• 29 July, 2023
• No Comments

Impersonator took over e-SIM card, accessed e-wallet

An impersonator managed to take over a Circles.Life customer’s line on Jan 2 and, soon after, gained access to her WhatsApp account and multiple e-wallets.

The customer, known only as Ms Sim, 34, said she received a record of a conversation that she had supposedly initiated with Circles.Life using its app. Speaking to The Sunday Times, she said the impersonator, who had her full name, date of birth and NRIC number, used the details to request a one-time password.

“With these details, they were able to log in to my Circles.Life account and change the registered e-mail address and request a new e-SIM and activate it,” she said. An e-SIM is a digital SIM that can be installed instantly on a mobile device. Usually, customers receive a QR code that they scan to activate it.

Shortly after Ms Sim realised she was unable to receive WhatsApp messages and calls, she received a notification from her Shopee mobile application informing her that there were multiple requests to change her password. The impersonator also logged in to her Grab account. Grab and Shopee allow users to log in using their mobile numbers.

Ms Sim, who is a data analyst, said: “I took nearly a week to recover my accounts. I had to call various platforms to inform them about the incident. I took time away from work and spent hours at the police station making my statement”.

She added: “Even after this incident, I really don’t know what else the impersonators can do with my personal information”.

After Ms Sim’s husband contacted Circles.Life through Facebook Messenger on Jan 2, her phone line was suspended the same evening. On Jan 3, she received a physical SIM card from Circles.Life, which ensured that the impersonator would no longer have access to her mobile line. Ms Sim’s money is still active, but she has switched service providers.

A spokesman for Circles.Life said it would continue to render support to Ms Sim, and that it regards data safety as a top priority. The digital telco said: “Amid the incident, Circles.Life has set up a dedicated Scam & Fraud task force… to manage future incidents, thus ensuring quicker response times”.

The Infocomm Media Development Authority, which regulates telcos, said it is investigating the incident. Shopee said: “We urge users to be vigilant and immediately report any suspicious activity on their Shopee account to our customer service channels. Customers can also request that their ShopeePay account be disabled temporarily”.

MyRepublic, another digital telco that also offers e-SIMs, said: “Our e-SIM activation is pegged to a customer’s e-mail address. This makes it less likely for someone to socially engineer their way into MyRepublic”. It added: “Customers are advised to implement two-factor authentication on their e-mail and not to share their e-SIM activation QR codes with anyone at all times”.

Mobile network operator M1 said customers who want to activate their e-SIM can do so through its mobile application. “By going through the app, customers would have already gone through a proper verification process to validate their identity. This provides a layer of security”.

Mr Andy Prakash, co-founder of cybersecurity firm Privacy Ninja, said consumers may choose e-SIMs because of how easy it is to activate them and the convenience of being able to switch between different numbers. To strengthen their verification process, telcos offering e-SIMs can consider requiring users to answer further security questions, such as the name of their favourite actor or the phone number of a family member.

“Unlike NRIC numbers or birth dates, which can’t be changed, such information may be harder for impersonators to obtain”.

– –

This article was written by Jessie Lim and first appeared in The Straits Times on July 29, 2023.