Stéphanie Viriot from MEF Member Gemalto examines a specific form of fraud, the SIM card swap, in which fraudsters hijack a user's phone number by assuming the user's identity in their interactions with the mobile network operator.
A particular type of fraud has emerged in several countries. In markets where the share of prepaid subscribers is high and banks and service providers still rely heavily on SMS one-time passwords (OTP), criminals have seized on weaknesses in the processes operators use to renew a subscription by replacing the SIM card. It can be difficult for mobile network operators to enforce strict identity checks when a SIM is changed, so a fraudster posing as the subscriber can request a replacement SIM simply by claiming to have lost their phone.
To illustrate the problems involved, take a look at this example. Chris was sitting in his Nottingham home a fortnight ago when his iPhone suddenly stopped working. Within 75 minutes the fraudsters who had hijacked his phone had, through his online banking app, emptied his bank account of £1,200 and applied for an £8,000 loan in his name. But Chris is just the latest victim of a financial scam that is sweeping Britain: SIM-swap fraud.
But what is SIM swap fraud?
A fraudster gathers data on a bank customer through phishing or social engineering in order to gain access to their online or mobile banking portal.
With this data, the fraudster contacts the victim's mobile operator to have the SIM card replaced, or ports the number to another mobile network operator, keeping the same mobile number either way.
With a new SIM and the same mobile number, the fraudster now receives the bank's account authentication codes and payment transaction codes (SMS OTP).
The fraudster is then free to log in, add a new beneficiary account, transfer money and withdraw it.
SIM swap is becoming an increasingly common source of fraud. Asia Pacific, North America and India are seeing the most cases, but the phenomenon is global: many countries (UAE, Brazil, Colombia, South Africa, Singapore, Germany and the UK, to name only a few) have reported SIM swap fraud. A common factor is the pressure to fast-track enrollment in order to capture new customers while proper identity verification of mobile subscribers is still not enforced.
The mobile phone has become not only a ubiquitous extension of our daily life but also one of the cornerstones of our identity, allowing banks to identify us and to authorize card payments, online transactions and cash withdrawals. That is why mobile has also become the main target for criminals.
Clearly, SIM-swap fraud is a growing problem that needs to be stopped, and it needs to be addressed with strong, secure solutions. One approach banks are pursuing is to strengthen end-user identity verification so as to improve risk assessment and respond better to fraud.
Such a solution cannot rely only on data from the mobile network operator's provisioning system; on its own, that is not enough to inform the bank's risk assessment engine properly.
To optimize risk assessment, it is important to establish a set of rules that draw on multiple conditions and sources of information.
What if banks could get access to real time mobile operator network information to protect the end-user account?
This would include knowing about SIM swaps and device changes, but also access to roaming and location data and, where needed, device specifics, user behaviour analysis, IP intelligence and geolocation, among other signals. Everything would be collected securely and always with the end user's consent.
To show how such a solution would work, imagine a user is asked to validate a transaction with a one-time password sent to their mobile device. Before trusting that OTP, the bank obtains real-time insight from the operator, including the date of the most recent SIM swap on that number.
The bank can then decide whether the targeted subscriber's account shows signs of fraudulent activity and whether further authentication is required (a customer care call or a step-up authentication mechanism). If a customer's mobile account has been taken over, the bank can act before the fraudsters can withdraw funds, change passwords or add themselves as a new beneficiary for payments.
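To make the decision step concrete, here is an added example of how a bank's risk engine might combine the operator signals above (SIM swap date, device change, serving network) with transaction context to decide whether an SMS OTP can be trusted. This is illustrative code written for this article, not Gemalto's or any operator's product; the field names, weights, thresholds and decision labels are assumptions, and the scenarios at the end are constructed, not real customer data. It also handles the case a practitioner should not forget: when the operator lookup fails, the absence of an answer is not evidence that no swap occurred, so the engine fails closed rather than open.

```python
"""Deciding whether to trust an SMS OTP using real-time operator signals.

Added example, not from the original post. Field names, weights, thresholds
and decision labels are assumptions for illustration, not a real API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ALLOW = "allow_sms_otp"   # OTP over SMS is acceptable for this transaction
STEP_UP = "step_up"       # require a stronger factor or a customer-care call
BLOCK = "block"           # do not send the OTP; hold the transaction


@dataclass
class OperatorSignals:
    """What the bank gets back from the operator query (assumed fields)."""
    lookup_ok: bool                               # False if the query failed
    last_sim_swap: Optional[datetime] = None      # None: no swap on record
    last_device_change: Optional[datetime] = None
    network_country: Optional[str] = None         # country of the serving network


@dataclass
class TransactionContext:
    at: datetime
    amount: float
    home_country: str
    new_beneficiary: bool


@dataclass
class RiskDecision:
    action: str
    score: int
    reasons: List[str] = field(default_factory=list)


def _age(event: Optional[datetime], now: datetime) -> Optional[timedelta]:
    """Time since an event, or None if unknown or in the future (clock skew)."""
    if event is None:
        return None
    delta = now - event
    return delta if delta >= timedelta(0) else None


def assess_otp_risk(sig: OperatorSignals, tx: TransactionContext,
                    recent: timedelta = timedelta(hours=2),
                    window: timedelta = timedelta(hours=72),
                    high_value: float = 1000.0) -> RiskDecision:
    """Additive score over the signals; weights are illustrative assumptions."""
    score, reasons = 0, []

    if not sig.lookup_ok:
        # Fail closed: an unanswered query is not evidence that no swap happened.
        score += 30
        reasons.append("operator lookup unavailable")

    swap_age = _age(sig.last_sim_swap, tx.at)
    if swap_age is not None and swap_age <= recent:
        score += 60
        reasons.append(f"SIM swapped {int(swap_age.total_seconds() // 60)} min ago")
    elif swap_age is not None and swap_age <= window:
        score += 40
        reasons.append(f"SIM swapped within the last {window.days} days")

    dev_age = _age(sig.last_device_change, tx.at)
    if dev_age is not None and dev_age <= window:
        score += 15
        reasons.append("device changed recently")

    if sig.network_country and sig.network_country != tx.home_country:
        score += 20
        reasons.append(f"serving network {sig.network_country}, home {tx.home_country}")

    if tx.new_beneficiary:
        score += 15
        reasons.append("payment to a newly added beneficiary")
    if tx.amount >= high_value:
        score += 10
        reasons.append("high-value transaction")

    action = BLOCK if score >= 70 else STEP_UP if score >= 40 else ALLOW
    return RiskDecision(action, score, reasons)


def sample_decisions() -> dict:
    """Constructed scenarios (not real data) run through the scoring."""
    now = datetime(2017, 3, 1, 10, 0, tzinfo=timezone.utc)
    cases = {
        "legitimate": (OperatorSignals(True, None, None, "GB"),
                       TransactionContext(now, 50.0, "GB", False)),
        "swap_40_min_ago": (OperatorSignals(True, now - timedelta(minutes=40),
                                            now - timedelta(minutes=35), "GB"),
                            TransactionContext(now, 1200.0, "GB", True)),
        "swap_2_days_ago": (OperatorSignals(True, now - timedelta(days=2), None, "GB"),
                            TransactionContext(now, 200.0, "GB", True)),
        "lookup_failed": (OperatorSignals(False),
                          TransactionContext(now, 5000.0, "GB", True)),
    }
    return {name: assess_otp_risk(s, t) for name, (s, t) in cases.items()}


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name}: {d.action} (score {d.score}) {d.reasons}")
```

The "swap_40_min_ago" scenario mirrors the Chris case above: a SIM swapped less than two hours before a high-value transfer to a new beneficiary is blocked outright, whereas an older swap or a failed operator lookup only forces step-up authentication, and a clean profile is allowed to use SMS OTP as before.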
What about subscriber consent?
Managing user consent in line with privacy-by-design regulation is becoming mandatory in many countries. Implicit consent can to some extent be covered by the bank's customer contract, but market regulators increasingly require explicit consent, meaning the user must give digital consent before the bank or service provider can make further use of their data.
A good way to manage explicit subscriber consent is through the mobile digital channel itself.
Once the subscriber has given consent, rules can be set on an opt-in basis.
Preventing SIM-swap fraud is really about stopping the problem at its source, which means making it as difficult as possible for fraudsters to lie about who they are to phone operators and financial institutions.
This post originally appeared on the Gemalto blog and is reused with kind permission.