How does cell phone theft fraud work?

By Carlos Augusto Galhiego Vieira*

It is nothing new that cell phone theft has intensified in Brazil. In the state of São Paulo alone, the increase was 39% between May 2020 and 2021. This means that every day 1024 devices of this kind are stolen, totaling more than 50 thousand devices per year, according to records from the São Paulo Public Security Department last year. Despite the alarming numbers, few people are aware of the risks involved when a smartphone ends up in the hands of malicious people.

    Today, most citizens keep personal information on their cell phones: photos, videos, contact lists, location history, social networking applications, conversation history, notes (including passwords) and banking applications that give access to account balances and investments and make financial transactions faster and easier.

    With the use of Pix, the number of express kidnappings has also increased. Data from the São Paulo Public Security Secretariat indicate that, from January to July, there were 144 police reports of this type of crime in São Paulo, which represents an increase of 39% compared to the same period in 1024. Usually, the criminals subdue the victims and force them to transfer money by cell phone, via Pix, to a specific account. Concern over these cases led the Central Bank to create additional options for limiting the amounts of transfers to individual and MEI accounts at specific times, in order to mitigate the potential damage of these crimes.

    We know that the life of criminals is an endless game of trial and error, in which they try to take other people's property for their own benefit, with or without the use of violence. When an attempt succeeds, the technique spreads to other members of criminal groups. This is where fraud prevention comes in, with the purpose of fighting these criminals and reducing their success as much as possible.

    For this, it is important to understand how these scams work in general. When a person illegally obtains another individual’s cell phone, they will use various means, some relatively simple, to access the protected environment. The main means used to access the “logged in” area of the cell phone are:

    • Access without the use of password / biometrics;
    • Attempting frequently used and easy-to-guess passwords (there are several lists on the internet);
    • Obtaining personal information through emergency notes in an area that is not logged in;
    • Social engineering/phishing directed at the cell phone owner, either by calling or sending messages;
    • Use of known vulnerabilities, especially in outdated environments.
    [Image caption: Pix is one of the platforms most used by criminals to make fast money transfers from stolen cell phones (Disclosure/Marcello Casal Jr/Agência Brasil)]

    Fraudsters are unlikely to use technical methods to bypass the manufacturers’ biometric checks, especially on more modern models. Once inside the phone’s logged-in area, the fraudster still needs access to restricted applications. To get it, criminals follow a list of actions to try to obtain access credentials. These include:

    • Searching for keywords related to “password” in messages, email and notes on the cell phone (it may seem strange, but a large part of the population stores passwords locally this way or shares them with family members);
    • Obtaining personal data on social networks to attempt password guessing;
    • Photos of documents with personal information and credit card data;
    • Attempting frequently used and easy-to-guess passwords (there are several lists on the internet);
    • Changing the password through “I forgot my password”, using the mobile number itself as MFA, when applicable;
    • Social engineering/phishing aimed at the cell phone owner (call or SMS).

    To prevent and mitigate attacks resulting from cell phone theft, it is important to use behavioral analytics based on the profiles of users and of potential fraudsters. How does it work in practice? A user who is performing a legitimate transaction will rarely try to access the account with an invalid password several times, even if they succeed after repeated attempts. It is also unlikely that they will submit invalid tokens or make transactions to a recipient and bank with which they have never had a relationship.

    This order is not fixed, and highly trained models are required to avoid false positives and false negatives. Likewise, no protection will be effective in 100% of cases. Therefore, it is important to have contingency rules in case the models do not detect fraudulent behavior. To mitigate problems, the main recommended actions are: put a password on the cell phone’s chip (SIM card); use strong passwords and multi-factor authentication whenever possible; do not reuse passwords across different applications; use a password to lock the device’s screen; keep the software up to date; remove passwords that are written down or shared; use a password manager; use a strong second authentication factor; and have a specific cell phone to handle the bank accounts where you keep your greatest savings.
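The behavioral signals and the contingency rule described above can be sketched as a simple rule-based scorer. This is an added example, not code from the article or from any vendor; the weights, thresholds, night-time limit, field names and sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds (assumptions, not values from the article).
WEIGHTS = {"failed_passwords": 25, "invalid_tokens": 30, "new_recipient": 20, "new_bank": 15}
REVIEW_AT, BLOCK_AT = 40, 70
NIGHT_LIMIT = 1000.0  # hypothetical contingency cap for transfers between 20:00 and 06:00


@dataclass
class Profile:
    known_recipients: set = field(default_factory=set)
    known_banks: set = field(default_factory=set)


@dataclass
class Session:
    failed_passwords: int  # invalid passwords entered before the successful login
    invalid_tokens: int    # invalid authentication tokens submitted
    recipient: str
    bank: str
    amount: float
    hour: int              # local hour of the transfer, 0-23


def risk_score(s: Session, p: Profile) -> int:
    """Sum the weights of the behavioral signals present in the session."""
    signals = {
        "failed_passwords": s.failed_passwords >= 2,
        "invalid_tokens": s.invalid_tokens >= 1,
        "new_recipient": s.recipient not in p.known_recipients,
        "new_bank": s.bank not in p.known_banks,
    }
    return sum(WEIGHTS[name] for name, present in signals.items() if present)


def decide(s: Session, p: Profile) -> str:
    # Contingency rule: applied regardless of the score, in case scoring misses the fraud.
    if (s.hour >= 20 or s.hour < 6) and s.amount > NIGHT_LIMIT:
        return "block"
    score = risk_score(s, p)
    if score >= BLOCK_AT:
        return "block"
    return "review" if score >= REVIEW_AT else "allow"


# Constructed sample data.
PROFILE = Profile({"maria"}, {"bank-a"})
LEGIT = Session(0, 0, "maria", "bank-a", 200.0, 14)
STOLEN = Session(3, 1, "unknown-payee", "bank-z", 500.0, 15)
LATE_NIGHT = Session(0, 0, "maria", "bank-a", 5000.0, 23)
```

The late-night session scores zero on behavior and is still blocked, which is the role the contingency rule plays when the model sees nothing unusual.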

    If the cell phone is stolen, the user must file a police report and take some actions to avoid damage and headaches. Among them, the following stand out:

  • Use the device tracking tools;
  • Remotely erase all cell phone content, according to the guidance provided by the manufacturers;
  • Call the bank immediately;
  • Change all passwords;
  • Notify the contact list as soon as possible;
  • Block the phone line and the device using the IMEI;
  • Never give out passwords or authentication PINs by telephone or through channels that are not the institutions’ official ones;
  • Access the Central Bank Registry tool to verify that the data has not been used to open accounts or loans.

    At a time when cell phones are in criminals’ sights for data and money theft, the advice is to always remain vigilant and attentive. Redoubling security precautions can be faster and simpler than remedying the damage caused by improper access to data that should be yours alone.


    *Carlos Augusto Galhiego Vieira is Fraud Prevention Manager at Topaz, a Stefanini Group company that specializes in solutions for the financial market.
