SIM-swap fraud is alive and well

Johannesburg, 14 Dec 2021

Fraud involving SIM-swap has been around for many years and is not going away. In fact, these incidents have increased 91% year-on-year when looking at digital banking fraud across all platforms.

This was revealed by the latest figures from the South African Banking Risk Information Centre (SABRIC), and begs the question: Why, with all the advancements in technology, are we still dealing with this fairly unsophisticated yet rampant scourge?

According to Lincoln Naicker, product owner at Entersekt, some international reports show close to 100% year-on-year growth in SIM-swap fraud, and SA is no different.

“The most important thing to recognise is that SIM swaps have a very important part to play in the mobile network industry. Mobile network operators (MNOs) sit at the centre of an extended ecosystem and impacts many other sectors, not least of all the financial one. And, although there has been a seismic shift in the technology in mobile apps and other digital channels, the SIM has remained fairly unchanged.”

He says SIM-swap fraud remains a process that requires manual intervention and uses social engineering at its core. Another issue is that, currently, customers are being asked to challenge a SIM swap after the fact, rather than the MNOs proactively reaching out to the client to verify that the SIM-swap request was a legitimate one before proceeding.

Better regulation

According to Naicker, the US regulator is at the vanguard of changing this practice and is proposing new requirements for phone carriers to authenticate an individual’s identity before transferring their number to a new device.

This is necessary because the pandemic accelerated digital and mobile banking, and with over 90% smartphone penetration, everyone is reliant on mobile networks, he adds.

And while better local regulation is needed to effect change, the current method is low-friction and offers MNOs a better customer experience. “MNOs want to keep the customer experience as smooth as possible. If you put too many roadblocks in the path of the cellphone owner, they may simply migrate to another provider and so the incentive to add additional security layers is not immediately obvious.”

He issues a caveat: “However, when it comes to reputation, SIM-swap fraud will eventually impact your bottom line.”

For Naicker, a collective intervention may be the answer, as minimising SIM-swap fraud requires a multi-layered solution. The first issue that needs addressing is how MNOs onboard customers.

Co-operation is key

“We need greater co-operation between the MNOs when it comes to onboarding. The verification process should be augmented using other technologies such as voice biometrics. If all players could agree on better security at this early stage, we would already have made progress,” he says.

The next issue is organisations’ ongoing reliance on SMS OTPs that are not secure and criminals are aware of this.

“We have seen dramatic results at companies where we have helped them remove SMS OTPs as part of their authentication offering. We should remember that the industry rolled out SMS OTPs when we realised that username and passwords were not sufficient. But now we know that SMS OTP should not be used for anything tied to personal or financial information. It’s simply not strong enough.”

However, this cannot happen overnight, and in the shorter term, organisations can augment the authentication process with SIM-swap detection technologies or use mobile apps that rely on device integrity.

Moreover, beyond industry co-operation, regulators need to look at introducing guidelines and standards that will address SIM-swap fraud at the entry point, he adds.