BBC Reporter Demonstrates Ease of Hacking Bank Account

Written by Pronetic

Pronetic is a leading provider of core IT support for ISO 27001, Cyber Essentials and Cyber Essentials Plus compliance.

March 11, 2016

A reporter working on a popular BBC Radio 4 programme has prompted HSBC to issue a security warning to its customers after the reporter was able to hack into the programme producer’s bank account and take money from it.

The widely reported hack was intended to demonstrate how mobile-based password resets can still be used with relative ease by fraudsters to commit cyber crime despite bank security measures being in place.

How Did They Do It?

A recent Computer Weekly article highlighted how the reporter found a way into the account by contacting the mobile phone provider of the ‘You and Yours’ programme’s producer and telling them they wanted to swap similar SIM cards.

The SIM swap service is a genuine service that allows customers to keep their phone number but to swap SIMs and phone providers. In this case, however, the SIM swap was used to take advantage of two-factor authentication of customer identities, in which banks often use the mobile phone number they hold for the customer as part of that authentication. Customers wanting to reset their login are sent a code by text to the number that the bank has on file.

This allows the recipient of the text to get into the online account in order to reset the login details. Since the SIM associated with the account had already been changed by the reporter, they were able to use the code to get into the producer’s account. This method also meant that the reporter was able to circumvent the usual secondary security checks, such as answering questions about mother’s maiden name, pet names, first school etc.

Once in the account the reporter was able to change the PIN and actually transfer money (only £1.50 in this case) from the Producer’s account into their own account.

Warning Issued As A Result

As a result of the reporter’s actions and the impending publicity that they would cause, HSBC issued a statement to customers explaining what the “increasingly common” SIM swap is, and how it can be used by fraudsters and third parties for dishonest means by giving them the ability to use your mobile phone number to receive and make calls, receive and send text messages, and use any provisioned data allowance.

What Does This Mean For Businesses?

As well as prompting you to examine where this type of fraud could be conducted against your business, and to make yourself aware of the possible signs of SIM card fraud (e.g. suddenly not being able to make or receive calls or texts on a business phone), this story may also leave you concerned about the security of your business bank account.

However, some banks and credit card companies, such as HSBC and Mastercard, have already started, or are about to start, using biometrics for authentication / verification. This will take the form of fingerprints and even ‘selfies’ taken using special phone apps, and these methods are thought to be a much better safeguard than passwords or, as in this case, checks based on details that can be swapped at the other end.
