Cert NZ is warning about a new cybercrime that's made its way to New Zealand: SIM card hijacking, also known as a SIM card swap attack, which allows a hacker to take control of your mobile phone number and impersonate you.
The Crown cybersecurity agency says "less than 10" Kiwis have been hit by the scam.
But Cert director Rob Pope says because it gives a hacker such pervasive control over your life, the average loss has been large: some $30,000 per victim.
And as the Herald pointed out back in October last year, it's a nightmare to sort out.
In detailed comments (see below), Spark said safeguards were tricky to implement under current legislation, because an attempt by the provider losing the number to contact a customer and confirm they really wanted to take their mobile number elsewhere was regarded as an anticompetitive attempt to win them back.
Cert (the initials stand for Computer Emergency Response Team) was set up as a kind of cyber triage unit. It can direct people or small businesses to the right law enforcement or technical help in the event of an online attack or attempted scam.
SIM hijacking is where an attacker uses social-engineering (old-fashioned con artist) skills to get your mobile phone number moved onto a SIM card they control, either by talking your provider into issuing a replacement SIM or by porting the number to another provider.
The hacker can then receive all voice calls and texts meant for you.
"Once the attacker has the victim's mobile phone number on their SIM card, they try to access their accounts, such as bank accounts, using stolen or guessed credentials," Cert NZ warns.
"When prompted for a two-factor authentication code, the attacker uses the stolen number to receive two-factor authentication by SMS – working around the security control.
"There is a significant risk to the people and businesses targeted by these attacks because the attacker can perform sensitive tasks, like changing passwords or authorising financial transactions."
Anecdotal reports show that incidents of SIM swapping are increasing, "as motivated attackers find ways to circumvent additional security controls," Cert says in its latest quarterly report.
SIM swap attacks exploit the process of porting, or "number portability", which lets you take your phone number with you when you switch mobile service providers - something that was introduced in NZ and elsewhere to boost competition.
It's been around a while overseas, Cert NZ director Rob Pope says, but the fourth quarter of last year was the first time it appeared in New Zealand.
Pope says the key step people should take to protect themselves is to not use two-factor authentication (or "2FA") that involves a mobile phone. That's when you don't just have to type a password into your computer to access a website but also a code sent to your phone by text.
People should look for an alternative confirmation, such as a code sent to an app.
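To make the difference concrete, here is an added illustration in Python (written for this article; it is not Cert NZ's, the Herald's or any telco's code). It implements the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps use, with the published RFC 4226/6238 test secret as constructed sample input. The point it shows: an SMS code is generated by the service and handed to the carrier for delivery to whichever SIM the number currently maps to, whereas an app code is computed on the device from a secret shared once at enrolment, so nothing the attacker gains by moving the number lets them produce it.

```python
"""Added example: why an authenticator-app code survives a SIM swap.

An SMS one-time code is delivered over the mobile network to whatever SIM
the number points at today. A TOTP code (RFC 6238, the scheme behind most
authenticator apps) is computed locally from a secret the service shared
at enrolment; the carrier never handles the secret or the code.

Illustrative code written for this article, not Cert NZ's or a telco's.
Test values are the RFC 4226/6238 published vectors (constructed input).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per TOTP window (the RFC default)


def secret_from_base32(b32: str) -> bytes:
    """Decode the Base32 secret an app scans from an otpauth:// QR code.
    Enrolment secrets are often shown without '=' padding; restore it."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a `digits`-long, zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check. Accepts the current step plus `window` steps on
    either side to tolerate clock drift, but refuses any step at or below
    `last_counter` so a code that was phished once cannot be replayed.
    Returns the matching step (persist it as the new last_counter) or None.
    The comparison is constant-time to avoid a timing side channel."""
    now = unix_time // TIME_STEP
    for c in range(now - window, now + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c
    return None


if __name__ == "__main__":
    # Constructed demo: the RFC test secret, in the form an app receives it.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    assert secret == b"12345678901234567890"
    # The victim's phone and the service compute the same value; no message
    # crosses the mobile network, so a ported number yields nothing.
    print("code at T=59:", totp(secret, 59))                               # 287082
    print("accepted step:", verify_totp(secret, "287082", 89))             # 1
    print("replay:", verify_totp(secret, "287082", 89, last_counter=1))    # None
```

The replay guard matters in practice: a SIM swap is often combined with phishing, and a code that was entered once should not be accepted a second time even inside the drift window.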
Many services also ask for the answer to a security question you've set up, such as "What is your mother's maiden name?", often as a backup or account-recovery check. Pope says unfortunately that information is usually easy to find online. The solution is to set up security questions with untrue answers, and to keep a record of them somewhere safe.
Industry group the Telecommunications Forum (TCF), whose members include Spark, Vodafone and 2degrees, oversees number porting. Its head, Geoff Thorn told the Herald:
"The TCF is very aware of the hardship the SIM swap frauds cause.
"Each of the mobile operators has changed its processes to make it harder for fraudsters to swap a number to their own device.
"The TCF is exploring the possibility of making technical changes which will provide additional protection to consumers."
Thorn says the TCF backs Cert NZ's advice not to use two-factor authentication that involves a text sent to a mobile phone. "Although it is better than nothing, SMS authentication is not a secure means of obtaining the authentication," Thorn says.
Spark: Well-intended protection backfires
Spark spokeswoman Sam Smith told the Herald, "To prevent fraudulent SIM swapping, Spark has implemented a process whereby customers must visit a Spark store and present identification before the swap can be approved.
"These measures have been extremely effective, however porting fraud where customers port (move) their number to another service provider is more complicated and requires a coordinated industry-wide change to the porting rules.
"Currently, the information requested when someone wishes to port is as per industry and regulatory requirements, that is: customer name, MSISDN (unique phone identification number) to be ported, and current Postpay Account number or Prepay SIM card number. This information is submitted to IPMS (the Industry number portability coordinating system managed by TCF) and is then verified and approved/declined by the LSP (losing service provider).
"As it stands, the regulated industry code for porting determines the process and it is up to the LSP, to verify and approve the port.
"This, unfortunately, makes it tricky to identify when a porting request is fraudulent, as due to the current legislation, the LSP is not permitted to contact the customer directly as it could be considered as an attempt to 'win back' the customer which is against the original anti-competitive spirit of the porting rules."
Communications Minister Kris Faafoi has been asked for comment on the possibility of a legislative update.
In the meantime, Smith said, "The industry is currently exploring whether it is feasible to introduce a validation step to the porting process so the customer has to confirm the port is valid before it will proceed."
A TCF working party is also developing a code that would see one central place for all scam reports to be filtered into. "The code involves organisations such as banks, Police, online safety organisations, as well as telcos and would therefore provide a full and accurate picture of the scamming landscape in New Zealand. Industry has a similar Code for scam calling today and we are seeking to replicate this for mobile messages, too," Smith said.
Vodafone: Increasingly sophisticated attacks
For Vodafone NZ, spokeswoman Nicky Preston said, "It's frustrating and upsetting that scammers continue to increase their efforts to defraud Kiwis, with phishing scams on the rise.
"We urge New Zealanders to be aware of potential phishing attacks and stay vigilant – as fraudsters will try to obtain a customer's personal information from many different organisations, via increasingly sophisticated methods, and by using topical situations like the current Covid-19 pandemic."
She added, "As an ongoing measure, we ask all customers to regularly change their passwords and PINs and never give out personal information unless they are certain who they are dealing with.
"SIM swapping fraud is complex but we are doing everything we can to combat fraudsters and to further protect Vodafone customers. We are working closely with other telcos and the TCF to develop additional industry-wide measures to make SIM swapping fraud more difficult, including assessing international best practices."
More online attacks
Overall, Cert's fourth-quarter 2019 report found a modest decrease in online scam activity, with total reports falling from 1333 a year earlier to 1197, and reported financial losses declining from $5.9m to $4.7m.
However, for 2019 as a whole, the agency reported a 38 per cent increase in reports of cyber attacks. A total of 689 involved financial loss, 603 of those to individuals.