SIM Swap fraud cases must get the banking and mobile industries talking, says Aspect Software

Mobile expert urges banks to stop using ‘easy’ security methods and to work with network operators to innovate new detection and prevention methods

17/05/16 London, UK

Last night, Radio 4’s You and Yours programme once again covered the topic of SIM Swap fraud, a type of phishing that involves the fraudulent cancellation and reactivation of a victim’s SIM card to access personal and financial data. Keiron Dalton, a mobile security expert from Aspect Software, believes that the answer to helping combat this type of fraud is to cease using vulnerable SMS for verifying financial transactions, and to encourage greater collaboration between the telecoms and banking industries to leverage existing data assets.

Although no official figures have ever been released to detail the total damage that SIM Swap is causing victims in the UK, it is thought to be growing, due to increased public awareness and anecdotal evidence. In April, Halifax was reported to have had ‘hundreds’ of SIM Swap incidents every day.

“Case studies of SIM Swap incidents – particularly from the UK and southern African regions – can be found online with very little effort,” says Dalton, Senior Director of Customer Innovation and Strategy at Aspect. “But it isn’t a widely discussed problem yet, primarily because most banks find detecting and preventing it a huge challenge.”

Dalton said: “The case study used for You and Yours highlighted an important point, because the victim was defrauded twice using SIM Swap. Despite introducing a number of measures that seemed to be all human-led – for example a secret word – the fraudsters were able to cancel his SIM card once again. Fraudsters pride themselves on the art of persuasion, and despite the number of SIM Swap stories told publicly in the last couple of years, it seems to be pretty unchallenging to break an advisor’s training and bypass standard security measures. There is a lot to be said for eliminating the uncertain and instead, introducing a set of standard and robust checks for identity – such as voice biometrics – for anyone who calls into a network’s contact centre.

“Even if these checks are implemented, we have another vulnerability – the one-time passcode via SMS for verifying identity during a financial transaction. This is how fraudsters can transfer large amounts of money from a victim’s bank account, because they are now the new recipients of the passcode. Sending an SMS to a phone means the current landscape is about as attractive as it gets for the average mobile fraudster, as there are a number of ways in which criminals can obtain people’s identities and personal data. This makes mobile the gaping hole in an otherwise well-established firewall of multi-factor authentication methods that are more sophisticated than ever before,” he said.

Dalton continued: “The other problem is that when a bank discovers a mobile fraud threat through whatever means, it immediately gets to work to repair any damage that might have been incurred as a consequence. It doesn’t normally share information about the incident with the wider financial community so that it, too, can prepare for and deal with similar incidents. There is also little collaboration between banks and the networks when it comes to dealing with fraud.

“This is a missed opportunity. Banks and networks often have access to sophisticated insight into how people log their information and use networks. By working together, and through using sophisticated fraud detection technologies, banks can protect their accounts and customer data. This should include deploying multi-factor authentication technology that does not disrupt the customer experience – such as imperceptible SIM Swap, divert detection and location checks – to ascertain customer identity. In this way, banks can also avoid the frustration of having to block the bank accounts of people with legitimately reactivated SIM cards, and networks don’t need to cut anyone off,” he concluded.