Stemming The SIM-Swapping Tide In Fraud Friendlier Times

While being the victim of fraud is never good, there is something to be said for at least being able to identify where exactly one went wrong.

Clicked the wrong link in an email, trusted the wrong authoritative voice on the other end of the phone, downloaded the wrong app hiding a malicious little piece of malware. It doesn’t make the resulting data theft any more pleasant, but at least one can hope to learn something and resolve to do better in the future.

SIM swapping fraud, Boku CEO Jon Prideaux noted, managed to take that bad experience and make it worse in that there is no mistake a customer makes to become a victim of SIM swapping fraud — from their perspective, their phone simply stopped working one minute, and an hour later their bank account was empty.

“The scary thing about the SIM swap fraud is it’s not like the victim has done one thing wrong,” Prideaux said. “They never clicked on a bad link, never sent anything to a fake site — they were just sitting with a phone that stopped working one minute after working the last. The problem was someone at the telco who was fooled by the fraudster into reissuing the SIM, which was then used to take over their number and their entire life.”

Those fraudsters, he said, aren’t going away — in fact, in the era of the coronavirus, they are likely to increase alongside all the other fraudsters. With little else to do and the skill and technology to do it with, Prideaux said, fraudsters won’t let their idle time go to waste. With the wide array of consumer data already available for purchase on the dark web in particular, they’ve got the means to commit the crime and the time on their hands to do it.

The good news, Prideaux said, is the technology exists to cut off this fraud at its roots — if firms can think about looking differently, and a lot more closely, at the phone’s data beyond the phone number.

Breaking Into The Two-Factor Authentication Scheme

Prideaux noted that unlike many other types of fraud that fraudsters perpetrate fairly indiscriminately, SIM fraud generally isn’t distributed that way. It mostly focuses on high net worth individuals whose bank accounts will represent a pretty big haul if emptied. SIM swapping fraud is labor-intensive — it requires data gathering of a fair amount of information at a level suitable to con a customer service representative into assigning a new SIM to their phone number.

“What the criminals will do is select somebody who they think is likely to be a high net worth individual, which is part of the reason why you occasionally do see the celebrities targeted by these frauds,” Prideaux said. “Obviously they’re not targeting them because they’re celebrities. They’re targeting them because they’re high net worth.”

The other slight advantage the good guys have over the fraudsters here is the clock. The reason two-factor authentication uses SMS messaging to send temporary passwords is that phones are something consumers almost always have on them and interact with often. Once a consumer’s SIM has been pirated, Prideaux noted, the fraudster has a fairly short window as to when they can use the phone number to access a consumer account before that consumer notices and works to resolve the issue with their phone.

The problem isn’t the phone per se, it’s the temporary passwords flowing over SMS text messages as the final factor.

Taking A Deeper Look

That a customer was simply able to receive a one-time pin and use it doesn’t prevent fraud in a world where SIMs get hijacked or numbers get ported to new phones by fraudsters. The solution to that, which Prideaux said Boku employs, is to take a closer look at that phone interaction to determine exactly how long that SIM has been associated with that phone number. If it is a couple of years, there is likely nothing to look at there.

If, however, the phone number moved to a new SIM an hour ago and is now being used to initiate a high-value bank transaction, he noted, that is probably worth flagging — but it is not necessarily worth stopping in its tracks.

“There are a lot of perfectly legitimate reasons why a SIM swap might have happened,” Prideaux said. “People really do lose their phones or port their number to new providers all the time. It is not necessarily a reason to deny a transaction.”

It is reasonable, however, to perhaps pause and introduce a little more friction to the situation. That might mean following up on a secondary contact channel to make sure it is legitimate or putting a temporary hold to investigate further. What it attempts to do at its basic level is take out the SIM fraud at the root by making it harder for fraudsters to fly under the radar by hijacking a phone and then exploiting a brief but potent time window to do a lot of damage to unwitting and innocent consumers.

With millions of consumers at home and online — and perhaps more likely to click links they otherwise might be too cautious to notice, and call center employees at home and separated from a lot of the infrastructure and support tools they’ve had — fraudsters are looking at an environment that is more target-rich than it has ever been.

“There are now a lot of people around the world sitting around with time on their hands with dangerous skills,” Prideaux said. “And then people are endlessly resourceful, so we have to be as well in fighting them back.”