Nigerians count losses as SIM swap fraudsters empty bank accounts
In the mid-day, she walked into the newsroom. The young mother clad in a dark colour linen gown was overwhelmed with anguish. Sadness was written on her face as she sat perplexed. Her countenance, which was not welcoming, reflected the agony in her. Sawari Bolanle is a victim of Subscribers Identification Module (SIM) swap fraud.
She sighed, lamented and was in tears as she narrated her ordeal with the fraudsters, who illegally cleared her bank account.
According to her, she had swapped her Airtel number late last year and on February 15, her line stopped working by indicating SIM not provisioned. She inserted her SIM card into another phone but the same thing happened and, according to her, the customer care service failed to assist her, as they didn’t answer the call.
“On Monday, March 18, I went to Airtel office at Silver Bird Galleria, which was where my SIM was swapped on the December 27th. When I got to their office, I was told that the office would not be opened until 10:00 a.m. In order to while away time, I strolled down to Zenith Bank to carry out some transactions. I had plans to withdraw N100, 000 but the update I got from the Automated Teller Machine (ATM) was that I had insufficient fund. This prompted me to check my account balance; I was perplexed by what I saw. I went straight to the bank hall to lodge my complaint,” she said.
She added that the customer care official, who attended to her after going through her account details, mentioned that monies were transferred to Idowu Henry, Kubura and Omolara. The customer care officer added that N50, 000 was transferred to Idowu Henry twice and that some amounts were also transferred to other persons about four times from my account.
“I left the bank to lodge a complaint at the Airtel Office. I was not given any substantive reasons of how money was fraudulently transferred from by account.”
Bolanle is not alone in this; recently, an engineer based in Lagos, Omoniyi Johnson, was also a victim of SIM swap fraud in which his personal information was used in requesting a new SIM card by a fraudster. He said over N200, 000 was stolen from his bank account before he realised what happened.
According to him, network signal disappeared from his phone, which persisted despite rebooting his mobile device.
“Initially, I thought my phone had developed some fault, but after taking it to technician the following day, it was discovered that my SIM card was faulty. On getting to the operators’ customer care centre, I found out that someone else requested a new SIM with my number and had stolen my savings,” he explained.
A customer, Olabode Sindiq, with a Union Bank account 00106679** alleged that N49, 500 was deducted from his account on April 25 and 26, 2019 through a POS machine with code: (POS@3IPG0001)
He said the amount was withdrawn seven times simultaneously, while his branch – Union Bank Branch, Wharf Road, Apapa Lagos, was unable to identify the culprit or refund his money accordingly.
Sindiq said: “It was so unfortunate. I could not believe it. I paid the money into the bank in the morning and later at night, around 11:53 p.m. and 12:31 midnight, I received a debit alert, informing me that a total of N49, 500 had been withdrawn from my account though a POS machine. Meanwhile, my ATM card was with me while nobody had access to my secret PIN. I was dumbfounded. I reported to the branch only to be told to report back after two weeks, when they must have completed investigations into the matter. I reported back, but there has not been any concrete action on the matter.
“This is sad, in this digital era? At a press of a button you could have access to the details of transactions, but the bank appears to be taking customers for a ride.
“I am confused now because I needed the money for a project to be executed within a week and that has been delayed now. If Nigeria is to operate a cashless system, we should make it perfect; we should not subject people to sufferings over their hard-earned money. I hope the bank could facilitate the process and get my money refunded because I suspect foul play, a fraud,” Sindiq said.
What is SIM swap fraud?
A SIM swap fraud happens when someone convinces your carrier to switch your phone number over to a SIM card that a criminal possesses. In some cases, there are carrier’s employees working together with criminals.
By diverting your incoming SMS messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts in financial services, social networks, webmail services and instant messengers.
While payment methods through mobiles offer a convenience that is hard to debate, Kaspersky Lab research showed that mobile payments and the banking system are suffering a wave of attacks – mostly powered by SIM swap fraud – and people are losing their money as a result. This type of attack is used to not only steal credentials and capture one-time passwords (OTPs) sent via an SMS, but also to cause financial damage to victims, resetting the accounts on financial services, allowing the fraudsters access to currency accounts not only in banks but also in fintechs and credit unions. Fraudsters are also using it as way to steal money using WhatsApp, loading the messages in a new phone, contacting the victim’s contacts asking for money, simulating an emergency situation.
Furthermore, as the name suggests, this scam aims to transfer your phone number onto SIMs, especially new ones. The process is simple in itself, but involves several steps. Here’s what to watch out for:
According to the National Fraud Intelligence Bureau, the SIM splitter’s first step is to access your personal information. This can be achieved through bank statements, as well as increasingly through scouring social media profiles.
The hacker then obtains a blank SIM card and rings your mobile phone operator. With your personal information in hand, they pass the security checks and report your phone stolen.
At this point your SIM is blocked and the hacker activates the ‘new’ one.
While the victim is left with no service, the hacker is able to access all texts and calls, including the unique code that the bank sends to access their online system. The perpetrator has free reign over your account and can transfer your funds wherever they wish.
Not a Nigerian thing, though
During Kaspersky Lab’s yearly Cyber Security Weekend that took place in Cape Town, South Africa recently, Kaspersky Lab experts discussed the widespread growth of mobile payments across the globe and the many cyber risks that surround such technology. Especially the SIM swap fraud wave, which has become very common in Africa and the wider region. According a report of South African Banking Risk Information Centre (SABRIC), this type of fraud, more than doubled in the last year,
Senior Security Researcher of Kaspersky Lab. Fabio Assolini, said despite financial inclusion services prospering, the flip side to this is that it opens up a world of opportunities to cybercriminals and fraudsters, who are using the convenience a mobile phone offers to exploit and poke holes in a two-factor authentication processes.
Assolini said frauds using SIM swap are becoming common in Africa and Middle East, affecting countries like South Africa, Mozambique, Turkey and UAE.
According to him, the total money lost in the attacks varies by country: there are extreme cases, such as one in the United Arab Emirates, where one victim lost $ 1 million, while in South Africa one victim reported losing $ 20,000. “In average, fraudsters can steal $2,500 to $3,000 per victim, while the cost to perform the SIM swap starts with $10 to $40.”
Why the fraud is on the rise
A telecoms expert, Kehinde Aluko, blamed the rise in the menace on the economic situation in the country. Though, Aluko never justified the crime and youths involvement in criminal activities, “but it is painful that more victims are emerging daily and millions of naira are lost. But, come to think of it, when the youths are not engaged constructively, they tend to go into crime.”
Aluko urged government to invest in infrastructure rollout, especially power, “with power sufficient the armies of unemployed youths will have something meaningful doing.”
He noted that fraudsters use phishing attacks to obtain victims’ cellphone or Internet banking login details to wreck havoc on them.
Caught in the act
While efforts are being intensified in Nigeria to curb the menace, a 31-year-old man was caught in the act. He was arrested by the Special Anti-Robbery Squad for hacking. The culprit boasted that he can hack a phone even if it is locked
The man revealed that all he needed to do to hack someone’s account was to hack their SIM card.
Dare Oladimeji by name is a senior secondary certificate holder, who learned to hack into SIMs from Google. Oladimeji was arrested after security operatives tracked the suspect to Idi-Oro area of Lagos state, for an investigation that included the withdrawal of N200, 000 from a victim’s account.
Speaking to journalists, the man revealed that he began the hacking business after he came back from Dubai.
Oladimeji explained that he was a footballer and he had come back to Nigeria after he concluded his two years contract with Alain FC in Dubai. He said he had N7 million after he came back and invested N5 million in business. He said: “When I came back from Dubai in 2016, I brought N7 million, out of which I gave one Mr. Shola N5 million for a genuine business with NUPENG. Unfortunately, the man died.” “I decided to venture into this business which is a small version of yahoo yahoo because I didn’t want to go into robbery.
“At Idi-Oro, there are pickpockets, when they snatch phones from victims, they would throw the SIM cards away. What I do is to go looking for these SIM cards and continue from there.”
The secondary school certificate holder revealed that he learned to hack SIMs from Google. He said money could be withdrawn from an account with a stolen SIM card. According to him, it does not matter if someone’s phone is locked. He noted that there are different codes for hacking into SIM cards to get anyone’s account information.
“I work on SIM cards to get money. When I lay my hands on any, I would slot it into any small phone that is not android. When that is done, I would press a code which brings out the list of banks the owner of the SIM uses. For example, if the person is using GTB, I will proceed with the normal code of *37*100#. If the person has money, we would use it to buy a recharge card to confirm how much the owner has, through the debit alert that would pop in to reveal the balance. Thereafter, we would transfer the money into donor accounts, from where we would withdraw the money.
‘’Locking of phones with password does not stop me from hacking into any account, as long as I can lay my hands on the SIM card. All I need to do is to remove the SIM and slot it into a small phone. The only thing that can prevent me from hacking into account through a phone is when the SIM card itself is locked. But most people don’t lock their SIM cards, they only lock their phones. You can only beat my likes to the game if you lock your SIM card because only the owner knows the password.”
Telcos, banks trade blame
At a telecoms forum in Abuja earlier this year, operators in both the financial and telecommunications services had a heated debate over who should bear what blame as a result of frauds committed on customers’ bank accounts using technology networks.
It was difficult for the stakeholders to come to an agreement whether the victims of financial fraud should be classified as bank customers or as telecommunications operators’ customers.
Another difficulty that the stakeholders had was in establishing who ought to bear the responsibility for the building of technology infrastructure that would help to detect when a wrong subscriber that had swapped a SIM initiated a financial transaction through the networks.
Telecommunications operators alleged that banks wanted the technology solution to be given to them free while the banks contended that their services provided a flow of income to telecommunications operators.
It took the intervention of both the Central Bank of Nigeria and the Consumer Protection Council to establish that the subscribers were bank customers even when they used technology platforms to carry out transactions.
Executive Secretary, Association of Licensed Telecoms Companies of Nigeria (ALTON), Gbolahan Awonuga, said that telcos should not be blamed for the rise in SIM swap frauds.
Awonuga said that victims should blame their banks for whatever happened to the money kept in the custody of the banks.
But a senior executive with Access Bank, who doesn’t want his name in print, put the blame at the door step of the operators, stressing that the challenge is tehnology-driven.
Tackling the menace
The Executive Vice Chairman of the Nigerian Communications Commission (NCC), Prof. Umar Garba Danbatta, stressed that SIM fraud is fuelled by criminally minded individuals, who engage in illegal SIM swap. He stressed that SIM swap fraud has also come about, as mobile numbers of most subscribers have become their de facto bank accounts.
Danbatta urged the effective collaboration of other government agencies and concerned stakeholders with the NCC in order to support the telecoms regulator’s drive at curbing and possibly eliminating the scourge of pre-registered and improperly-registered SIM cards in the country.
From his perspective, the Director-General, Delta State Innovation Hub (DSHub), Dr. Chris Uwaje, SIM swap remains a fraudulent undertaking. He stated that the scam is known by other names such as SIM Splitting, SIM Hijack, and Port-Out Con.
Technically, according Uwaje, it reflects the following fundamental challenges: the porosity of the state of our digital Nation Critical Infrastructure (NCI); SIM card standardisation issues – with respect to manufacturing quality and security; deployment of unclassified, untested unclassified and unregistered foreign software; aging and near obsolete condition of equipment types, networking devices and transmission process of service providers, who are still operating on the IPv4 (Internet Protocol version 4) to deliver their services as well as faulty mobile phone devices – majority of which are second hand.
Uwaje further listed the neglected advanced skills of the youthful players in the emerging digital ecosystem, which have not been channeled to proper use; the depth of ignorance and naivety of users and above all, the enormous velocity of information (resulting into cumulative Big Data) inadequate skill and capacities to verify, authenticate identity, track, protect users and deliver safety of our digital Ecosystem.
Uwaje, a former president, Institute of Software Practitioners of Nigeria (ISPON), said the policy makers must realise that the evolution of ICT is at the dead-end of its life-span! “We cannot carry on relying on defective infrastructure. There is a fundamental need to seriously address the migration of our national ICT infrastructure to Internet Protocol Version 6 within the next 18 months. The future of work and delivering embedded tasks for sustainable development is at the door. The digital Ecosystem has emerged – with the digital ecology of connecting together all points of human activity and economy.
“This requires new skills, capacities, capabilities, policies and/or review of old ICT policy and strategies which for example was crafted outside the realm of AI, Robotics, Cloud-Competing, Big Data, Blockchain, M2M, cryptocurrency, BitCoin, virtual reality, 3D printing and so on.
Also, R&D becomes imperative and critical at this point in time – just as building a local cloud and deploying indigenous software applications – ensuring that we gradually move from proprietary software to open source computing standard models. It will also be very significant to reactivate the national Landline telephony and deploy massive broadband on optic fibre coverage to reduce SIM Hijack fraud.”
Uwaje pointed out that there is an urgent need to create national SIM fraud at least 50 local languages.
According to him, there is the need to remember that SIMs fraud goes beyond account takeover; it does not only affect the money end of users, but their entire life existence!
Uwaje said banks should be made to work out SIM Insurance Scheme with the network service providers to reduce the damage to users, general public and national security.
“Finally, this problem affects many segments of our society. The SIM crackers operate as gangs who raid and hijack SIMs from the grass roots to government personnel, security officers, businessmen and teenagers. Online banking customers are mostly the primary hit target and a gang can devour about 3000 victims per month!”