Guarding Against Identity Theft: A Deep Dive into PII Theft and SIM Swapping
On December 29, 2023, The US Sun published an article, “HACKED IN ‘My hand was shaking,’ Citibank customer says as $65,000 wiped from accounts after his cell phone SIM card was swapped.” The author described the experience of a Kai Chin, a Citibank customer whose Personal Identifiable Information (PII) was obtained from the dark web by fraudsters. Kai Chin’s bank account was depleted of US $65,000 after fraudsters swapped his cell phone SIM and stole the contents of his account via wire transfer.
According to reports, Citibank has “taken steps to recall the funds that were taken by fraudsters using a customer’s personal and account information.” They further stated that the bank’s challenge was that the transfer was technically authorized.
Given the foregoing, I thought it would be appropriate to provide a local review of: the possible exploitation of SIM swap typologies in Trinidad and Tobago to defraud individuals whose Personal Identifiable Information (PII) was compromised in ransomware attacks. In the event of such a fraud, I will identify the existing frameworks and laws that both protect you, the victims, while ensuring your losses are reimbursed. In addition, I will share insights on proactive fraud risk mitigation strategies for both individuals and corporate trinidad, including businesses that have been hacked.
SIM swapping
SIM swapping, also known as SIM splitting, simjacking, or SIM hijacking, is a type of fraud typology used by fraudsters to get control of your phone number. Armed with your Personal Identifiable Information acquired from ransomware attacks, the fraudster impersonates you at telecoms dealerships and requests that your phone number is placed on another SIM.
Fraudsters can use your phone number to take advantage of two-factor authentication to obtain access to your bank accounts, social media accounts and more. This means that they will be the recipients of codes and notifications from your bank regarding transactions on your bank account.
I am sure you are curious to learn if you are vulnerable to SIM swapping here in Trinidad and Tobago.
If your information was obtained during one of the many ransomware attacks here in Trinidad and Tobago, you are at risk of becoming a victim of SIM swapping. Let’s take a closer look at how this could happen and, as a result, what steps can be taken to proactively manage this security risk and minimize losses.
Unfortunately for us, SIM swapping is not difficult in Trinidad and Tobago. Earlier this week, I went to a Digicel and a Bmobile store to verify their procedures for transferring a phone number to a new SIM. Both dealerships’ representatives stated that if an existing customer who previously purchased a SIM in his name reports losing possession of his cell phone, the dealership can transfer the existing phone number to a newly purchased SIM.
The person seeking the transfer must produce a picture ID for the transfer to be executed. The process of transferring phone numbers takes approximately 5 minutes.
Both stores confirmed that they do not save copies of clients’ picture IDs when they acquire a phone or SIM. This makes it easy for the fraudster to impersonate you. He will be able to use a fraudulent ID to have your phone number transferred to his new SIM.
This ID will display your Personal Identifiable Information and his photo. At the stores, I was told that the previous SIM becomes void soon after the SIM is swapped, and all calls and texts would be routed to the phone controlled by the fraudster.
Recommendations
Given the ease with which your information can be obtained via Ransomware attacks and the ease of SIM swapping, it is critical that you understand your level of vulnerability to account takeover. It is also critical to identify ways to close these gaps. I would like to propose the following recommendations to you, telecommunications providers, and the Bankers Association of Trinidad and Tobago, among others.
- Telecommunication providers should conduct Fraud Risk Assessments to detect control weaknesses in respect to current Fraud Typologies. The findings would help them to proactively close current gaps and minimize your exposure. An immediate gap to be closed is the modification of their customer onboarding procedures governing SIM card purchases. Cell phone stores should be permitted to keep electronic photo IDs of their customers for future transactions. They would be able to detect fraudsters who attempted to use your PII.
- TT Fraud Squad, Bankers Association of Trinidad and Tobago ATT, credit unions, and other non-banking companies providing financial services should consider establishing a joint avenue for early notification of suspected fraud by the populace. Generally, when fraud is perpetrated on your account, you are expected to notify your bank. However, given the current Fraud Typologies in which your information is being used to open accounts at various banks, it is now necessary to notify all financial institutions of the potential breach.
- Corporate Trinidad and Tobago including state enterprises targeted by ransomware attacks, can aid you by monitoring online activities and reporting to you all transactions involving your PII. Companies like LoanCare are currently implementing this approach. LoanCare disclosed that 1.3 million of its customers’ PII was exposed as a result of an assault on their parent firm, Fidelity National Financial. At the end of December 2023, LoanCare began notifying its 1.3 million customers of the data breach and has since offered all customers 24 months of free identity monitoring services via Kroll Identity Monitoring Services. This would result in the prompt identification and containment of fraud against you.
TransUnion Trinidad and Tobago furnishes local banks with credit reports on loan and credit card applicants before the approval of their loan or credit card applications. As a result, it stands to reason that Transunion is well-positioned to aid in the early detection of specific frauds against you. With this awareness, the Banker’s Association (BATT) could explore the option of having TransUnion play an expanded role in verifying new loan applications with existing customers.
There is a cost involved. It is important to note that although I discuss your bank’s obligation to protect you, the customer, it is important to understand that your bank’s obligation to you is centered on them using reasonable skills and care in processing your transactions, reasonably identifying suspicious or unusual transactions, and making reasonable inquiries.
If the bank is able to meet these requirements, your bank may opt not to reimburse you if your PII was stolen in a ransomware attack, your SIM was switched, and fraud was committed on your account through online banking.
Banks, on the other hand, may consider the above recommendation because they may incur considerable losses if fraudsters exploit your PII to commit certain crimes, such as obtaining fraudulent loans using your name and information. If someone steals your identity and obtains a loan in your name from a bank, the loan will go into arrears within a few months, if not immediately. This loss will be borne by the bank, affecting its bottom line.
- Protecting yourself. It is also important that you consider monitoring your data. Transunion’s US operations offer both Fraud Monitoring and Identity Theft Monitoring as a service. TransUnion offers a service that “watches your credit reports and alerts you whenever there are critical changes to any of your accounts, such as new accounts being opened in your name, a credit card balance increase, or negative information like a late payment reported by one of your creditors.” Their Identity Theft Monitoring includes observing Criminal Activity Monitoring, Address Change Alerts, Name Change Alerts and most importantly, Dark Web Monitoring: monitoring potential criminals selling and trading of personal information on the Internet in order to detect and alert you if your identity is found to be exposed or compromised. It is recommended that weigh your risks/exposures and determine if you require similar services. If yes, identify service providers to begin your monitoring.
If you become a victim of Fraud as a result of your SIM Swap and your PII being acquired during a ransomware attack, would you be reimbursed for your losses?
Local legislation
I started this article by sharing the above case in which Kai Chin was defrauded, and Citibank may not reimburse his damages based on the fraud typology. I therefore spent an extensive period of time reading Trinidad and Tobago’s Computer Misuse Act, Larceny Act, Electronic Transfer of Crime Act; Electronic Transaction Act, Proceeds of Crime Act and other statutes in search of clauses that clearly state that you would be reimbursed your losses if you were a victim of Online/Internet Fraud.
My research reveals that there are no local laws requiring a bank to reimburse your losses if your account was compromised following a ransomware attack, unauthorised Sim swap and unauthorised wire transfer. Although I am not a legal expert, I must say that if the bank performs the necessary due diligence during the transaction, reimbursement will be at the bank’s discretion.
There is however one exception: the Electronic Transfer of Funds Act provides a level of protection if the fraudster withdraws the stolen monies using your credit or debit card without your authorization, using deception, and without you benefiting from the transaction, your bank is required to reimburse your losses, as stated in Electronic Transfer of monies Act sections 19: “19. (1) A cardholder shall not unless he acts in collusion with another person, be liable to the issuer for any loss arising from use of the card by any person not acting, or to be treated as acting, as the cardholder’s agent.”
In conclusion, the ransomware threat landscape and its aftermath in fueling fraudulent activities necessitates our continued attention and proactive measures. As we navigate the digital world, we must fortify our defenses, stay current on evolving Fraud Typologies, and build collective resilience against these cyber threats. By remaining watchful and aware, we may better protect ourselves, our organizations, and our communities against the far-reaching consequences of ransomware and associated fraud.
About the author
Fiona Perkins, the founder and CEO, Advanced Security Risk Management Ltd. has enjoyed a 21-year career in the Security field, where she led numerous security engagements, successfully balancing the organization’s security needs with its business mission and operational culture.
Prior to becoming the CEO of Advanced SRM, Fiona served in supervisory and managerial roles of increasing responsibility at the following organizations: Department of Correctional Services, Jamaica; Innovative Security and Technologies Limited; and Amalgamated Security Services Limited. During this time, she led large teams and provided services for a wide range of sectors, including corporate and financial, judiciary, oil and gas, healthcare and distribution.
Fiona’s tenure was Assistant Manager of Security at First Citizens Bank Limited for 14 years, after which she operated in the capacity of Manager Investigations and Senior Manager (Ag.) Corporate Security. The scope of her responsibilities included Investigations and Intelligence, Physical Security, Personnel Security, Electronic Security, Fraud Management, Emergency Response, Security Awareness and Training. She was also actively involved in Business Continuity. Fiona has earned formal education in Forensic Accounting and Fraud Detection, Physical Security, Cyber Security, Research, Security Risk Assessments and Conflict De-escalation.
BlueWaters breach and data dump announced...
December 9, 2023
The flagellation of TSTT
November 20, 2023
What the blockchain tells us about...
November 17, 2023
Kent Western appointed TSTT CEO (ag),...
November 14, 2023
PriceSmart issues statement on data breach
November 14, 2023
Taran Rampersad: Are websites increasing cybersecurity...
November 13, 2023
TSTT’s dark night of the soul
November 13, 2023
Courts responds to notice of data...
November 12, 2023
ShopCourts, Pricesmart online data breached
November 12, 2023
TSTT CEO issues statement on company...
November 12, 2023
[…] Trinidad and Tobago – On December 29, 2023, The US Sun published an article, “HACKED IN ‘My hand was shaking,’ Citibank customer says as $65,000 wiped from accounts after his cell phone SIM card was swapped.” The author described the experience of a Kai Chin, a Citibank customer whose Personal Identifiable Information (PII) was obtained from the dark web by fraudsters. Kai Chin’s bank account was depleted of US $65,000 after fraudsters swapped his cell phone SIM and stole the contents of his account via wire transfer… more […]