'SIM-jacking' allows criminals to take control of SIM cards to raid bank accounts - and it is on the rise in the UK
Fraudsters obtain codes from operators to switch numbers to another device.
There have been more than 300 fraudulent code-gaining attempts since last April.
In the preceding year, however, there had only been 99 similar cases in total.
Author Jack Monroe had GBP5,000 stolen from her bank account from SIM hacking.
By Jonathan Chadwick
Hijacking other people's SIM cards in an attempt to steal personal information is on the rise in the UK, according to new figures.
Reports of fraudsters obtaining codes that allow phone numbers to be switched to a new phone have totaled 300 since last April — compared with 99 in the preceding year — according to the Information Commissioner's Office (ICO).
The dodgy practice involves the criminals obtaining a code from a person's network operator that lets them switch their victim's mobile number to another phone.
Once they have obtained unfettered control of the victim's phone number they can target them further, often for financial gain.
There have been more than 300 reported fraudulent attempts to access Porting Authorisation Codes since last April.
What Is Sim-Jacking?
SIM-jacking is a fraudster stealing another person's phone number.
Usually, when someone breaks their phone, they just have to contact their provider to obtain a Porting Authorisation Code (PAC).
A PAC allows mobile phone users to take their old number with them when they change service providers.
Fraudsters hijack this service by switching the victim's phone number to another phone, even one on another network.
The practice allows criminals to take control of other people's phones and access their personal information.
As of July 2019, phone users can switch mobile network by sending a free text message – but it must be sent from the phone number they want to switch.
Criminals armed with enough knowledge of a mobile phone user's personal details can fool network operators into providing them with this all-important code, called a Porting Authorisation Code (PAC).
The culprits need to have as much information as they can to pass security clearance with the network operator and gain a PAC, including name and date of birth, often obtained by phishing emails.
Once this has been obtained, the hijacker can get control of personal information stored on a SIM card, such as identity, messages and personal security keys – and ultimately steal money.
Figures obtained from the ICO by New Scientist show there have been more than 300 reported cases of attempts to fraudulently obtain PACs since April 2019.
The ICO had already revealed last month that there had been 399 SIM-jacking cases since the start of April 2018, suggesting most of the incidents have taken place in the last nine months.
These figures suggest the technique has become increasingly popular among criminals in a short amount of time, and such incidents could keep rising.
A PAC is normally 9 characters long and in the format 'ABC123456'.
Phone users can request one for free simply by sending a text on the number that they want to transfer to another device.
Some operators such as EE and Vodafone allow users to obtain a PAC from a phone number other than one connected to the number they want to switch, such as a landline.
However, a Vodafone employee confirmed to MailOnline that a customer has to relay a code that's been sent to the mobile phone connected to their account if they want to obtain a PAC.
In October, food writer Jack Monroe said she lost about GBP5,000 after her phone number was stolen back in October.
'It seems my card details and PayPal info were lifted from an online transaction,' she tweeted.
PAC codes allow someone to shift a mobile phone number to a new device, but the process can also be done by criminals armed with enough personal data.
'Phone number was ported to a new SIM, meaning crims access/bypass authentication and authorise payments.
'I don't use publicly available email addresses on my financial accounts; my passwords are gobbledegook letters and numbers and special characters; I have two step authentication on all my accounts.
'I am absolutely absurdly paranoid about security.'
'SIM-swap fraud is devastating, as we saw with Jack Monroe,' said data protection consultant Pat Walshe at Privacy Matters to New Scientist.
'There is the harm. You mustn't just think in terms of financial harm, there's the anxiety and there's the distress this causes, the absolute inconvenience while you're without your phone.'
The ICO has so far confirmed that 11 of the cases of PAC fraud since last April involved SIM jacking.
'We don't know which operators have reported what and we don't know whether the fraudulently obtained PACs is in fact SIM-swap fraud. We can only assume it is,'