The recent incident of the SIM Swap Scam which victimized Ian Caballero has exposed the long-known weakness of 2-factor authentication which uses an owner’s mobile number to verify online banking transactions and site logins.
The premise of a two-factor authentication theoretically strengthens the security of online accounts. This has been used by GMail for the longest time (introduced by Google in 2011) and then implemented later on by several other sites like Facebook and Paypal.
Even online banking sites like BDO have introduced SMS verification as well (One-Time Password).
Two-factor authentication requires two separate credentials — the standard password that a user memorizes and a second password or PIN which is sent to the user’s mobile phone within minutes of logging in.
This makes it harder for a scammer or hacker to intrude into email or online banking accounts, as the system requires two passwords. The premise here is that the 2nd factor, the SMS, is impossible to sniff out because it is understood to be in the possession of the owner.
With the second security option, it now becomes impossible for a hacker from China or Russia to hack into your GMail account because they would also have to gain access to your mobile phone.
The SIM Card Scam has demonstrated the very weakness of the 2nd physical factor — the SIM card.
Once a scammer or thief gains physical access to your mobile phone or SIM card, the modus becomes much easier. With access to the SIM that is pre-registered to email accounts and banking accounts, it is then easy to retrieve the user name and reset the password, since all of these are sent through the validated mobile number.
In essence, the SIM card becomes a master key to your vault.
This reduces the strength of two-factor authentication to how easy or hard it is to acquire the user’s SIM card, which can happen in several ways:
1. SIM Cloning. Though it is harder to clone SIM cards now than many years back, it is still possible.
2. Theft, Robbery or Accidental Loss. Dozens of phones are lost or stolen in Metro Manila every day.
3. SIM Swap Scam. Identity theft used to apply for a SIM card replacement.
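The "master key" problem above comes down to one fact: the network delivers an SMS code to whichever SIM currently holds the number, not to a person. The following Python model is an added example (not code from the article or from any telco or bank) that replays a SIM swap against a naive SMS-based reset flow and against a guarded flow that refuses SMS as the sole recovery factor shortly after a SIM change. The carrier object, the SIM-change timestamp it exposes, the 72-hour cooldown and all numbers and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

SIM_CHANGE_COOLDOWN = timedelta(hours=72)  # assumed policy value, not a real telco rule


@dataclass
class Carrier:
    """Constructed stand-in for a telco: a number belongs to whichever SIM was
    most recently registered for it, which is exactly what a SIM swap changes."""
    sim_of: dict = field(default_factory=dict)
    changed_at: dict = field(default_factory=dict)

    def register(self, number: str, sim: str, when: datetime) -> None:
        self.sim_of[number] = sim
        self.changed_at[number] = when

    def deliver_sms(self, number: str, text: str) -> tuple[str, str]:
        # The network routes the message to the current SIM, never to the "owner".
        return self.sim_of[number], text


def send_reset_code(carrier: Carrier, number: str) -> dict:
    """Naive flow described in the article: the verified number is trusted blindly."""
    code = f"{secrets.randbelow(10**6):06d}"
    sim, _ = carrier.deliver_sms(number, f"Reset code: {code}")
    return {"status": "sent", "received_by": sim, "code": code}


def send_reset_code_guarded(carrier: Carrier, number: str, now: datetime) -> dict:
    """Mitigated flow: SMS is not accepted as the only recovery factor inside the
    cooldown after a SIM change (assumes the carrier exposes that timestamp)."""
    changed = carrier.changed_at.get(number)
    if changed is not None and now - changed < SIM_CHANGE_COOLDOWN:
        return {"status": "blocked", "reason": "SIM changed within cooldown; require another factor"}
    return send_reset_code(carrier, number)


def simulate_sim_swap() -> dict:
    """Victim's number is moved to the attacker's SIM; compare the two flows."""
    carrier, number = Carrier(), "+63-900-000-0000"      # constructed number
    swap_time = datetime(2020, 1, 1, 9, 0)                # constructed timestamp
    carrier.register(number, "victim-sim", swap_time - timedelta(days=400))
    carrier.register(number, "attacker-sim", swap_time)  # the SIM swap itself
    return {
        "naive": send_reset_code(carrier, number),
        "guarded_same_day": send_reset_code_guarded(carrier, number, swap_time + timedelta(hours=2)),
        "guarded_after_cooldown": send_reset_code_guarded(carrier, number, swap_time + timedelta(days=4)),
    }
```

The third result shows the limit of a cooldown alone: once it lapses, the code still goes to whoever holds the number, so the stronger fix is a second factor that is not tied to the number at all.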
The more chilling effect is that the next time you get robbed of your cellphone while commuting, the robbers are no longer limited to taking the money from your wallet; they can also use your phone to transfer money out of your bank accounts. It may seem far off, but who would have thought that the SIM card scam would go as far as transferring money from the victim’s BDO account to the perpetrator’s Security Bank account.
The contention of the victim is that the telecoms company (in this case, Globe) was not thorough in making verifications when people apply for new postpaid lines or SIM replacements. It’s a loophole, we can admit that, but telcos operate within the realm of their own domain. They operate under the premise of a minimum acceptable requirement that balances convenience and security. This is more or less the same protocol as in many other institutions, like credit card companies. But that’s another lengthy discussion altogether.
YugaTech.com is the largest and longest-running technology site in the Philippines. Originally established in October 2002, the site was transformed into a full-fledged technology platform in 2005.
Mr A says:
A dilemma indeed. They can’t simply force subscribers to come personally to the store to have their SIMs replaced (executives and very busy people would not like it). Training people to detect fake signatures is costly, too.
I was thinking of putting a security phrase or security answer. Besides the representative asking for the account details (which can be easily obtained if one’s Facebook profile information is open), they will ask for a secret answer. Amazon asked this when I requested that my multi-factor be canceled. He asked me for my pet dog’s name. I gave him an answer that only I can give, since I didn’t use my actual dog’s name. It’s just a made-up name that I never shared with anyone.
But that would require the subscriber to be the one replacing the SIM card, which wouldn’t really make the whole situation safer if you give it to someone.
Maybe next time, they should ask for an email, an email that is not tied to the phone. If there is a request for a SIM replacement or something drastic, the subscriber has to click the email that is sent there before the replacement SIM gets activated.
Or a one-time token, like a card that you will give to the person that will replace your SIM for you. The customer service at the store will verify it, then take it. The subscriber will have to request another token, either by mail or by physically going to the store to get another one.
Just some suggestion.
Concern Citizen says:
There’s no safe place, especially in a mobile network. Computer admins or even customer representatives of Smart, Globe and Sun have the capability to hack our private data, even our text messages. Changes in security architecture should be implemented.
H says:
Don’t activate the “Transfer to anyone” mode when banking online. And don’t put your cel no. on your FB account.
BinaryFly says:
Shouldn’t use SMS-based 2-factor authentication when on prepaid. Use 2-factor apps like Authy instead. 2-factor using the phone number is a headache, especially when you lose or change numbers.
Jobitale says:
If someone gets your SIM card, is it really that easy to get into your email? Isn’t that in the apps (email client or online banking apps) on the phone itself?
Unless the username and password for online banking and email are saved in the contacts on the SIM card. Hehehe
Or when the phone was lost, the finger used to unlock the sensor went with it. Lol
What is the point of this article, giving a warning? Or scaring people without basis, just padding out the length of the article on a somewhat timely issue?
Seems pointless. Peace, sir Abe. :)
Xtra says:
What I think happened.
1. First, Mr. Caballero’s outlook was hacked which contains his personal accounts (probably his passwords too).
2. The hacker found out that the login credentials found on outlook was working but is asking for a code (2nd authentication) which is sent to a mobile number.
3. The hacker probably knows Mr. Caballero (might be personally known to him) and his phone number.
4. Since the hacker knows him, it will be easier for him to pretend that he was asked to request a SIM swap.
5. The Telco (might have) failed to do a proper validation to the request. Approved, then BOOM.
Please note that we will only get to the second authentication after a successful login. If you keep your password to yourself, this could easily be prevented.
Etgf says:
If you read the FB post of Mr. Caballero, the hacker is also a Globe employee.
Joseph says:
If the email was hacked, which was the main source of the identity theft, then it was his lapse. Seems like with the email hacking they knew all the details about him already, even his banking info, prior to the ‘sim scam’. And believe me, it’s not that easy to get a SIM replacement in Globe. In fact, it’s a hassle, they ask for so many things.
Kunsel says:
Could it also be an inside job? I read his post on FB.
Just disable transfer to anyone. Or if it can’t be avoided, limit transfer to anyone to the same bank. Not crossing over to other banks.
Carl says:
Globe and other telcos should be more vigilant about this, imposing stricter rules and implementation for their employees and for those asking for SIM replacement.
yadzkie08 says:
I don’t get the part where he asked for a SIM replacement. So after the successful replacement, what did the culprit do? Please shed some light here. Kinda lost here. I’m not techy. Hihihi.
Nagmamagaling says:
I think this website needs a better editor. This article lacks important information. Who is this Ian Caballero? What happened to him? When writing an editorial, you don’t just jump directly to your opinion. You need to provide the vital information first, much like a heads up as to not leave your audience guessing what the article is for.
Yuki says:
Oh, actually Two-Factor Authentication has been around for a long time. YubiKey was one. HSBC Philippines already had it since 2003 if I remember correctly. Some other online services before Google already had it implemented (and mostly banks).
Google just happen to be the one that brought huge attention to it when they implemented it, and since then, it became the “in” thing.
But, as we say in security, your auths are only as good as the value you put on your security. Otherwise, it’s all nothing, 2FA/TFA or not.
There are others out there… if only these companies will listen.
kamote says:
SIM Swap Scam exposes weakness of TELCO SIM SWAP PROCESSING/PROCEDURES.
Rain says:
I’ve seen the news reports from ABS-CBN and DZMM about this.
My question is that WHY IS GLOBE NOT WILLING TO SHOW TO THE PUBLIC THE ACTUAL CCTV FOOTAGE OF THE PERPETRATOR WHICH VISITED THE GLOBE STORE IN NORTH EDSA??? That alone is an IDENTITY THEFT, which is a CRIME. At least by showing the CCTV footage which shows the face of the suspect to the public (like TV Patrol’s CCTV Patrol), the public can assist in finding the whereabouts of this suspect.