The British prime minister is embroiled in a sudden political flap following the revelation that his mobile number has been exposed online for the last 16 years.

His spokesperson has said the public isn't "particularly interested" in the issue, and while the classics-educated leader thinks a Trojan is merely a figure in a mythical war, most 21st century adults understand the dangers of leaking personal data onto the web.

In any case his mobile number is certainly of interest to foreign security agencies.

Figure 1: Nefarious network: Chinese police have recovered fake SIMs created by a ring including retailers, MVNOs, telco employees and more than 300 criminal gangs.
(Source: Brett Jordan on Unsplash)

In the fraud world, however, forget the global leaders – it's the ordinary mobile numbers that are prized.

To get a sense of the scale of the mobile fraud business, Chinese police have just broken up a ring that involved retailers, MVNOs, telco employees and more than 300 criminal gangs.

During the two-year probe they recovered 18 million illicit phone and IoT SIMs, weighing around 70 tons, Beike Finance reported this week. They also arrested 4,000 people and seized 30,000 computers and phones containing 67 million pieces of citizens' personal data.

Tangled web

At the center of the scam was a company called Shandong Yafeida IT Co., a retail agent that sold SIMs on behalf of several operator clients. It is not clear whether it worked directly with any of the big MNOs or just with MVNOs.

It used 18 shell companies to sign contracts and create fake sales contracts in collusion with operator employees, and then sold the fake SIMs to the fraudsters, shipping more than 10 million in 2018 alone.

Access to these dark SIMs opens the way to multiple scams.

One is SIM swap, well-known around the world, which takes advantage of the widespread use of SMS for two-factor authentication. It typically goes hand in hand with phishing or social media data scraping to get hold of personal data, which the scammers use to change the victim's mobile number.

Who are you?

The fake SIMs also allow scammers to take over people's social media or other accounts – a big deal in China where mobile payment is ubiquitous, and the WeChat app is commonly used for authentication.

A security expert told Beike Finance the SIMs enabled various kinds of online fraud, loan fraud and, possibly unique to China, impersonating public prosecutors.

Interested in Asia? Check out our dedicated content channel here on Light Reading.

This can be combined with scam phone calls, which have reached plague proportions in China.

Just last week, Hong Kong police arrested a man who had allegedly scammed HK$255 million (US$32.8 million) from a 90-year-old woman, where the caller had made her believe she was under suspicion of money laundering.

China has exacting mobile registration and authentication rules that require all mobile services be registered with the user's real name and details.

But these don't count for much when people at multiple levels of the industry are determined to engage in deception.

Related posts:

— Robert Clark, contributing editor, special to Light Reading