Indian two-factor authentication fraudsters busted by Delhi cops

Two more alleged cybercrooks are cooling their heels in custody this weekend after they were arrested by the Economic Offences Wing (EOW) of India’s Criminal Bureau of Investigation.

The modern-day bank robbers were reported in the Indian Financial Express to have run a three-part scam that allowed them to work around the two-factor authentication protection offered by the victims’ banks.

The pair were named as Mohammed Mirza Ali, alias Sanjay Soni, alias Mamu, from Mumbai, and Pritam Mishra, alias Preet Mishra, from Delhi.

Their modus operandi was straightforward and, apparently, surprisingly effective:

  • Buy compromised account details from other cybercrooks. (A Nigerian syndicate, according to the cops.)
  • Pay associates to open dummy bank accounts under false identities.
  • Trick mobile phone companies into issuing “replacement” SIM cards for chosen victims.

With the Personally Identifiable Information (PII) from the bank account data they’d bought, it seems that the last step, socially engineering the mobile phone company, was a breeze.

And once they had a triplet of {victim account, victim SIM, dummy account}, the rest would have been easy, even though any online transfer out of the victim’s account would have required a one-time authentication code sent to the victim’s mobile phone by SMS.

The problem, of course, is that SMS codes aren’t actually sent to your phone. They’re sent to the phone in which the SIM card registered to your number is installed.

So, if your SIM has been cancelled, and a new one issued to someone else, the SMS codes no longer go to you.

Even if you had a strong passcode on your own phone, or a PIN code on your SIM, all bets are off. The crooks simply put the new SIM (for which they get to choose the PIN code, if any) into a phone of their own (for which they get to choose the passcode, if any).
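To make the routing point concrete, here is an added toy model (not code from the article, the police, or any bank) of how an SMS one-time code travels: the bank sends to a number, the carrier resolves that number to whichever SIM it most recently issued, and the code lands on that card. The second half shows a mitigation the article does not describe but which follows from its “limited window of opportunity” point: the bank holds transfers when the number’s SIM was issued within a cooldown period. The 48-hour threshold, the phone number, SIM serials and timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets


@dataclass
class SimRecord:
    serial: str          # serial of the SIM card currently holding the number
    issued_at: datetime  # when the carrier issued that SIM


class Carrier:
    """Routes SMS by number -> whichever SIM was most recently issued for it."""

    def __init__(self):
        self.numbers = {}  # phone number -> SimRecord
        self.inbox = {}    # SIM serial -> list of texts that reached that SIM

    def activate(self, number, serial, at):
        self.numbers[number] = SimRecord(serial, at)
        self.inbox.setdefault(serial, [])

    def replace_sim(self, number, new_serial, at):
        # The previous SIM is cancelled: the number now resolves to new_serial,
        # and anything sent to the number lands on the new card.
        self.activate(number, new_serial, at)

    def send_sms(self, number, text):
        rec = self.numbers[number]
        self.inbox[rec.serial].append(text)
        return rec.serial  # which physical SIM actually received the text

    def sim_age(self, number, now):
        return now - self.numbers[number].issued_at


class Bank:
    """Issues SMS one-time codes for transfers; optionally holds a transfer
    when the destination number's SIM was issued very recently."""

    def __init__(self, carrier, sim_change_cooldown=timedelta(hours=48)):
        self.carrier = carrier
        self.cooldown = sim_change_cooldown  # illustrative threshold (assumption)
        self.pending = {}  # OTP code -> (number, amount)

    def start_transfer(self, number, amount, now, check_sim_age=True):
        if check_sim_age and self.carrier.sim_age(number, now) < self.cooldown:
            return {"status": "held", "reason": "SIM issued within cooldown"}
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (number, amount)
        sim = self.carrier.send_sms(number, f"Transfer code: {code}")
        return {"status": "otp_sent", "delivered_to_sim": sim}

    def confirm_transfer(self, code):
        # Whoever can read the text can present the code; the bank cannot tell who.
        return self.pending.pop(code, None) is not None


def extract_code(text):
    return text.rsplit(" ", 1)[1]


def run_scenario():
    """Constructed timeline: victim's SIM issued a year ago, a replacement SIM
    issued for the same number at t0, transfer attempted one hour later."""
    number = "+91-0000000000"  # constructed placeholder number
    t0 = datetime(2014, 1, 1, 9, 0)
    carrier = Carrier()
    carrier.activate(number, "SIM-VICTIM-0001", t0 - timedelta(days=365))
    carrier.replace_sim(number, "SIM-REPLACEMENT-0001", t0)
    later = t0 + timedelta(hours=1)

    # Without the check: the code goes to the replacement SIM and validates.
    naive = Bank(carrier)
    sent = naive.start_transfer(number, 2_000_000, later, check_sim_age=False)
    code = extract_code(carrier.inbox[sent["delivered_to_sim"]][-1])
    naive_ok = naive.confirm_transfer(code)

    # With the check: the transfer is held for out-of-band verification.
    checked = Bank(carrier)
    held = checked.start_transfer(number, 2_000_000, later)

    return {
        "naive_delivered_to": sent["delivered_to_sim"],
        "naive_confirmed": naive_ok,
        "victim_sim_saw_code": bool(carrier.inbox["SIM-VICTIM-0001"]),
        "checked_status": held["status"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The model deliberately gives the bank no way to distinguish who typed the code: the only signal it can act on is carrier-side metadata such as how recently the SIM behind the number changed, which is why the hold happens before the code is sent rather than after it is entered.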

You’ll eventually realise something is wrong, because your mobile will effectively go dead. Your cancelled SIM becomes worthless, so your phone will fall back to emergency calls only, just as if you had no SIM in it at all.

At this stage, sadly, you can’t easily tell whether you’re being tricked by crooks, have run out of credit on your account, or are merely suffering a service outage. And you can’t call up and investigate… because your phone’s dead!

Worse still, as Dmitri, an Australian victim of this type of scam, found out a few years ago, it might not be plain sailing even when you are able to report the problem.

Dmitri got short shrift from his own provider, who assumed he was the scammer. After all, he’d only just ported his number to a new SIM, and records “showed” that he had “authorised” the switch. So why, argued the phone company, would he want to port his number to yet another SIM so soon?

Admittedly, there’s a limited window of opportunity for crooks to leech your account, since the game ought to be up as soon as you report the unauthorised cancellation of your SIM.

But the crooks can wreak plenty of havoc in quick order: the Indian police claim to have got onto the Mamu/Mishra case after a victim complained that two million rupees (Rs 20 lakh, more than $35,000) had mysteriously been transferred from his account.

So the moral of the story here, if you rely on your mobile phone as a second authentication factor for any service, is to act quickly and decisively if your service unexpectedly goes dead.