In response to today’s Krebs on Security story Busting SIM Swappers and SIM Swap Myths detailing this intricate type of mobile fraud and how one victim lost $100,000 when his mobile number was hijacked, mobile security experts with OneSpan offer information on how institutions can protect their customers from this threat.
Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:
“Sim swap fraud is extremely dangerous. Users should be wary by now about using SMS as their primary form of two-factor authentication. There are many well publicized problems with SMS as a two-factor solution. From a financial institution standpoint, many have already started to make the switch to Mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers. Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.
“Many financial institutions are balancing the security of a solution versus the acceptance of the solution across their user base. Ease of use versus security is a classic two-factor hurdle. In today’s security landscape, banks should be looking at implementing security solutions that offer the correct level of security at the precise time. Banks can use data from many different sources throughout their interaction with their customers to allow for a better view of what the bank’s perceived risk level is. Once they have identified the risk level, they can make accurate decisions as to how to mitigate that risk. For example, does it require a PUSH notification, can a transaction simply just be processed without additional user interaction, maybe it requires an easy to use biometric like fingerprint, or maybe a more secure biometric like face or voice. All of these technologies should be on the table for a bank to use at any point within the journey of their digital users.”
David Vergara with OneSpan offers advice on preventing SIM swapping fraud, in response to recent events noted in today’s Krebs on Security story Busting SIM Swappers and SIM Swap Myths.
David P. Vergara, Head of Security Product Marketing at OneSpan:
“Sim swap fraud is a complex but high-impact exploit – one that puts users on alert about just how ineffective and dangerous SMS is as a primary channel for two-factor authentication. Many financial institutions have begun migrating to or have already moved to Mobile PUSH notifications, which are far more secure than SMS. Mobile PUSH notifications are able to be protected by application shielding technology, for further security.
“Many banks are implementing security solutions that enable them to present a precise level of security validation when needed, scoring a broad array of customer interaction data to inform them of the risk for each transaction. They determine whether a transaction can be completed without further user validation, whether the situation warrants a PUSH notification. In some cases, an easy-to-use biometric such as a fingerprint, or perhaps even a more secure biometric such as face or voice validation can be applied. Such multi-layered strategies only further reinforce that SMS as an authentication channel is not just obsolete, it’s unnecessarily risky.
“If their institution offers it, consumers should enable PUSH two-factor authentication as soon as possible and transition away from SMS-based authentication. SMS is fine for account notices, but it shouldn’t be used for privileged access and transaction permissions.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.