SIM swap fraud has evolved in the last two to three years, according to Nuance Chief Fraud Prevention Officer Simon Marchand. What used to be a part of usage fraud schemes with little impact on telecoms has evolved and is now part of much more complex fraud schemes against consumers.

SIM fraud honeypot has gotten much bigger

“By now SIM swap fraud has evolved into a method to intercept two-factor authentication messages and empty out banks accounts and crypto wallets held on bank apps by end-users,” Marchand says.

Telecoms’ vulnerability to SIM swap fraud makes sense because it mimics how their businesses run regularly and are structured. “[Legitimate SIM swap] is a very standard operation like changing an address,” says Marchand. He estimates that telecoms in Canada experience 20,000 to 50,000 SIM swaps per day with the absolute vast majority of them being legitimate.

When crime still pays for the good guys

Stopping these small-time fraudsters by adding multiple active identity authentication steps as part of their know your customer (KYC) process is not necessarily in the telecoms’ own financial best interests.

“If you add in the friction to a legitimate SIM swap you are pretty much ruining your customer experience because that is the only time the customer is calling you,” says Marchand. That means the telecoms are willing to take more risks. The potential losses are so small in comparison to the cost of bad customer experience.

Meanwhile, most mobile operators have contracted out their call center to third-party operations all around the world, including the Philippines, India and the cheaper parts of North America. These cultural and geographic differences make it very difficult to implement new processes or control the quality of the KYC identity process. This can especially be true if your agents aren’t your employees and you cannot keep an eye on their behavior at all times.

Humans are the most vulnerable step of the process when it comes to SIM swap fraud, agrees Richard De Vere, a director of Anti-Social Engineer a UK-based penetration testing company that helps customers prevent breaches. In the UK, the requirement to provide number portability (switch sims) has been forced upon cell operators by regulators and they’ve done this in the cheapest possible way without too much thought for security implications.

Corporate responsibility beyond fighting drug cartels

Most telecoms have taken a while to understand that they are not just defending themselves from fraud but have also become weak link in a chain of defenses against online fraudsters hitting other institutions. The telecoms provide their own service, and conduct their own credit checks to estimate the likelihood a customer opening a bad account that will default and/or steal a handset. However, they are examining and accepting risk only for their own possible losses and are not acting as guarantors of corporate social responsibility even if they are de facto treated as such for when it comes to making sure their services are not used for criminal and or terrorist activities.

Marchand says that perceptions began to shift amid a changing regulatory environment in North America, after Canada implemented a Privacy Act in November 2018. Sim card swaps are now perceived in Canada as a privacy issue that must reported to the privacy commissioner. Failure to do by a telecom incurs a fine of up to CAD 100,000 ($75,000) per case. That means that telecom must not only look at their own risk management in terms and customer acquisitions. They must also play a much bigger role of protecting their own customers and, by extension, customers’ other assets and accounts from being defrauded.

De Vere, the UK-based anti-social engineer, agrees with the need for legal enforcement to impact commercial decisions. “People often forget that a business doesn’t have compassion or empathy, their main objective is to make money,” says De Vere. “Imposing a financial penalty will mean [the telecoms] will look at this through the eyes of a business.”

Unfortunately, both Marchand and De Vere say that neither of them is aware of any significant fines or regulatory enforcement regulatory actions against telecom violators until now.

“What is clear is that governments are starting to take actions to make the carriers responsible and others like them for protecting their customers’ information,” say Marchand. “Because now… your phone is such a major part of your identity and used in multiple aspects of your life.”

Adding layer of voice biometrics to security

Nuance fights sim swap takeover attempt to a large degree by using a voice biometric signature from the end user. This passively (i.e. frictionless) validates the user identity when a SIM swap is required, although it is not always enough. However, they now include many another non-voice data elements in several solutions on the market, such as the Security Suite solution sold by Marchand’s employer.

Voice biometrics by itself, in theory, should be really effective in preventing SIM swap fraud says De Vere, a director of Anti-Social Engineer. “In reality, accuracy levels are turned down to avoid consumers running into problems when accessing their accounts,” he says.

The result is that voice biometrics should and increasingly is one of the important solution layers for preventing SIM swap fraud, but not the only layer in place at telecoms and FIs. Additional layers of authentication whether passive or active are still required.

Fraudsters filling in the SIM swap gaps

What is true is that fraudsters are moving fast to exploit this SIM card gap in the secure identity chain. Marchand estimates a two-to-three year evolution in SIM swap fraud. However, experts at a major anti-fraud vendor that requested to remain anonymous informed About-Fraud.com that there are already fraudsters sites set up to enable criminals to take over fake app accounts using SIM swap for several years now.

For example, there is a website where people ran register specific phone UK numbers with a popular dating app, and send the one-time password (OTP) and then put the OTP on the website. This creates a virtual SIM inbox in which criminals can use it to register with a fake phone number and a fake account on other sites for a variety of purposes including catfishing.
Moreover, this one app account can and is being freely used online by a lot of other users, with multiple fraudsters taking advantage of one account.

“I can go on [the app] using either name or even just phone number and say this is my number,” says an account director at fraud vendor with major offices in Europe. “I will receive a password for re-setting the number and I can log-in to the account. It’s a way to get around two-factor authentication (2FA).”

However, SIM card parameters are other increasingly available data points that can be used to catch the fraud. “Knowing when a user activated their current SIM card (or last ported their number) could stop the attack,” said the anonymous vendor’s solutions architect

Using SIM activation timestamps

By using a SIM activation timestamp, any business can stop catch, deter and prevent SIM swap fraud. Notably this applies to banks, cryptocurrency wallets, social media, and all forms of e-commerce companies where customers have high-value accounts are most at risk,

The problem in acquiring the data to fight sim swap fraud is the enormous bureaucracy that comes with buying data from large scale enterprises, according to the solutions architect. Basically, when you want to collect data you must negotiate with every carrier in the country, and only sometimes they offer high value data points for preventing fraud.

“We have porting status and porting history data from telecoms in some countries,” says the solutions architect. However, she admits, her vendor’s coverage is still far from complete and global in this respect. It’s an ongoing project and work in progress there.

“Any business can benefit from monitoring exactly when a customer’s SIM card was activated to block such fraud,” says the account director. “Not only would you be protecting their customers, you could be shielding yourselves from costly lawsuits that could cause permanent damage to your brand. A lawsuit is just the beginning of your problems as the reputational damage to your company accumulates.”

Winter is coming in phone identity

The bottom line is that telephone identity data is becoming more valuable as technology spreads both for traditional FIs and underserved markets and the amount of damage that stolen SIM card accounts can do multiplies.

Whether you find the right solution with Nuance, other third party vendors or just focus on better ways to improve in-house data controls, the battle over the smartphone has now begun. Be prepared before winter arrives.