This video is part of a series of interviews between fraudster turned fraud-fighter Tony Sales and Callsign's Ryan Gosling. In this video, Tony walks Ryan through how social engineering and SIM swaps are used to acquire or bypass OTPs.
SIM swaps are always going to be a threat, because it's a device structure reliant upon a third party securing services from our banks. You have that telecoms communication company in the background, being made responsible for an OTP to come through. That's a big weight on their shoulders. We actually did this on Watchdog, where we went into the main phone providers, and we were able to show SIM swap – just basically going in saying, ‘I've lost my SIM. Ah mate, I've lost my SIM, can you help me? Please man, can you help me?’ As soon as you play on those heartstrings, it's human and emotional, socially engineering that person. These are the real stories that happen to people all the time.
That's really interesting. I think when we think about social engineering fraud, we often think it's just at the point of the bank payment. But actually, what you're talking about there is that social engineering starts even deeper than that, at the telco level… and that preparation then helps them attack the bank later on.
Social engineering can play a massive part. If I'm going to need an OTP or I need to sign in via two-factor authentication, I need to get a number from somewhere. That means I need to pre-empt that and talk to you either as a bank, as someone who's distributing stuff, or maybe as law enforcement. I'm trying to convince that person that I am someone in a position of trust in order for them to place the OTP into their device or give me the OTP so I can place that into the device.