web analytics

SIM Swap Scam exposes weakness of 2-factor authentication

The recent incident of the SIM Swap Scam which victimized Ian Caballero has exposed the long-known weakness of 2-factor authentication which uses an owner’s mobile number to verify online banking transactions and site logins.

The premise of a two-factor authentication theoretically strengthens the security of online accounts. This has been used by GMail for the longest time (introduced by Google in 2011) and then implemented later on by several other sites like Facebook and Paypal.

Even online banking sites like BDO have introduced SMS verification as well (One-Time Password).

Two-factor authentication requires two separate credentials — the standard password that a user memorizes and a second password or PIN which is sent to the user’s mobile phone within minutes of logging in.

This makes it harder for the scammer or hacker to intrude into emails or online banking accounts as the system requires to passwords. The premise here is that the 2nd factor, which is the SMS, is impossible to sniff out because it is understood to be within the possession of the owner.

With the second security option, it now becomes impossible for a hacker from China or Russia to hack into your GMail account because they will have to gain access to your mobile phone too.

The SIM Card Scam has demonstrated the very weakness of the 2nd physical factor — the SIM card.

Once a scammer or thief gains physical access of your mobile phone or SIM card, the modus becomes much easier. By having access to the SIM that is pre-registered to email accounts and banking accounts, it is then easy to retrieve the user name and reset the password — all of which are sent thru the validated mobile number.

In essence, the SIM card become a master key to your vault.

This reduces the strength of two-factor authentication as to how easy or hard it is to acquire the user’s SIM card.

1. SIM Cloning. Though this is harder now to clone SIM cards than many years back, it is still possible to clone them.

2. Theft, Robbery or Accidental Loss. There are dozens of phones lost or being stolen in Metro Manila every day.

3. SIM Swap Scam. Identity theft used to apply for a SIM card replacement.

The more chilling effect is that the next time you get robbed of your cellphone while commuting, the robbers are no longer limited to getting the money off of your wallet, then can also use your phone to transfer money out of your bank accounts. May be far off but who would have thought that the SIM card scam would go as far as transferring money from the victim’s BDO to the perpetrator’s Security Bank account.

The contention of the victim is that the telecoms company (in this case, Globe) was not thorough in making verifications when people apply for new postpaid lines or SIM replacements. It’s a loophole, that we can admit, but telcos operate within the realm of their own domain. They operate under the premise of minimum acceptable requirement that balances convenience and security. This is more or less the same protocol with many other institutions like credit card companies. But that’s another lengthy discussion altogether.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,033 other subscribers
Avatar for Abe Olandres

Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.

21 Responses

  1. Avatar for Rain Rain says:

    I’ve seen the news reports from ABS-CBN and DZMM about this.

    My question is that WHY IS GLOBE NOT WILLING TO SHOW TO THE PUBLIC THE ACTUAL CCTV FOOTAGE OF THE PERPETRATOR WHICH VISITED THE GLOBE STORE IN NORTH EDSA??? That alone is an IDENTITY THEFT, which is a CRIME. At least by showing the CCTV footage which shows the face of the suspect to the public (like TV Patrol’s CCTV Patrol), the public can assist in finding the whereabouts of this suspect.

  2. Avatar for kamote kamote says:

    SIM Swap Scam exposes weakness of TELCO SIM SWAP PROCESSING/PROCEDURES.

  3. Avatar for Yuki Yuki says:

    Oh, actually Two-Factor Authentication has been around for a long time. YubiKey was one. HSBC Philippines already have it since 2003 if I remember correctly. Some other online services before Google already had it implemented (and mostly banks).

    Google just happen to be the one that brought huge attention to it when they implemented it, and since then, it became the “in” thing.

    But, as we say in security, your auths are only as good if you put high value in your security. Otherwise, it’s all nothing, 2FA/TFA or not.

    There are others out there… if only these companies will listen.

  4. Avatar for Nagmamagaling Nagmamagaling says:

    I think this website needs a better editor. This article lacks important information. Who is this Ian Caballero? What happened to him? When writing an editorial, you don’t just jump directly to your opinion. You need to provide the vital information first, much like a heads up as to not leave your audience guessing what the article is for.

  5. Avatar for yadzkie08 yadzkie08 says:

    Hindi ko magets yung part na nag ask sya ng SIM replacement. So after the successful replacement, what did the culprit do? Please shed some light here. Kinda lost here. Di ako techy kasi. Hihihi.

  6. Avatar for Carl Carl says:

    Globe and other telcos should be more vigilant about this. Imposing a more strict rule and implementation for their employees and for those asking for sim replacement.

  7. Avatar for Kunsel Kunsel says:

    Pwedeng inside job din? Nabasa ko post niya sa fb.
    Disable transfer to anyone na lang. Or kung hindi maiiwasan, yung transfer to anyone naka limit sa same bank. Hindi yung tatawid pa sa ibang bangko.

  8. Avatar for Joseph Joseph says:

    If the email was hacked, which was the main source of the indentity theft, then it was his lapse. Seems like with the email hacking they knew all the details about him already even his banking info prior to the ‘sim scam’. And believe me, it’s not that easy to get sim replacement inGlobe. In fact, hassle nga dami hinihingi.

  9. Avatar for Etgf Etgf says:

    If you read the fb post of mr. Caballero, the hacker is also an employee globe.

  10. Avatar for Xtra Xtra says:

    What I think happened.

    1. First, Mr. Caballero’s outlook was hacked which contains his personal accounts (probably his passwords too).
    2. The hacker found out that the login credentials found on outlook was working but is asking for a code (2nd authentication) which is sent to a mobile number.
    3. The hacker probably know Mr. Caballero (might be personally known to him) and his phone number.
    4. Since the hacker knows him, it will be easier for him to pretend that he was ask to request for SIM swap.
    5. The Telco (might have) failed to do a proper validation to the request. Approved, then BOOM.

    Please note that we will only get to the second authentication after a successful login. If you keep your password to yourself, this could easily be prevented.

    • Avatar for Abe Olandres Abe Olandres says:

      I believe the culprit went to get a replacement SIM and posed as a proxy or representative. He brought with him an authorization letter, a photocopies of Ian’s IDs.

  11. Avatar for Jobitale Jobitale says:

    Kapag nakuha ba ang sim card mo madali nang mapasok ang email mo? Di ba sa apps (email client or online banking apps) sa phone mismo yun?

    Unless nakasave sa contacts sa sim card yung username sa online banking at email at password. Hehehe

    O kaya nung nawala yung phone ay kasama yung daliri na pang unlock sa sensor. Lol

    Ano kayang point ng article na ito, nagbibigay ng warning? O nananakot ng walang basehan, dinaan lang sa haba ng article at medyo napapanahon na isyu?

    Parang pointless lang. Peace sir abe. :)

    • Avatar for Abe Olandres Abe Olandres says:

      Hi Jobi! This was demonstrated by TJ Manotoc last night during his guesting in SRO/DZMM. Once he got a SIM, he was able to request for the Gmail username and had it sent to the mobile phone. After getting the username, we also reset the password which uses the mobile number to verify.

      Once he got into the GMail, we browsed thru the email logs for banking transactions. Using the same mobile number, he went to the BDO website to request for the username and password that uses the phone number for verification.

    • Avatar for abe abe says:

      Nakalusot sa verification yung mokong at nakakuha ng bagong sim card. It’s all downhill from there.

    • Avatar for Con cit Con cit says:

      Its not pointless. Di mu lang talaga naintindihan. Its not simply getting a cell number and then transfer a money from one bank account to another. Sabi nga ni abe yung cell number ang master key. So yung gagawin ng scammer aalamin muna lahat ng bank details mu then if they pin point that you have mobile banking, thats the time they will need your number. Kasi sa bangko like bdo. Before you can transact thru phone banking kelangan mu iconfirm sa cellphone mu. Pati email add din. You can reset your pasword thru your cell phone.

  12. Avatar for BinaryFly BinaryFly says:

    Shouldn’t use SMS based 2-factor authentication when on prepaid. Use 2-factor apps like Authy instead. 2factor using the phone number is a headache specially when you lose or change numbers.

  13. Avatar for H H says:

    Don’t activate the “Transfer to anyone” mode when banking online. And don’t put your cel no. on your FB account.

  14. Avatar for Concern Citizen Concern Citizen says:

    There’s no safe place specially in mobile network. computer admin or even customer representative of smart, globe and sun have the capability to hack our private data even our txt messages. Changes in security architecture should be implement

  15. Avatar for Mr A Mr A says:

    A dilemma indeed. They can’t simply force subscribers to come personally to the store to have their sims replaced (executives and very busy people would not like it). Training people to detect fake signatures is costly, either.

    I was thinking of putting a security phrase or security answer. Beside the representative asking for the account details (which can be easily obtained if ones Facebook profile information is open), they will ask for a secret answer. Amazon asks this when I requested by Multi-factor canceled. He asked me for my pet dog. I gave him an answer that only I can give, since I didn’t use my actual dogs name. It’s just a made up name that I never shared to anyone.

    But that would require the subscriber to be the one replacing the SIM card, which didn’t really make the whole situation safer if you give it to someone.

    Maybe next time, they should ask for an email, an email that is not tied to the phone. If there is a request for a SIM replacement or something drastic, the subscriber has to click the email that is sent to that before the replacement sim gets activated.

    Or a one-time token, like a card that you will give to the person that will replace your sim for you. The customer service at the store will verify it, then take it. The subscriber will have to either request another token, either via mail or physically go to the store to get another one.

    Just some suggestion.

Leave a Reply

Your email address will not be published. Required fields are marked *