OTP to mobile was introduced as the ultimate killer security feature for financial transactions. But digital criminals started using the OTP itself to steal money. Welcome to SIM SWAP, the security headache on the horizon.
It begins with a call from the branch manager of your bank. He is in a hurry and has a convincing story about a pending verification. He is sitting in front of a computer terminal. He has all details like your Name, Date of birth, Mobile Number, Bank Account No, etc. He also asks you to confirm the last four digits of your debit card number. And then he is asking for the CVC Number and debit card PIN.
There is a faint recollection of SMSs you have received which begins with the lines … “Bank officials do not call for PIN or password….” But the damage has already begun. And till the time luck does not intervene, you are in big trouble.
The conversation goes on with a series of questions for verification and then a confirmatory SMS from the bank. Your next trip to the ATM or branch to update your passbook shows multiple transactions/withdrawals.
What is SIM SWAP
Someone acting on your behalf approaches a mobile company office and submits documents for a SIM change. With the new SIM card activated, the old one held with you is automatically blocked. All transactions messages including OTPs are now received by the criminal. This in simple terms is called SIM SWAP.
Alternatively, if you click a link in an SMS, it installs a virus/malware on your phone. This starts sending OTP to the criminal. This way a SIM SWAP is not required.
The sum of all fears
Case 1 – Multiple withdrawals with SMS notification – Debit card has been cloned. PIN also stolen at ATM location or at POS machine at some store.
Case 2 – Multiple withdrawals without SMS notifications – Debit card plus PIN stolen. SIM SWAP also done.
Case 3 – Multiple online transactions – Debit/Credit card cloned. SIM also blocked.
Case 4 – Money transferred to other accounts online – SIM SWAP and online login credentials stolen.
Play it safe with some simple precautions
Do not click any link in an SMS. No matter how official it looks.
Do not click on any link, even those forwarded by friends and known people.
Do not attend to any calls from anyone asking for financial or personal information.
Do not permit any one to access or use your phone.
Do not share your PIN or password with anyone.
Do not lend your debit card to anyone.
Do not allow the debit card away from your sight.
Do not trust anyone, not even yourself!