Project Disrupt: Toronto police arrest 10 people, lay more than 100 charges in SIM swap scam

Jenesis

Fabulously Full Figured
Supporting Member
Jul 14, 2020
9,292
9,306
113
North Whitby Incalls
www.jenesis.ch
I had to use my phone and get texts from two banks this week to prove who I was. One for online and one for in person.

So they use your phone number to verify everything. I have voice authorization for online banking and they still wanted to confirm who I was.
 

Phil C. McNasty

Go Jays Go
Dec 27, 2010
26,693
4,756
113
Dont have bank apps on my phone and never use my phone for banking or paying for anything. Thats the way to avoid being scammed like this
Same here. I got rid of my Paypal, Facebook, and Instagram accts as well on my smartphone
 
Last edited:

IM469

Well-known member
Jul 5, 2012
11,139
2,470
113
I m a little slow here and need your assistance. I don't have google pay/ Apple Pay or any touch and go banking on my phone. I have banking Apps but they require a password. If go online - I still have to give a password before a text is sent to my phone. Generally any changes to the account require my three digit code on my credit card and description of my last transaction - location and amount. This is even for a temporary daily limit extension.

Now you have my SIM card - how do you get my money ??
 

farquhar

Well-known member
Jan 25, 2019
1,142
972
113
I had to use my phone and get texts from two banks this week to prove who I was. One for online and one for in person.

So they use your phone number to verify everything. I have voice authorization for online banking and they still wanted to confirm who I was.
That Banks will use a 6 digit code via text for in-person transactions is BS. I can read that text without actually unlocking my device; so that only proves that I have Farquhar's device, and not that I am Farquhar.

If the Banks actually gave two shits, they would use Authenticator Apps - but that would require them to spend money, and they don't want to do that.
 
  • Like
Reactions: xix and Jenesis

farquhar

Well-known member
Jan 25, 2019
1,142
972
113
I m a little slow here and need your assistance. I don't have google pay/ Apple Pay or any touch and go banking on my phone. I have banking Apps but they require a password. If go online - I still have to give a password before a text is sent to my phone. Generally any changes to the account require my three digit code on my credit card and description of my last transaction - location and amount. This is even for a temporary daily limit extension.

Now you have my SIM card - how do you get my money ??
Perhaps you used your VISA Debit or Debit MasterCard to pay for something on a website that was compromised - such as what happened to TicketMaster recently. That Data ends up on the Dark Web and is packaged and resold.

So, the criminal has your Name, Address, Birthday, Phone Number, Bank Card number, Expiry, and the 3 digit Security Code - the criminal then uses Fake ID or good old fashioned Social Engineering to go to your Mobile Provider and convince them that they are you, and swap service from your SIM card to a SIM card they have in another phone.

The Criminal then goes on the Bank's website and initiates a Password Reset - they have all the required information, and the Bank will send them the code to complete the Password Reset.

Now that the Password is reset, the Criminal has full access to your Bank Accounts - and will either E-transfer money out to the daily limit to an e-mail address they control; or add some Prepaid VISAs to your Billers and make Bill Payments to those accounts, and siphon your money onto those Prepaid VISA cards; or send a Global Money Transfer to an offshore account.
 

HungSowel

Well-known member
Mar 3, 2017
2,819
1,709
113
That Banks will use a 6 digit code via text for in-person transactions is BS. I can read that text without actually unlocking my device; so that only proves that I have Farquhar's device, and not that I am Farquhar.

If the Banks actually gave two shits, they would use Authenticator Apps - but that would require them to spend money, and they don't want to do that.
Royal Bank and wealth simple support authenticator apps, tangerine does not and relies on SMS, no idea about other banks. The best security is security keys like yubikey but almost nobody supports them, I bought 2 yubikeys but they are more or less useless.
 

Jubee

Well-known member
May 29, 2016
4,253
1,703
113
Ontario
Dont have bank apps on my phone and never use my phone for banking or paying for anything. Thats the way to avoid being scammed like this.
At some point you'll be forced to. Scotiabank, ING and I think a couple of others require 2FA , which means you'll need their app on your phone to verify who you are when you log online to your account.

Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.
 
Last edited:

HungSowel

Well-known member
Mar 3, 2017
2,819
1,709
113
Perhaps you used your VISA Debit or Debit MasterCard to pay for something on a website that was compromised - such as what happened to TicketMaster recently. That Data ends up on the Dark Web and is packaged and resold.

So, the criminal has your Name, Address, Birthday, Phone Number, Bank Card number, Expiry, and the 3 digit Security Code - the criminal then uses Fake ID or good old fashioned Social Engineering to go to your Mobile Provider and convince them that they are you, and swap service from your SIM card to a SIM card they have in another phone.

The Criminal then goes on the Bank's website and initiates a Password Reset - they have all the required information, and the Bank will send them the code to complete the Password Reset.

Now that the Password is reset, the Criminal has full access to your Bank Accounts - and will either E-transfer money out to the daily limit to an e-mail address they control; or add some Prepaid VISAs to your Billers and make Bill Payments to those accounts, and siphon your money onto those Prepaid VISA cards; or send a Global Money Transfer to an offshore account.
The criminal still needs your email account password to complete the password reset but if you recycle your login passwords then your pussy will be easily grabbed.
 

farquhar

Well-known member
Jan 25, 2019
1,142
972
113
Royal Bank and wealth simple support authenticator apps, tangerine does not and relies on SMS, no idea about other banks. The best security is security keys like yubikey but almost nobody supports them, I bought 2 yubikeys but they are more or less useless.
CIBC and BMO both don't support authenticator apps.

140 BMO customers say they lost $1.5M in transfer frauds, plan to sue bank | CBC News

CBC News spoke with about half a dozen clients who say their BMO chequing, savings and/or line of credit accounts were drained when fraudsters somehow got access and sent themselves money through e-transfers, global wire transfers and by setting themselves up as payees for bills.

BMO told them they won't be reimbursed because their passwords were used correctly and, in some cases, one-time codes were sent and entered correctly and the IP addresses matched those of the client, according to emails from the bank.

The customers filed reports with police and the OBSI, who sided with the bank.

Kenrick Bagnall, a former Toronto police cybercrime investigator who worked in the bank security sector, says he believes the customers' devices were infected by malware, which harvests digital credentials like passwords and IP addresses from a computer, tablet or phone.

Bagnall says cybercriminals often use social media to gain information about an individual, then send them a targeted phishing email based on their interests and recent activity, which if clicked on, can infect a device.

The malware — which can evade even advanced scanning programs — then bundles the stolen information into a package, which is sold on the dark web for between $50 to $200, depending on several variables, according to Bagnall.

Cybercriminals can then mirror the victim's computer and log into accounts.

"It actually looks like the victim is logging in themselves when they're not," Bagnall said. "So, as far as the checks and balances and controls and the reasonable effort that the bank is putting in, from a security perspective, they're doing the right things."
 

IM469

Well-known member
Jul 5, 2012
11,139
2,470
113
Perhaps you used your VISA Debit or Debit MasterCard to pay for something on a website that was compromised - such as what happened to TicketMaster recently. That Data ends up on the Dark Web and is packaged and resold.

So, the criminal has your Name, Address, Birthday, Phone Number, Bank Card number, Expiry, and the 3 digit Security Code - the criminal then uses Fake ID or good old fashioned Social Engineering to go to your Mobile Provider and convince them that they are you, and swap service from your SIM card to a SIM card they have in another phone.

The Criminal then goes on the Bank's website and initiates a Password Reset - they have all the required information, and the Bank will send them the code to complete the Password Reset.

Now that the Password is reset, the Criminal has full access to your Bank Accounts - and will either E-transfer money out to the daily limit to an e-mail address they control; or add some Prepaid VISAs to your Billers and make Bill Payments to those accounts, and siphon your money onto those Prepaid VISA cards; or send a Global Money Transfer to an offshore account.
The question is the last transaction - not did you buy something from Ticket Master - so that approach won't work. BTW: I've never purchased from Ticket Master - they actually ask for you birthday ? Also a SIM card does not give him access to my bank passwords. However if he has my charge card with the 3 digit code - why bother with the SIM ? He has a limited time until the card number is flagged so I would run with that and forget about the SIM.
 

farquhar

Well-known member
Jan 25, 2019
1,142
972
113
The question is the last transaction - not did you buy something from Ticket Master - so that approach won't work. BTW: I've never purchased from Ticket Master - they actually ask for you birthday ? Also a SIM card does not give him access to my bank passwords. However if he has my charge card with the 3 digit code - why bother with the SIM ? He has a limited time until the card number is flagged so I would run with that and forget about the SIM.
The SIM doesn't provide him access to the Bank passwords; it is used to reset the Bank passwords. He already knows your Debit Card number. The Bank sends an SMS with a one-time use code, which he uses to reset the password to whatever he wants.

Why bother SIM swapping if he has a charge card with the 3 digit code? Because the payoff for SIM swapping is much greater. Tens of thousands of dollars.

Put it another way; my Daily E-transfer Limit at BMO is $7,500, and my Daily Bill Payment Limit at BMO is $25,000. So, that's $32,500 right there if my Online Banking gets compromised. There is also Western Union Money Transfers and Global Money Transfers - not sure of the Limits for those.

I was buying a S24 off of Samsung's website last week for a measly $881, and CIBC wouldn't let the transaction authorize until I spoke to the Fraud Department.
 

Jubee

Well-known member
May 29, 2016
4,253
1,703
113
Ontario
The SIM doesn't provide him access to the Bank passwords; it is used to reset the Bank passwords. He already knows your Debit Card number. The Bank sends an SMS with a one-time use code, which he uses to reset the password to whatever he wants.

Why bother SIM swapping if he has a charge card with the 3 digit code? Because the payoff for SIM swapping is much greater. Tens of thousands of dollars.

Put it another way; my Daily E-transfer Limit at BMO is $7,500, and my Daily Bill Payment Limit at BMO is $25,000. So, that's $32,500 right there if my Online Banking gets compromised. There is also Western Union Money Transfers and Global Money Transfers - not sure of the Limits for those.

I was buying a S24 off of Samsung's website last week for a measly $881, and CIBC wouldn't let the transaction authorize until I spoke to the Fraud Department.
But once they reset the password to your bank(ing), they have full access to your accounts and that's fucked up.
 

farquhar

Well-known member
Jan 25, 2019
1,142
972
113
But once they reset the password to your bank(ing), they have full access to your accounts and that's fucked up.
Any money in the Chequing account plus I also have a $68,000 Line of Credit; and when it comes to these types of Frauds, the Banks generally will find some way to blame the customer (as you saw in the BMO article I linked) and deny compensation.

If you have a problem with your Bank, there is an Escalation process; if the Bank won't solve your problem, you can have a second review by the Ombudsman for Banking Services and Investments - OBSI ; however, in most cases OBSI sides with the Bank; only in cases where the Bank did not follow its own policies does OBSI compensate the consumer.
 
  • Like
Reactions: Jubee

HungSowel

Well-known member
Mar 3, 2017
2,819
1,709
113
Credit Card fraud is covered by the credit card company so it is not something to be freaked out over by the end customer.

Banking fraud is usually not covered and the limits are potentially much higher so it is something to be very concerned about.

With Banking fraud, the criminal needs your SIM account and banking account# and banking password, if they can not get a hold of the banking password then they will request a banking password reset which requires the username and password of the recovery email address.

Your banking password and email password is the challenging thing for criminals to get but if you recycle your passwords then the password is easy to get.
 

farquhar

Well-known member
Jan 25, 2019
1,142
972
113
With Banking fraud, the criminal needs your SIM account and banking account# and banking password, if they can not get a hold of the banking password then they will request a banking password reset which requires the username and password of the recovery email address.

Your banking password and email password is the challenging thing for criminals to get but if you recycle your passwords then the password is easy to get.
CIBC won't send One-time Codes to most free E-mail providers for this reason. CIBC will only send the One-time Code via Voice Call or SMS to whatever number they have on your Customer File - which is what motivates criminals to get your SIM account.
 
  • Like
Reactions: Jubee
Toronto Escorts