Duplicate SIM issued without biometric — Rs8.5 mln wiped from Karachi man’s account
By Salman Lodhi
Oct 23, 2025

KARACHI: A citizen lost Rs8.5 million after fraudsters obtained a duplicate of the SIM card linked to his bank account, issued without biometric verification, an NCCIA investigation report has revealed.
According to the report submitted to the court, the National Cyber Crime Investigation Agency (NCCIA) uncovered serious security lapses in both a private bank’s digital system and a mobile phone company’s verification process, raising major questions over their OTP and anti-fraud mechanisms.
Investigators found that the duplicate SIM was illegally issued from Hyderabad without biometric authentication. Soon after the issuance, more than 100 unauthorized transactions were made through a private bank account, draining Rs8.5 million, the report stated.
The report further disclosed that on the evening of September 29, the victim, identified as Sunny Kumar, was at Dolmen Mall Karachi between 7 and 8 pm when his mobile phone suddenly lost service. When he later visited his mobile company’s franchise, he was shocked to learn that a duplicate SIM had been issued from Hyderabad.
That SIM, investigators said, was directly linked to his bank account, which enabled the culprits to access one-time passwords (OTPs) and execute a series of online transfers within hours. The stolen amount was later dispersed across multiple bank accounts, the NCCIA report revealed.
Officials from both the private bank and the telecom operator were summoned for questioning. However, the report noted that neither institution provided complete evidence despite repeated requests. The bank reportedly failed to share login records, location data, IMEI and IP addresses, or its internal investigation findings.
Similarly, the mobile company’s administration was asked to furnish details of the biometric verification device, the franchise owner who issued the duplicate SIM, and the identity of the individual who purchased it, but the firm only provided incomplete and unsatisfactory information, according to the report.
The NCCIA stated that the private bank was given until October 14 to supply all relevant digital logs and standard operating procedures, but it submitted only partial data. The telecom operator also failed to respond adequately to 48 detailed questions regarding SIM issuance, biometric verification, and internal security controls.
Investigators concluded that the incident was a planned cyber-financial fraud, carried out through unauthorized activation of a duplicate SIM and exploitation of weaknesses in digital banking systems.