How widespread is SIM Swap fraud? And how effective is the industry rearguard against it? MEF gathered three experts to share their insights. Here are the highlights…

When mobile penetration went close to 100 per cent in most regions, it became obvious that the phone could be an excellent tool for authentication.

Simply send a text to a customer to say: ‘is this really you?’.

The phone is unique and personal and pretty much always within reach. A fraudster can steal your password and your personal details, but not your phone.

Watch the MEF Webinar in full

But fraudsters are not easily deterred. They know they can’t intercept the authentication message or the handset (without violence). But they can intercept the SIM. How? By posing as the victim and tricking MNO staff into changing it over.

Once they have the SIM, they can contact a bank, request a transfer and receive/approve the authentication PIN.

This, of course, is SIM Swap fraud.

It’s important to remember that SIM Swap is a relatively rare occurrence. Every day banks send millions of authentication messages without any problem.

But when it does occur, the distress caused to individual victims is considerable. And for the industry there is the risk of reputational damage and financial loss.

SMS is a great tool for authentication. It works out of the box on all handsets, and isn’t susceptible to malware. There are no costs for banks in terms of extra hardware or infrastructure. So let’s not throw the baby out with the bathwater.”

In 2019, it was reported that British bank customers lost more than £9.1million in SIM Swap scams over the last five years. In that time,  4,495 people fell victim.

Other countries fared worse. In 2018, the South African Banking Risk Information Centre (Sabric) reported 13,438 incidents in 2017.

The messaging ecosystem is taking action. Banks, MNOs and industry aggregators are using a combination of technology, shared practice and consumer education to tackle the problem.

As part of the Fraud Management Work Stream of its Future of Messaging Programme, MEF hosted a webinar to discuss SIM Swap and the best ways to tackle it.

 

The speakers were:

  • Allister Fraser – BT/EE, Senior Product Manager
  • Fabien Delanaud – Myriad Group, CEO
  • Willem Marais – Bank security consultant, South Africa

Here are the highlights…

SMS is not the problem

It’s important not to confuse the medium of SMS with the crime of SIM Swap fraud. Allister Fraser said: “SMS is a great tool for authentication. It works out of the box on all handsets, and isn’t susceptible to malware. There are no costs for banks in terms of extra hardware or infrastructure. So let’s not throw the baby out with the bathwater.”

Combating fraud is a process – because the fraudsters never stop

Regrettably, criminals work hard to maintain their activities. This is why, said Willem Marais, banks and MNOs can never stop looking for new types of protection. “We are always working with operators. But sadly the fraudsters evolve with us. From my experience we have a week until they have a workaround for most measures.”

Social media helps the hackers

Fraudsters looking for personal information with which to deceive an MNO employee can find plenty on social networks. Delanaud said: “Birthdays, your mother’s maiden name, place of birth – it’s all on social media. Fraudsters are very convincing. They will find this information and use it to trick people.”

Podcast >

Or Listen on

Spotify Logo Apple Podcasts Logo Breaker Logo Google Podcasts Logo Overcast Logo Pocket Casts Logo RadioPublic Logo

Network APIs are working well to reduce SIM Swap fraud

One effective anti-fraud measure is the network API. Banks can use it to check how recently a SIM Swap was made.

Fraser said: “In the UK, we can now give a date and time stamp on a SIM Swap. So if a person requests a big bank transfer and the bank can see that the SIM was swapped 20 mins ago, they can say ‘whoa’ and make further checks.”

Delanaud added that Myriad has seen how effective network APIs can be in addressing SIM swap fraud. “But the challenge is to implement it with all operators across the world,” he said.

We are always working with operators. But sadly the fraudsters evolve with us. From my experience we have a week until they have a workaround for most measures.”

When SIM Swap fails, fraudsters try to dupe the victim

Regrettably, fraudsters don’t always have to steal a person’s SIM to acquire a person’s one time passcode (OTP). Instead, they can just ask them for it.

Fraser explained: “If a criminal already has a person’s bank details, they can call and pretend to be from the bank. They’ll say the account has been hacked and that they are sending over an OTP. At this point the victim is in a panic and just reads the code back to the fraudster. That’s really tough to stop.”

Willem Marais added: “We’ve seen some criminals move to this tactic. It requires a lot of skill, but unfortunately it does work.”

SIM Swap fraud is probably under-reported

It’s difficult to make an accurate assessment of the scale of SIM Swap fraud. Naturally, stakeholders do not want to discuss the problem in too much detail. However, Allister Fraser believes it may be understated. “Banks aren’t going to be that forthcoming about this. The £9.1million UK figure is probably too low.”

Fabien Delanaud agreed, and added that individual losses can be very high. “When fraudsters use social engineering to access personal details and a Sim Swap hack, the amount of money that’s lost can be huge. In the US, there have been losses of millions in the case of hacked cryptocurrency accounts.”

USSD offers an effective method for authenticating

USSD is a useful alternative to SMS since it provides an out-of-band authentication. With USSD the authentication is not done over the same (potentially compromised) channel as the transaction. It also provides a more integrated experience.

This is the method Myriad uses to provide a real time check. “We don’t send an OTP, we just ask for a yes/no confirmation,” said Delanaud. Another benefit is that USSD messages are real time and not stored. Therefore Myriad’s technology ensures these messages cannot be accessed by “compromised” people inside a network operator or bank.

Tim Green

Features Editor, MEF Minute