cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Scammers leveraging SIM jacking for ‘unvetted access’ to personal data

University of Melbourne cyber security expert Suelette Dreyfus warns of falling prey to “SIM jacking”, a technique which scammers can use to gain “unvetted access” to a victim’s personal information.

user iconReporter
Tue, 31 May 2022
Scammers leveraging SIM jacking for ‘unvetted access’ to personal data
expand image

In a 4BC 882 News Talk radio interview, cyber security expert Suelette Dreyfus at the University of Melbourne warned about how cyber attackers could have used "SIM jacking" to target a Queensland man; draining his accounts and using 288,000 stolen frequent flyer points to enjoy a holiday overseas.

According to Dreyfus, the man could have fallen victim to scammers after being hacked through "SIM jacking".

"That might be where someone gathers information, intelligence about you.


"Then contacts your mobile phone carrier to say, 'I've lost my phone, can you send me a replacement SIM at this address'.

"And then from that they have your phone details, and your phone SIM," Dreyfus said.

"SIM jacking" or "SIM swapping" is the process that "involves a scammer taking control of a consumer's mobile number by using that individual's personal details to request a new SIM", according to the Australian Communications and Media Authority (ACMA).

In order to protect customers, the ACMA introduced new rules that "will require stronger customer identity checks when telcos undertake high-risk transactions such as SIM-swap requests, changes to accounts or disclosure of personal information".

Commenting on the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 that will be coming into effect on June 30, Fiona Cameron, chair of the ACMA’s Scam Taskforce, further explained that the ACMA can enforce a range of actions on telcos who are found to have breached the new rules, which include commencing court proceedings.

"SIM-swap scams can cause a lot of harm as scammers take control of your phone number and then use that to gain access to your online banking accounts.

"These new rules require multi-factor authentication of your identity such as confirming personal information and responding with a one-time code consistent with how other essential services like banking operate," Cameron said.

"We expect these rules will go a long way to stamping out unauthorised transactions like SIM-swap fraud and improve safeguards for telco customers."

The estimated cost for victims who have been hacked sits at an average of $28,000 in Australia according to ACMA data.

The hackers who had targeted the Queensland man had even managed to break into his PayPal and defunct Netflix account, demonstrating the vast access scammers had to their victim's personal information, prompting Dreyfus to add that it is "dangerous to use the same passwords".

"The other thing that can happen, which is a little bit more in your control, if you re-use passwords, even if you add a 1, 2, 3 or on the end, or you use insecure passwords that can be guessed by rapid firing reasonable guesses of dictionary words in a computer program to see which ones work, those are very common methods," Dreyfus said.

Cameron further emphasised that scammers are forever finding new ways to steal personal details and rip people off.

"SIM-swap fraud is particularly egregious as it leads to identity theft and significant financial losses."

[Related: Infraud transnational cyber crime group members jailed in US federal prison]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.