Indian two-factor authentication fraudsters busted by Delhi cops

Filed Under: Featured, Law & order

Two more alleged cybercrooks are cooling their heels in custody this weekend after they were arrested by the Economic Offences Wing (EOW) of India's Criminal Bureau of Investigation.

The modern-day bank robbers were reported in the Indian Financial Express to have run a three-part scam that allowed them to work around the two-factor authentication protection offered by the victims' banks.

The pair were named as Mohammed Mirza Ali, alias Sanjay Soni, alias Mamu, from Mumbai, and Pritam Mishra, alias Preet Mishra, from Delhi.

Their modus operandi was straightforward and, apparently, surprisingly effective:

  • Buy compromised account details from other cybercrooks. (A Nigerian syndicate, according to the cops.)
  • Pay associates to open dummy bank accounts under false identities.
  • Trick mobile phone companies into issuing "replacement" SIM cards for chosen victims.

With the Personally Identifiable Information (PII) from the bank account data they'd bought, it seems that the last step, socially engineering the mobile phone company, was a breeze.

And once they had a triplet of {victim account, victim SIM, dummy account}, the rest would have been easy, even though any online transfer out of the victim's account would have required a one-time authentication code sent to the victim's mobile phone by SMS.

The problem, of course, is that, SMS codes aren't actually sent to your phone. They're sent to the phone in which the SIM card registered to your number is installed.

So, if your SIM has been cancelled, and a new one issued to someone else, the SMS codes no longer go to you.

Even if you had a strong passcode on your own phone, or a PIN code on your SIM, all bets are off. The crooks simply put the new SIM (for which they get to choose the PIN code, if any) into a phone of their own (for which they get to chose the passcode, if any.)

You'll eventually realise something is wrong, because your mobile will effectively go dead. Your cancelled SIM becomes worthless, so your phone will fall back to emergency calls only, just as if you had no SIM in it at all.

At this stage, sadly, you can't easily tell whether you're being tricked by crooks, have run out of credit on your account, or are merely suffering a service outage. And you can't call up and investigate... because your phone's dead!

Worse still, as Dmitri, an Australian victim of this type of scam, found out a few years ago, it might not be plain sailing even when you are able to report the problem.

Dmitri got short shrift from his own provider, who assumed he was the scammer. After all, he'd only just ported his number to a new SIM, and records "showed" that he had "authorised" the switch. So why, argued the phone company, would he want to port his number to yet another SIM so soon?

Admittedly, there's a limited window of opportunity for crooks to leech your account, since the game ought to be up as soon as you report the unauthorised cancellation of your SIM.

But the crooks can wreak plenty of havoc in quick order: the Indian police claim to have got onto the Mamu/Mishra case after a victim complained that two million rupees (Rs 20 lakh, more than $35,000) had mysteriously been transferred from his account.

So the moral of the story here, if you rely on your mobile phone as a second authentication factor for any service, is to act quickly and decisively if your service unexpectedly goes dead.

, , , , , , ,

You might like

One Response to Indian two-factor authentication fraudsters busted by Delhi cops

  1. Yohan Perera · 955 days ago

    It seems bad guys (or should I say 'brilliant minds' to please those who believe in the illusion called free flow of information and access for all) are always one step ahead...

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog