The Battle Against SIM Swapping
There are more people connected to mobile devices than any other communications platform—a whopping 5.1 billion, which is astounding considering that there are just under 8 billion people in the world.
So, is it any wonder that communications fraud continues to be a lucrative criminal business, affecting residential and commercial customers and driving up operating costs for carriers?
In 2019, the Communications Fraud Control Association (CFCA) conducted a comprehensive worldwide survey that identified historical trends and stark anomalies among leading carriers. Its findings showed that “compared to 2017, fraud losses as a percent of global telecom revenues grew 37 percent to $28.3 billion USD” in 2019.
Despite some operators’ increased measures to minimize fraud and reduce their losses, criminals continue to abuse communications networks and services. This is supported by the CFCA survey, which pointed out that a perceived lack of interest and understanding by law enforcement has led as much as 10 percent of the survey respondents to stop reporting fraud cases altogether.
It is not only law enforcement agencies but also the carriers themselves that are struggling to get a better understanding of communications fraud, especially in the United States. While 81 percent of respondents in the CFCA survey reported having more than 10 years of telecom experience, more than half of them have been in fraud management for less than seven years. Managing subscription and payment fraud, PBX hacking, IP PBX hacking, and Wangiri can be daunting even for a seasoned cybersecurity expert. But one of the greatest threats facing United States carriers is SIM card swapping—an issue about which their counterparts in emerging markets have a great deal of knowledge.
How Emerging Markets Are Aggressively Managing SIM Swapping
SIM card swapping is sometimes referred to as simjacking, port-out scamming, SIM splitting, or SIM hijacking. But whatever name it goes by, it is a growing global threat and the latest trick up the sleeves of hackers looking to take over victims’ accounts. The GSMA, a group that represents the worldwide mobile communications industry, published a paper showing how aggressively SIM-swapping policies are being addressed in 155 countries around the world.
In some circumstances, these governments require mobile network operators (MNOs) to capture a user’s photograph, fingerprints, and other biometric attributes to complete SIM registration. Of these countries, 8 percent require MNOs to use biometric authentication processes when registering their prepaid SIM customers. In a few instances, MNOs are proactively introducing biometric authentication processes in anticipation of government mandates.
The GSMA categorized the mandates in three ways:
- Capture and Store: MNOs are required to capture and keep a record of a set of personal information about the SIM user. The required information varies from jurisdiction to jurisdiction. As of January 2020, about 81 percent (126 of 155) of countries mandating SIM registration follow the capture-and-store approach.
- Capture and Share: MNOs are required to capture and share the SIM user’s personal information proactively with the government or regulator rather than upon demand. As of January 2020, 6 percent (10 of 155) of countries mandating SIM registration follow this approach.
- Capture and Validate: MNOs are required and enabled to validate their customers’ identification credentials against a central government database (usually maintained by a government authority or regulator) or a credential held by the customer (such as a chip-based smart ID card). As of January 2020, 12 percent (19 of 155) of countries that implement SIM registration allow mobile network providers to verify customers’ identification credentials against an approved government database or credential to facilitate the validation process.
There is a clear role for the use of biometrics in a telecommunications environment because it helps create opportunities for digital and financial inclusion and places mobile devices at the heart of the campaign to reduce existing barriers.
But can mature markets learn from emerging markets when it comes to user authentication?
Taking a Hands-off Approach
While many telecoms in emerging markets are implementing proactive user authentication methods, telecoms in some mature markets, such as the United States, have been taking a “hands-off” approach, despite growing costs, consumer complaints, pressure from the House and Senate, and most notably, proven success in other parts of the world. “This is something where Africa is ahead of us,” says Allison Nixon, director of security research at security firm Flashpoint. “It’s something people have been asking for in the US, but no one has really moved forward to do it.”
As the astronomical costs in punitive damages mount, however, this may change.
The United States, one of the largest countries hit with SIM swapping, saw a case in 2019 where AT&T failed to win a dismissal in a $24.8 million crypto SIM-swap lawsuit. The plaintiff, who is seeking $23.8 million in compensatory damages and a further $200 million in punitive damages, has claimed that an AT&T employee was complicit in a SIM-swap fraud. And AT&T is not the only carrier that has been accused of insider collusion—companies such as T-Mobile and Verizon have seen multiple cases involving employees accepting bribes from fraudsters.
However, fraudsters’ occasional bribing of employees is nothing compared to the prevalence of SIM swapping. Just ask Twitter CEO Jack Dorsey, who has been a victim of SIM swapping himself; in just 30 minutes, scammers seized his account to discredit him by posting tweets that included racial insults, expressed support for Adolf Hitler, and advocated desecration. Food writer Jack Monroe was another victim of SIM swapping, with fraudsters stealing 5,000 euros from his bank accounts.
In 2020, the Department of Computer Science and Center for Information Technology Policy at Princeton University released a research study, “An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” that evaluated the security of the top five US carriers—Verizon, AT&T, T-Mobile, US Mobile, and Tracfone—and concluded all five “used insecure authentication challenges that could be easily subverted by attackers.” The study also found that “attackers generally only needed to target the most vulnerable authentication challenges because the rest could be bypassed,” and it illustrated the simple process by which SIM swapping occurs.
As more people communicate and conduct business on their personal mobile devices, the result of SIM swapping can be devastating not only for mobile customers and carriers but also for financial institutions. Recently, Javelin reported that “40 percent of all fraudulent activity associated with an account takeover occurs within a day” and suggested mobile phone jacking and SIM-swap fraud might be partly responsible for the massive increase. Its analysis indicated SIM-swap fraud increased from 380,000 attempts to more than 679,000 in 2020 alone.
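A bank-side check of the kind the Javelin figure argues for, added here as an example (not code from the article, the CFCA, the GSMA or any carrier): it assumes the carrier exposes a SIM-change feed and refuses SMS one-time codes for 24 hours after a change, using constructed sample events and hypothetical subscriber numbers.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical subscriber numbers, not from any carrier):
# a carrier-provided SIM-change feed and a bank's SMS-OTP requests for those numbers.
SIM_CHANGE_EVENTS = [
    {"msisdn": "+15550100001", "changed_at": "2020-03-01T09:15:00"},
    {"msisdn": "+15550100002", "changed_at": "2020-02-20T18:40:00"},
]
OTP_REQUESTS = [
    {"msisdn": "+15550100001", "requested_at": "2020-03-01T11:02:00", "action": "password_reset"},
    {"msisdn": "+15550100002", "requested_at": "2020-03-01T11:05:00", "action": "wire_transfer"},
    {"msisdn": "+15550100003", "requested_at": "2020-03-01T11:09:00", "action": "login"},
]

# Hold window: account takeovers cluster within a day of the swap, so SMS is not
# accepted as a factor for 24 hours after any SIM change (assumed policy value).
SIM_CHANGE_HOLD = timedelta(hours=24)


def last_sim_change(msisdn, events):
    """Most recent SIM-change time for a number, or None if the carrier has no record."""
    times = [datetime.fromisoformat(e["changed_at"]) for e in events if e["msisdn"] == msisdn]
    return max(times) if times else None


def assess_otp_request(request, events, hold=SIM_CHANGE_HOLD):
    """Decide whether an SMS one-time code may be sent for this request.

    A number whose SIM changed inside the hold window, or that carries a
    future-dated change (clock skew), is forced onto a non-SMS factor.
    """
    when = datetime.fromisoformat(request["requested_at"])
    changed = last_sim_change(request["msisdn"], events)
    if changed is not None and when - changed <= hold:
        return {"msisdn": request["msisdn"], "action": request["action"],
                "decision": "deny_sms_otp",
                "reason": f"SIM changed {when - changed} before request",
                "fallback": "authenticator_app_or_in_branch_id_check"}
    return {"msisdn": request["msisdn"], "action": request["action"],
            "decision": "allow_sms_otp", "reason": "no SIM change inside hold window"}


def flagged_requests(requests=OTP_REQUESTS, events=SIM_CHANGE_EVENTS):
    """Requests that must not fall back to SMS, for the fraud team's review queue."""
    return [r for r in (assess_otp_request(q, events) for q in requests)
            if r["decision"] == "deny_sms_otp"]


if __name__ == "__main__":
    for q in OTP_REQUESTS:
        print(assess_otp_request(q, SIM_CHANGE_EVENTS))
```

A number with no carrier record is allowed through here; a stricter deployment would treat missing carrier data as its own risk signal.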
How Operators Can Learn from Emerging Markets
When we closely examine GSMA’s mandates (capture and store, capture and share, and capture and validate), we can easily identify one common thread running through all three: each moves biometric authentication up within its cybersecurity hierarchy to where it is most vulnerable—at the human level.
In terms of SIM swapping, this strategy has two key benefits: (1) this technology is already available through a SaaS offering, and (2) it is the best defense against SIM swapping and thus protects both customers and the company’s reputation.
Emerging markets have used this predictability, along with other key learnings, to construct a policy framework designed to build consumer trust and develop a better relationship with identity-linked digital services.
The World Advertising Research Center estimates that by 2025, 72.6 percent of all internet users (3.7 billion people) will access the Web via a smartphone, and mobile banking is projected to top $2 billion, according to Business Wire. This makes it hard to view AT&T’s response to its failure to win a dismissal of the $23.8 million lawsuit against it—“It’s an industry issue, please contact the CTIA for more information”—as anything other than shortsighted and a demonstration of a lack of leadership. Yet the CTIA, the wireless association representing major telecommunications carriers, has been pushing back to thwart any regulatory changes that could better protect consumers.
But how long can carriers push back? With many fintech companies now joining consumer advocacy groups, online retail giants, and lawmakers, carriers may soon find themselves outnumbered.
Telecommunications operators have a vital role to play in lifting identification barriers because they can allow for the frictionless use of biometrics in strong authentication processes. They have an important function as both mature and developing markets build a web of businesses and services across mobile networks. Telecoms have a huge opportunity to participate in a solution that works for them.
Alternatively, they can do nothing and allow local and federal agencies to do their customers’ bidding.