Identity fraud has risen significantly over recent years, with scammers exploiting the growing amount of personal information available on digital platforms in order to obtain goods or services in the name of their victim. The relevant information can be gathered in a variety of ways, ranging from breaches of customer databases to simply analyzing social media profiles. A particularly sophisticated method that has emerged is known as SIM swapping, whereby criminals trick their way into gaining access to the victim’s SIM card, enabling them to receive their calls and SMS messages, leading to devastating consequences such as account takeovers. Just last week it was revealed that British law enforcers arrested eight men on suspicion of running a SIM swapping ring targeting US celebrities and sports stars.
To find out more about how this scam works, and what more telephone providers and individuals can do to combat it, Infosecurity spoke to Mijo Soldin, director operator strategy and partnerships at IT and telecommunications firm Infobip.
What is SIM swapping and why does it pose such a security risk to consumers?
There are plenty of reasons why you would swap your SIM. Say you’ve lost your phone or bought a new one – but your old SIM card doesn’t fit. Or maybe your SIM card was damaged, or you found a better deal with a new operator. It’s a perfectly legitimate process, but one which sadly many fraudsters are looking to exploit.
A SIM swap criminal uses confidence tricks and online stalking to impersonate someone like me or you to an operator to gain access to a brand new SIM card controlled by them. Through this, they can intercept phone calls, SMS messages, social network accounts and banking passwords, all the information they need to build a profile of a victim.
In under 30 minutes, fraudsters can use this profile to take over accounts, transfer money to themselves and steal, not only life savings, but potentially your identity.
To what extent has this threat grown and evolved over recent years?
Figures from Action Fraud show the number of people falling victim to this type of scam has rocketed by 400% since 2015, resulting in losses of more than £10m for UK consumers.
It’s a concerning statistic – and companies around the world are lagging when it comes to improving their security measures to counter such threats. Over three-quarters (77%) of enterprises rely solely on usernames and passwords to authenticate mobile users, and as few as 28% of people use phone-based two-factor authentication.
A username and password are the first lines of defense – but they shouldn’t be the only ones. Layering your security will help you better protect your customers, and, if done right, it can also improve their overall experience.
What steps should consumers be taking to protect themselves from SIM swapping?
My concern is that the advice given to consumers to stop them falling victim to SIM swapping isn’t up to scratch. People are often advised to avoid giving away too much information on social media, be cautious with the emails they open and respond to, and to use more complex passwords. While this is always best practice, it doesn’t necessarily prevent SIM swap fraudsters, and people tend to only find out they’re a victim when their phone stops working, or they discover they are unable to access bank and credit card accounts – i.e. when it’s too late.
Consumers can of course be extra vigilant. Contact your operator the moment you receive unsolicited texts or emails about your SIM being ported or a PAC request, or if you unexpectedly lose phone service. The same applies to contacting banks in case a fraudster attempts to make a transfer online or over the phone.
Much of the onus, however, should be on the verification services operators have in place to protect their customers.
How can telco providers and businesses effectively communicate this threat to consumers? Can establishing a global security standard for telco providers reduce this threat?
I believe setting a global verification standard to confirm a person’s mobile identity is imperative in preventing SIM swap scams. This standard needs to be set by telcos, who have all the information needed to verify an identity securely but, most importantly, in real time. For example, if somebody rang up a business with a query, the company could silently authenticate the person in the background using the information held by telcos, removing the need for the customer to answer a series of onerous security questions. At the same time, if any irregularities are identified during the frictionless check, the suspicious activity is flagged, and a SIM swapping attempt could be stopped dead in its tracks.
This is how Infobip’s Mobile Identity authentication solution works. By checking for any changes to your IMSI (International Mobile Subscriber Identity) number – or more simply put ‘telecom account data’ – it can confirm the mobile account activation date. If there is no concern, authentication will happen silently in the background without interrupting the user experience. However, if that IMSI number has changed recently, this will be flagged as suspicious activity. The user will then be contacted by the service provider and asked for additional verification.
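The check described above, written out as an added example for defenders (this is illustrative code, not Infobip’s Mobile Identity product or its API). It assumes the operator can return, for a phone number, the current IMSI, the activation time of that SIM and whether a port-out/PAC request is open; the business stores only a salted hash of the IMSI it saw at enrollment; the 72-hour “recent change” window, the salt and all subscriber records are constructed values.

```python
"""SIM-swap risk check in the style of a silent mobile-identity verification.

Added example, not vendor code. The OperatorLookup shape, the 72-hour window
and every sample record below are assumptions/constructed test data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    SILENT_OK = "silent"    # no irregularity: authenticate in the background
    STEP_UP = "step_up"     # flagged: provider contacts the user for extra verification


@dataclass(frozen=True)
class OperatorLookup:
    """What the telco returns for a number (assumed shape)."""
    msisdn: str
    imsi: str
    sim_activated: datetime        # activation time of the SIM currently on the line
    port_request_pending: bool     # an open port-out / PAC request on the number


@dataclass(frozen=True)
class EnrolledIdentity:
    """What the business stored when the customer first verified the number."""
    msisdn: str
    imsi_fingerprint: str          # salted hash; the raw IMSI is not retained


SALT = b"constructed-example-salt"          # constructed; use a per-deployment secret
RECENT_CHANGE_WINDOW = timedelta(hours=72)  # assumed policy threshold


def fingerprint(imsi: str) -> str:
    """Hash the IMSI so the business never stores the subscriber identifier itself."""
    return hashlib.sha256(SALT + imsi.encode()).hexdigest()


def assess(enrolled: EnrolledIdentity, lookup: OperatorLookup, now: datetime,
           window: timedelta = RECENT_CHANGE_WINDOW) -> tuple[Decision, list[str]]:
    """Return the authentication decision plus the irregularities that drove it.

    Any single irregularity is enough to step up; none means silent success.
    A legitimate SIM replacement also trips the recency rule, which is the
    intended behaviour: the customer gets one extra check, not a lockout.
    """
    reasons: list[str] = []
    if enrolled.msisdn != lookup.msisdn:
        reasons.append("operator record is for a different number than enrolled")
    if fingerprint(lookup.imsi) != enrolled.imsi_fingerprint:
        reasons.append("IMSI differs from the one verified at enrollment")
    age = now - lookup.sim_activated
    if age < window:
        reasons.append(f"SIM activated {age} ago, inside the {window} window")
    if lookup.port_request_pending:
        reasons.append("port-out/PAC request pending on the line")
    return (Decision.STEP_UP if reasons else Decision.SILENT_OK), reasons


# Constructed sample data: one long-standing SIM and one swapped five hours ago.
NOW = datetime(2021, 2, 15, 12, 0, tzinfo=timezone.utc)
ENROLLED = EnrolledIdentity("+447700900123", fingerprint("234150000000001"))
LEGIT = OperatorLookup("+447700900123", "234150000000001",
                       datetime(2019, 6, 1, tzinfo=timezone.utc), False)
SWAPPED = OperatorLookup("+447700900123", "234150000000099",
                         NOW - timedelta(hours=5), False)


def demo() -> dict[str, tuple[Decision, list[str]]]:
    """Run both constructed cases and return the decisions keyed by case name."""
    return {
        "legit": assess(ENROLLED, LEGIT, NOW),
        "swapped": assess(ENROLLED, SWAPPED, NOW),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision.value}", *reasons, sep="\n  ")
```

The decision is deliberately “step up”, never “block”: the telco data cannot tell a fraudulent swap from a customer who genuinely replaced a lost handset, so the irregularity routes the session to additional verification rather than refusing it, which is what keeps the check frictionless for the large majority of sessions that raise no flag.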
What other measures should telco providers be taking to help protect consumers from this tactic?
It’s about ensuring security is synonymous with customer experience and trust. Many businesses are looking at ways to remove friction from customer interactions to ensure the experience is as quick and as seamless as possible. Some critics, however, assume that removing friction will reduce security and make customers feel less confident in their interactions with a business. However, a smooth approach should not compromise security.
A strong authentication layer should consist of at least three real-time identification and authorization services. At Infobip, this includes silent mobile verification (SMV), account takeover protection (ATP) and SIM Swap. What’s more, these checks should happen ‘behind the scenes’ as part of the customer journey.
This is even more important when we consider the imminent European PSD2 (Payment Services Directive 2) regulation, which comes into effect this September. The main provision of PSD2 is strong customer authentication (SCA) – i.e. reducing fraud while increasing authorization rates. To meet SCA requirements, businesses must implement security measures – made up of at least two real-time identification and authentication services – when customers make an online purchase. This allows businesses both to authenticate the customer’s identity and to validate that they are the valid holder of the credit card they’re using to complete the purchase.