Thursday, June 28, 2012

Cloning makes its return

I am not sure if this has become a problem in other areas yet, but apparently there is a new twist in cloning the SIM card in a mobile phone.

OK, a little history first. When mobile phones first came out, they did not have SIM cards. Identifying information was "hard coded" into the phone, letting the network know that it was you on your phone using the network. Then someone worked out that they could scan and clone that information (similar to what is now starting to be common for RFIDs). You see, by broadcasting your "unique" identifier to the network, the fraudster can trick the system into thinking they are you. For RFID this means that they can clone your credit card and start charging against your account.

In the late '90s I know that fraudsters rented a room on the lowest floor of a building that was over FDR Drive in NYC. This put them close enough to ping and scan the mobile devices in the cars that passed below them. They then input the information into other phones and were able to arrange dial out, long distance, premium number and sweepstakes fraud against those mobile users' accounts.

Now in theory this has stopped happening in mobile devices as the information is supposed to be harder to get.

Today I came across an article in the Arab Times, "Phone Clone Latest Scam To Prey On Mobile Users". A man called a reporter on her mobile phone and told her:
“Congratulations, you have just won KD 100,000 from ------ (name of the telecommunication company). I’m from the (name of the telecommunication company) International Government Department. You can claim your prize from ------ (name of local bank) by calling this number 00447624192661 for instructions on how to claim the KD 100,000 prize from (name of the local bank),” went a man to one of the reporters of the Arab Times early this week. He was calling her on her mobile phone from the number 22280636.
Now to be fair, at this point she knew it was a scam - but being a journalist she wanted to get the full story and called the number and got the same man.
He was the same man who called up the reporter earlier but this time he introduced himself as Michael Husky of the (name of the telecommunication company) International Government Department of Kuwait. He then gave an eight-digit number to the reporter and asked her to check if the eight-digit number that he gave matched the first eight-digit number at the back of her mobile phone SIM card. “Switch it off and check it. Please check if it’s the same and please call again to confirm and I will give you the final instructions on how to claim your KD 100,000 prize from _____ (name of local bank)” said the man. The reporter removed the SIM card from her phone and much to her surprise, the eight-digit number that the man gave her earlier was the exact number at the back of her SIM card.
However, when she switched on her mobile phone, it went offline and she had to go to one of the branches of this telecommunication company to check on what had gone wrong with her phone line. Her phone started working again after a customer service representative helped her out. The reporter then told the customer service representative about the earlier incident about the KD 100,000 cash prize. The customer service representative laughed aloud and told the reporter that it was not the first time that she heard such story as a number of other subscribers had also called up and claimed that they had won a cash prize from the telecommunication company.
The article goes on to say that she called again, got new instructions and was told to expect a text (SMS) message with a new PIN and to sign in using it.

When she checked with the legitimate phone company she was told that if she had gone ahead with it they would have cloned her phone.

There is a well-written and detailed explanation of how this could be done by the fraudsters and what each part of the scam was actually doing.

But this shows that when you get unexpected "You have won" calls or messages you should be wary as they are almost always too good to be true and can end up costing you a lot.