Happening Now: Earthwise Summit 2024
How banks and telcos can stop sim swap fraud, avoid financial losses
Security officials display 500 already swapped Sim cards. Sim swap fraud generally targets a weakness in two-factor authentication (2FA) and two-step verification.
On August 30, 2019, Twitter co-founder and ex-CEO Jack Dorsey became the most notable victim of one of the fastest-growing cyber threats today. His Twitter official account was hacked, shockingly spewing a string of offensive content for 30 minutes before the tweets and retweets were deleted.
Twitter said the phone number associated with the account was compromised when hackers contacted the service provider and did a sim card change on behalf of Dorsey. They employed an increasingly common and hard-to-stop technique that can give them unfettered access to a wide array of the most sensitive digital accounts, including email, social media and financial accounts.
In sim swap fraud, scammers gain access to a mobile phone account and proceed to activate a sim card on an existing phone number. It generally targets a weakness in two-factor authentication (2FA) and two-step verification. The second factor is a text message (SMS). The scam exploits the ability of sim cards to be ported seamlessly by mobile phone service providers between devices. Carriers ordinarily use this feature when clients purchase new phones, lose their gadgets, switch service or experience theft.
80pc sim swap attempt successful
Sim swap is one of the most successful types of cyberattack. A 2020 Princeton University study report shows an alarming 80 per cent of sim swap attempts are successful and they are on the rise.
“An empirical study of wireless carrier authentication for sim swaps” found that, despite advances in technology, sim swap fraud thrives as fraudsters adapt novel techniques. The researchers said the attacks allow criminals to intercept calls and messages, impersonate victims and perform denial-of-service (DoS) attacks and have been widely used to hack into social media accounts and break into bank accounts.
Wave of cyberattacks
The overriding goal of this criminal activity is financial gain, often in the form of stealing bank and credit card information.
Partnering with telecommunication companies, most banks have integrated mobile banking services into their systems in a bid to not only cut costs but also afford customers ease and convenience in transacting. But mobile money transfers are suffering a wave of cyberattacks, mostly through sim swap fraud.
Kenya is a fertile ground for scammers. On May 30, the Daily Nation reported how a medical lab scientist lost Sh2.6 million when hackers made bank withdraws through a sim swap. On May 24, it ran a story of a senior Nairobi police officer who lost Sh600,000 within six hours to sim swap fraudsters.
The fraud is global. The FBI says Americans lost more than $68 million (Sh7 billion) to sim swap attacks last year—which has risen exponentially since 2018, when it began tracking this threat. In the UK, the highest number of sim swap cases were recorded in 2018, with a cumulative loss of $3.65 million (Sh426 million) from 3,111 reported cases.
In Mozambique, sim swap fraud was so rampant in 2019 that the media questioned the integrity of banks and mobile telephony operators. Mobile firms provided the banks with a private application programming interface (API) that flagged sim swaps involving a specific number associated with a bank account over a predefined period. Most banks block transactions from a number that has had a sim card change pending further Know Your Customer (KYC) procedure.
Behavioural heuristics
Another technological solution is through behavioural heuristics generated by using machine learning to produce baseline patterns peculiar to a user—like usual times and places of operating, device particulars and amounts transacted. Any anomaly or serious deviation from the pattern is flagged as suspicious and subjected to enhanced checks, reducing the possibility of financial loss.
Financial institutions can also switch to a two-factor authentication method that does not rely on text messaging but uses some other token for identity proofing instead. An identity authenticator that uses sim binding—which verifies both the user and the device being used—can be quite helpful.
Mr Maosa is a banking and finance expert. [email protected] @ndegemaosa
