Sim Swap Scam

  • Thread starter: Sushubh

Sushubh

MRTEQY9.jpg


This is pretty freaky. Recently, when I got the Redmi 3s Prime for dad, I had to get his SIM changed. The Vodafone Store guy gave me a new SIM without any paperwork. He told me to send the SMS in this format to switch the connection from the old SIM to the new SIM. The process took less than 2 minutes. No verification from Vodafone. NOTHING.

This probably explains why operators are being forced to send this warning to their subscribers. They have made the process of SIM swap so easy that it is being abused by scammers. Just one SMS would hand over your mobile number to another person. And only god knows what he can do with it. Changing passwords of digital wallet accounts would be rather simple. Bank accounts would be slightly tough. I bet there are tens of other things that I cannot recollect right now.

This also means that one has to be extremely careful with their phones. Anyone can take over your mobile number if they can get hold of your phone for even a minute. To gain back your number, I assume you would need to run to a company outlet. Not sure if you can get your SIM blocked through a phone call to the customer support center.
 
 
UPI relying on OTP and debit card numbers is probably the reason. Your debit card details are easy to fetch if you use it over the counter at a retail store. And mobile cloning takes care of OTP.
 
To push for digital transactions, I guess this decision was made. People have a choice to not have an online banking account. But they have zero control over UPI and AePS. The smarter thing would have been to add a few manual steps in activation of both. But that would have hurt the adoption of these services, which would have hurt their ambitions to take on Visa and Mastercard. The common man suffers as a result of this.
 
Airtel blocks SMS service for 24 or 48 hrs after a SIM swap to prevent OTP frauds, but some services like Paytm have an option for a call too. idk if Gmail and FB have this call option too for lost passwords.

No documentation is required because you need the original SIM to place the swap request, and if someone already has access to your original SIM then why swap/clone?
 


The core problem here is that OTP has replaced human verification. You can lose your phone. Someone who borrows your phone can misuse it. One of your family members can essentially impersonate you for these services at home with access to your phone. Your phone replaces your signature (or fingerprint in case of AePS).
 
Hmmm, but OTP is meant to be a two-factor authentication, not a replacement of your password or other authentication.
 
For UPI registration your debit card number is basically your username and OTP is your password. Not your ATM Pin. Not your online banking password.
And it is something that you cannot even deactivate on your account to the best of my knowledge. Same with AePS. One of the main reasons I do not like Aadhaar is that there is no opt out of AePS. I do not want my fingerprint to become superior to my signature for financial transactions.
 
Yup. They seem to have designed it this way intentionally to keep the friction low. Most people carry their debit cards with them so they can get on UPI pretty easily. Online banking on the other hand requires a lot of effort. Using a mobile app has the same issues, as most mobile apps suck and password requirements are batshit crazy for most banks.
 
God knows. I mean the money should have gone to a bank. And they could have taken out the money in cash. Could have opened a temporary account using a fake Aadhaar card?
The thing here is... how would ICICI decide that the transaction was fraudulent? The transaction was between customer to customer.
No business was involved, so it's not like credit card companies that they can reverse the transaction just like that.
 
That's the thing. From the looks of it, Aadhaar has made it easier to open a fraudulent bank account. Earlier banks were responsible for KYC. Now they can just blame Aadhaar, and since Aadhaar can't do anything wrong, the government would keep on pretending that all is well.
 
