SIM-swap fraud – the gaps that need to be filled
Digital banking fraud is a growing concern for all of us, and few fraudulent exploits make more news than illegal SIM swaps. SIM-swap fraud is gaining enormously in popularity internationally. Eliminating it requires an understanding of the approach cyber criminals take and the vulnerabilities they exploit.
The ins and outs of SIM-swap fraud
SIM-swap fraud emerged fairly recently as fraudsters adapted to the added security layer provided by SMS-based authentication, which commonly takes the form of a one-time password (OTP). Before banks started using SMS OTPs, fraudsters made use of tactics such as phishing to gain access to consumers’ usernames and passwords. This gave them access to accounts and the ability to fraudulently transfer funds. SMS-based authentication, however, meant that they had to add a second phase to their attacks. One approach they have taken is to obtain personal information about an individual (names, ID numbers, physical addresses and other details) through a scam email or SMS, or even through social media.
They then approach a mobile service provider with sufficient information to misrepresent themselves as the mobile number owner and request a SIM swap. (They can also recruit dishonest employees of the mobile operator in a more direct but riskier plan of attack.) Once access has been gained to the mobile number, it is possible to intercept the second factor of authentication, such as the OTP.
Plugging the gaps
There is much debate over whose responsibility it is to prevent this kind of ploy, and who is liable to compensate those who lost money through it. The reality is that both consumers and service providers have a role to play.
The consumer perspective
There are a number of simple precautionary measures that should be taken into consideration when interacting and transacting online. Avoiding accessing a site via a link contained in an email, and instead typing the URL of the desired site into the browser, is a golden rule, particularly when dealing with digital financial services. Additional strategies include ensuring the site being used is secure (indicated by the lock symbol and https:// prefix), checking a site’s security certificate, activating two-factor authentication on all sites that support it and using a variety of usernames and passwords across different sites.
The responsibility of business
While consumer education is important, it behooves businesses and financial institutions to do everything they can to protect consumers from falling victim to fraudulent schemes such as SIM swaps. Two-factor authentication is absolutely a step in the right direction. However, considering that SMSs are easily intercepted, OTPs and similar authentication techniques have been vulnerable from the start. If you are going to use the mobile phone for user authentication – and, indeed, it is fast becoming the preferred means of doing so worldwide – all communication to and from the device must be encrypted from end to end. In addition, the device receiving the relevant communication should be uniquely identified using a digital certificate protected on the phone, rather than through easily obtainable information such as the mobile number. More generally, the focus should always be on staying up to date on technological developments and emerging attack vectors, the better to anticipate future threats and counter them before they become a major headache.
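The difference between a second factor tied to the mobile number and one tied to the device itself can be shown in a small simulation. This is an added illustration, not code from the article or from Entersekt; it uses an HMAC under a random per-device secret as a stand-in for signing with a certificate's private key, and the customer name, phone number and transaction text are constructed sample values.

```python
import hashlib
import hmac
import secrets

def sign(key, nonce, transaction):
    # Response to a challenge: MAC over nonce and transaction under the device key.
    return hmac.new(key, f"{nonce}|{transaction}".encode(), hashlib.sha256).hexdigest()

class Device:
    # The key stands in for the private key of a certificate kept on the phone.
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.inbox = []  # SMS delivered to whoever currently holds the SIM

class Bank:
    def __init__(self):
        self.sms_otps = {}     # phone number -> pending OTP
        self.device_keys = {}  # customer -> key registered at enrolment
        self.challenges = {}   # customer -> (nonce, transaction)
    # SMS OTP: the second factor is whoever currently controls the number.
    def send_sms_otp(self, number, sim_holder):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sms_otps[number] = otp
        sim_holder[number].inbox.append(otp)  # operator routes SMS by number
    def verify_sms_otp(self, number, otp):
        return hmac.compare_digest(self.sms_otps.pop(number, ""), otp)
    # Device-bound: the second factor is a key only the enrolled handset holds.
    def enrol_device(self, customer, device):
        self.device_keys[customer] = device.key
    def issue_challenge(self, customer, transaction):
        nonce = secrets.token_hex(16)
        self.challenges[customer] = (nonce, transaction)
        return nonce
    def verify_device_response(self, customer, response):
        nonce, transaction = self.challenges.pop(customer)
        expected = sign(self.device_keys[customer], nonce, transaction)
        return hmac.compare_digest(expected, response)

def simulate_sim_swap():
    # Returns (sms_otp_accepted, device_response_accepted) after a SIM swap.
    bank, number = Bank(), "+27000000000"  # constructed sample number
    victim, attacker = Device(), Device()
    sim_holder = {number: victim}  # operator's mapping of number -> handset
    bank.enrol_device("alice", victim)
    sim_holder[number] = attacker  # the SIM swap: number now reaches the fraudster's handset
    bank.send_sms_otp(number, sim_holder)
    otp_ok = bank.verify_sms_otp(number, attacker.inbox[-1])
    nonce = bank.issue_challenge("alice", "pay 5000 to 123")
    device_ok = bank.verify_device_response("alice", sign(attacker.key, nonce, "pay 5000 to 123"))
    return otp_ok, device_ok  # (True, False)
```

The SMS OTP is accepted because the operator delivers it to whichever handset holds the number, while the device-bound challenge fails because the key registered at enrolment never left the customer's phone.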
——————————————-
The Author – Schalk Nolte is the CEO of Entersekt, the first company in the world to provide transaction authentication on mobile phones using certificate technology, securing millions of transactions each day and enabling financial institutions and other enterprises to communicate interactively with their customers through a mobile device. Having worked at several large telecom companies, with a focus on technology and network deployment as well as on building the teams to put these into practice, Schalk joined Entersekt as the CEO in 2009, bringing with him extensive experience and a wealth of knowledge of the mobile technology sector.