do they? As yet, no big brand has gone pop because of data loss, but one thing is for sure: it will happen.
On the 31st October 2018 (Halloween) at 8pm on BBC1 I will show you how easy it is to ‘sim swap’.
Tony Sales is an ex-fraudster and world-leading fraud prevention expert.