It’s time banks face up to the SIM swap fraudsters
We have heard about customers of Halifax, Nationwide, NatWest and most recently TSB falling victim to Internet banking fraud caused by SIM swaps – some account holders even watching the money in their account disappear before their eyes. SIM swap fraud is not new and there are ways to protect against it. So what is this fraud, why are banks vulnerable, and how can they prevent their customers from being at risk of SIM swap fraud through the use of alternative technologies, such as facial verification, that are now available?
The Internet has transformed the way we do banking. But the convenience of being able to transact instantly wherever we are has also brought additional challenges, especially when it comes to making payments to third parties. Because electronic payments happen in real time, money gets transferred as soon as the instruction reaches the bank. Hacking a bank user’s password became a lucrative activity that could be conducted from the comfort of the fraudster’s den. To counter this threat, banks had to implement additional methods of verifying that the real account owner did initiate the transaction. To do this, banks introduced a second factor of authentication when making a payment or setting up a new beneficiary – often abbreviated 2FA, short for 2-factor authentication. 2FA comprises two separate factors – typically something you know (e.g. your Internet banking logon and password) and something you have (e.g. some kind of physical token).
2-factor authentication (2FA)
It is hard to believe that in the early days of Internet banking, to carry out 2FA, people were sent a list of code numbers through the post; these were entered on the screen when making a payment transaction. Over time these were replaced with digital tokens. Some required you to read and enter the number shown on a synchronised counter; others required a card to be inserted into a calculator-style reader and implemented a challenge/response process. The banks were always under pressure to balance security and convenience – unless a device was small enough to be attached to a key ring, people would not carry it with them and would not have it at hand when they needed to make a payment.
In the past decade, with the widespread proliferation of the mobile phone, mobile devices, or more precisely SIM cards, have come to be used as the second factor – the something you have. They are both cost effective (token devices do not have to be sourced and sent through the post) and convenient (separate devices do not have to be carried around by the customer). When people make a payment on the Internet, a code gets sent by SMS to their mobile, which has to be entered into the Internet session. With this additional safeguard a fraudster would not only need to know the victim’s Internet banking credentials but also to have physical possession of the victim’s phone in order to authorise the payment. The need for physical possession of the mobile handset prevented this from being a scalable attack – the fraudster would have to leave his den, be in the proximity of the victim and risk being caught stealing.
Risks of using SMS as 2FA
This served to secure Internet banking until fraudsters started perpetrating the SIM swap. Instead of stealing the phone from the victim, the fraudster, armed with the victim’s name and mobile phone number, would simply call the mobile operator purporting to be the victim, claiming that their phone had been stolen and requesting a new SIM. The fraudster may even request that the number be ported to another similar SIM already in their possession, removing the need to post a replacement SIM to the victim’s home address. As soon as this new SIM is live, the fraudster will receive the 2-factor bank authorisation codes.
SIM swap fraud
A chain is only as strong as its weakest link. The use of the mobile phone for the second factor means that banks are dependent on the secure processes of the mobile operator when someone changes their SIM. To a mobile operator it may not seem significant when they respond to a customer’s request for a SIM swap to replace a lost or stolen SIM card, but in so doing they may inadvertently be letting a bank fraudster in by the back door. Moreover, this is a scalable attack and can be triggered by the fraudster wherever they are, without the risk of getting caught stealing the phone from the victim.
Because of the potential impact on a bank’s customer of using the mobile phone as the second factor of authentication, a SIM swap should be treated with the same degree of caution as changing the correspondence address for banking. A SIM swap should itself be protected by another factor of authentication when it is carried out. What processes could a mobile operator use to verify the authenticity of the account owner during a SIM swap? When a customer requests a replacement SIM, a mobile operator should require the customer to re-present their identity credentials at a store to be checked by staff before the new SIM is issued. If the customer cannot get to a store, they should be required to verify themselves with an online verification service like Selified.
Protecting against SIM swap fraud with facial verification
Selified’s 2FA identity verification service has been used by forward thinking Fintech companies to mitigate this risk and to give a seamless customer experience. There is more information about Selified 2FA here.
A bank looking to prevent its customers from being at risk of SIM swap fraud should use the facial image as the second factor in 2FA when making a payment to a new beneficiary. If the bank captures the facial image during account opening, then the facial likeness comparison can be made against that image. If not, then the facial comparison can be made in real time against the customer’s picture ID.
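To make the two points above concrete – that an SMS code is delivered to whichever SIM the operator currently associates with the customer’s number, and that a facial comparison against the image captured at account opening does not depend on the operator at all – here is a small added model in Python. It is illustrative code written for this article, not code from the original post or from Selified’s service. The mobile operator, bank, customer name, phone number, face templates (plain vectors compared by cosine similarity) and the 0.8 match threshold are all constructed assumptions.

```python
"""
Added example (not code from the original post or from Selified): a toy model of
two second factors for a bank payment.

- "Something you have": a one-time code sent by SMS. It lands on whichever SIM
  the mobile operator currently maps to the customer's number, so a SIM swap at
  the operator silently moves the factor to a different handset.
- "Something you are": a facial likeness comparison against the template
  captured at account opening, which the operator cannot affect.

All names, numbers, templates and the 0.8 threshold are constructed.
"""
import hmac
import math
import secrets
from dataclasses import dataclass, field


@dataclass
class MobileOperator:
    """Constructed stand-in for a network: which SIM currently holds each number."""
    sim_for_number: dict = field(default_factory=dict)  # number -> SIM id

    def swap_sim(self, number, new_sim, identity_verified):
        # The post's recommendation: a SIM swap must itself be protected by a
        # factor of authentication (ID checked in store or online verification).
        if not identity_verified:
            raise PermissionError("SIM swap refused: identity not re-verified")
        self.sim_for_number[number] = new_sim

    def deliver_sms(self, number, text):
        # An SMS lands on whichever SIM currently holds the number.
        return self.sim_for_number[number], text


def face_similarity(a, b):
    """Cosine similarity between two constructed face templates (float vectors)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


@dataclass
class Bank:
    operator: MobileOperator
    phone: dict           # customer -> mobile number
    enrolled_face: dict   # customer -> template captured at account opening
    pending_codes: dict = field(default_factory=dict)

    # --- something you have: SMS one-time code ---
    def send_sms_code(self, customer):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[customer] = code
        # Returns (SIM that received it, code) so the demo can see where it went.
        return self.operator.deliver_sms(self.phone[customer], code)

    def verify_sms_code(self, customer, presented):
        expected = self.pending_codes.pop(customer, None)   # single use
        return expected is not None and hmac.compare_digest(expected, presented)

    # --- something you are: facial likeness ---
    def verify_face(self, customer, live_template, threshold=0.8):
        return face_similarity(self.enrolled_face[customer], live_template) >= threshold

    def authorise_new_beneficiary(self, customer, live_template):
        # Policy from the post: a payment to a new beneficiary uses the facial
        # image as the second factor rather than an SMS code.
        return self.verify_face(customer, live_template)


def demo():
    """Walk through the scenario in the post; returns what each factor saw."""
    number = "+44 7700 900001"                              # constructed number
    op = MobileOperator({number: "sim-customer"})
    bank = Bank(op, {"alice": number}, {"alice": (1.0, 0.0, 0.5)})
    results = {}

    # 1. Normal operation: the SMS code reaches the customer's own SIM.
    sim, _ = bank.send_sms_code("alice")
    results["sms_before_swap"] = sim

    # 2. The operator processes a swap it believes is legitimate. The number
    #    now routes to a different SIM, and so does the next code; the bank
    #    has no way of knowing anything changed.
    op.swap_sim(number, "sim-replacement", identity_verified=True)
    sim, _ = bank.send_sms_code("alice")
    results["sms_after_swap"] = sim

    # 3. The facial factor is unaffected by what happened at the operator.
    results["face_genuine"] = bank.authorise_new_beneficiary("alice", (1.0, 0.0, 0.5))
    results["face_other"] = bank.authorise_new_beneficiary("alice", (0.0, 1.0, 0.0))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the SMS code reaching `sim-customer` before the swap and `sim-replacement` afterwards, while the facial check still passes only for the enrolled likeness. The `identity_verified` guard in `swap_sim` is the operator-side control the post asks for; removing it is exactly the weak link described in the text.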
In summary, SIM swap is a significant risk to banks because the mobile phone has become the de facto second factor of authentication for many banks. For a fraudster, getting a mobile operator to swap SIMs means that they will now receive the all-important authentication codes for the victim’s online banking. The bank will not know the SIM swap has taken place and will continue to send authorisation codes when requested. The customer will not know anything has happened either; they will only realise the SIM has been changed when their handset goes dead. Even if the victim had the presence of mind to call the bank before their mobile operator, it will be too late – the money will have been taken as soon as the swapped SIM was activated. There is no longer any excuse for banks to be susceptible to SIM swap fraud. Selified provides the best second factor of authentication, something you are, and does not expose banks to the risk of SIM swap fraud.