
SIM swap attack and comparison between security of various banking apps

src223

TF Select
SIM swap attack is something out of nightmares, and I couldn't find details on how they work. So here I will be rating some banks' apps, considering the fact that an attacker has received my duplicate SIM and my original SIM is blocked.

Here is what the attackers might have access to.
1. SIM card and all SMS / calls coming to it (duplicate SIM)
2. PAN number (possible from bank or other app's database leak)
3. Bank account number
4. Customer ID of bank account (this may be difficult to find)
5. Debit card details (possible from bank or other app's data breach. No access to ATM PIN)
6. Date of birth (Pretty easy to find)

Here's what the attackers are NOT supposed to have
1. Internet banking password
2. mPIN of banking app
3. ATM / Debit card PIN
4. Access to email account
5. UPI PIN

Here are my ratings of bank apps on a fresh install.

I will personally not recommend keeping liquid cash in any bank rated lower than 3.0!

1. DBS: 4.0/5.0

App: Not only do you need the internet banking password, you also need an OTP from email. Previously they also used to restrict transactions for 24 hours; I don't know about it now.
Internet banking: Forgot password option requires entering debit card PIN.

2. Axis Bank: 3.0/5.0

App: The only thing preventing login is the mPIN. If that is secure, you should be good.
Internet banking: Forgot password requires OTP from email too.

3. Kotak Bank: 3.0/5.0

App: Same as Axis Bank
Internet banking: Requires debit card PIN.

4. RBL Bank: 1.5/5.0

App: I am really disappointed with this. If the attackers have Customer ID and PAN, they can easily log in with the duplicate SIM. To make matters worse, once logged in, the mPIN can easily be changed. Please keep your Customer ID in a safe place.
Internet banking: Didn't check because I was too disappointed by the app.

5. Federal Bank: 3.0/5.0

App: Same as Axis Bank
Internet banking: Forgot password requires debit card PIN.


Feel free to chime in with your thoughts. I don't have access to some other popular banks like SBI and ICICI, so if someone can share information on them, it would be great.

Also feel free to share any tips to prevent these attacks. I heard attackers can simply swarm you with calls and once you pick up, all the money is gone; I don't know how it works though.



Edit - adding some more banks:

6. AU Bank: 1.0/5.0

App: Requires mPIN to login, which is fine, but...
Internet banking: Forgot password just needs account number and OTP from either SMS or mail. This is a major flaw; otherwise I would have rated it at an average 3.0. Rating it lower than RBL Bank because the account number is usually easier to find than the customer ID. Very disappointed.

7. IDBI Bank: 3.0/5.0

App: Requires mPIN to log in.
Internet banking: Forgot password needs debit card details and PIN.

8. HDFC Bank: 3.0/5.0

App: Requires debit card PIN to log in and set up. mPIN is not required; it can be reset after login.
Internet banking: Initially it looks like only mobile OTP is required to change the password, but fortunately it asks for debit card details and PIN.
 
Last edited:
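The post's comparison can be replayed as a small threat-model check, which is useful for anyone auditing their own bank's login and password-reset flows against the same attacker. The following Python is an added example, not code from the original post or from any bank: the factor names, the Flow/Bank structures and the per-bank encodings are my own reading of the post's descriptions (Kotak, Federal and IDBI follow the Axis pattern with a debit card PIN reset and are left out for brevity). It shows two things the prose only implies: an "OTP via SMS or email" option is two alternatives, so the flow is only as strong as the weaker one, and a flow that lets the attacker change a factor (RBL's mPIN after login) has to be propagated, which the fixed-point loop in `assess` does.

```python
from dataclasses import dataclass

# The post's SIM-swap attacker: factors held after the swap (constructed
# directly from the post's "might have access to" list).
ATTACKER_HAS = frozenset({"sim_otp", "pan", "account_number", "customer_id",
                          "debit_card_details", "dob"})


@dataclass
class Flow:
    """One authentication or recovery flow (hypothetical structure).

    alternatives: factor combinations, any ONE of which completes the flow
                  (e.g. 'OTP via SMS or email' is two alternatives).
    grants:       factors the attacker obtains once the flow succeeds
                  (e.g. a login that lets you reset the mPIN grants 'mpin').
    """
    alternatives: list
    grants: frozenset = frozenset()


@dataclass
class Bank:
    name: str
    flows: dict  # flow name -> Flow; flows the post did not check are omitted


def satisfied(flow: Flow, have: frozenset) -> bool:
    """True if at least one alternative is fully covered by the factors held."""
    return any(req <= have for req in flow.alternatives)


def missing_factors(flow: Flow, have: frozenset) -> frozenset:
    """Smallest set of factors still missing across the alternatives
    (empty if the flow is already satisfied)."""
    return min((req - have for req in flow.alternatives), key=len)


def assess(bank: Bank, attacker: frozenset = ATTACKER_HAS) -> dict:
    """Evaluate every flow, feeding back whatever a compromised flow grants
    until nothing new is gained. Returns {flow: missing factors}; an empty
    set means the attacker can complete that flow."""
    have = set(attacker)
    broken = set()
    while True:
        newly = [n for n, f in bank.flows.items()
                 if n not in broken and satisfied(f, frozenset(have))]
        if not newly:
            break
        for n in newly:
            broken.add(n)
            have |= bank.flows[n].grants
    return {n: missing_factors(f, frozenset(have)) for n, f in bank.flows.items()}


def compromised(bank: Bank, attacker: frozenset = ATTACKER_HAS) -> list:
    """Names of the flows the attacker can complete, in the bank's order."""
    return [n for n, gap in assess(bank, attacker).items() if not gap]


# Constructed encoding of the post's descriptions (my reading, not bank docs).
BANKS = [
    Bank("DBS", {
        "app_login":      Flow([frozenset({"netbanking_password", "email_otp"})]),
        "password_reset": Flow([frozenset({"debit_card_pin"})],
                               grants=frozenset({"netbanking_password"})),
    }),
    Bank("Axis Bank", {
        "app_login":      Flow([frozenset({"mpin"})]),
        "password_reset": Flow([frozenset({"sim_otp", "email_otp"})],
                               grants=frozenset({"netbanking_password"})),
    }),
    Bank("RBL Bank", {
        # post: Customer ID + PAN + duplicate SIM log in; mPIN can then be changed
        "app_login": Flow([frozenset({"customer_id", "pan", "sim_otp"})],
                          grants=frozenset({"mpin"})),
    }),
    Bank("AU Bank", {
        "app_login":      Flow([frozenset({"mpin"})]),
        # post: account number + OTP from EITHER SMS or mail -> two alternatives
        "password_reset": Flow([frozenset({"account_number", "sim_otp"}),
                                frozenset({"account_number", "email_otp"})],
                               grants=frozenset({"netbanking_password"})),
    }),
    Bank("HDFC Bank", {
        "app_login":      Flow([frozenset({"debit_card_pin"})]),
        "password_reset": Flow([frozenset({"sim_otp", "debit_card_details",
                                           "debit_card_pin"})],
                               grants=frozenset({"netbanking_password"})),
    }),
]

if __name__ == "__main__":
    for bank in BANKS:
        for flow, gap in assess(bank).items():
            status = "COMPROMISED" if not gap else "blocked; still needs " + ", ".join(sorted(gap))
            print(f"{bank.name:10} {flow:15} {status}")
```

Running it prints RBL's app login and AU's password reset as compromised and lists, for every other flow, the one factor (email OTP, mPIN or debit card PIN) that keeps the SIM-swap attacker out; that residual factor is exactly what the post tells readers to guard.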

Can any of these be made to work on a currently or formerly jailbroken iPhone? I have an older phone I'd like to keep as a backup that gets flagged by most fin/bank apps.
 