With T-Mobile recently falling victim to a major SIM swap fraud attack and millions of other consumers still being affected by similar hacks, there is now an urgent need for more robust authentication and verification methods that guard against the ongoing threat posed by SIM swapping.
The coronavirus pandemic has seen a large number of cybercriminals and hackers alter their focus, exploiting the uncertainty experienced by billions across the globe. The last few months have seen much of the focus drawn to consumers, who have spent much more time online and on their mobile devices than before. As a result, this period has provided the perfect climate for hackers to target telecoms organisations.
The dangers of SIM swapping
SIM swap fraud involves hackers succeeding in taking control of a user’s mobile number by tricking a mobile network into transferring the number to a SIM in their possession. If executed successfully, the hacker is able to use the SIM to gain access to sensitive data, including online banking information, account details and digital currency wallets. Since 2015, this type fraud has increased by a staggering 400%.
In addition, this increase in cybercriminal activity puts consumers in a position of heightened vulnerability, who are arguably even more at risk of being scammed as lockdown weariness sets in. Whether it’s through SIM swap or other methods such as phishing emails, malware-laden mobile apps, SIM swap fraud or convincing social engineering ploys that con people into giving up credit card or login details, cybercriminals are poised to act as soon as the opportunity arises.
To combat these issues, more needs to be done to evolve our approaches to identity verification.
Out with the old…
SMS one-time passcodes (OTP) have generally been an effective way of achieving a secure and convenient customer experience, as they provide a good level of security while reducing reliance on outdated methods such as static passwords. However, as fraud methods have become more complex over the years, there are now ways to bypass OTP. SIM swapping is one key way this can be done. The need to wait to receive a code and then go through the process of entering it also adds an element of friction, which is something that should be reduced where possible.
In with the new
With online interactions set to dominate and the mobile phone now ubiquitous in our daily lives, organisations need to leverage this unique relationship each consumer has with their mobile, and use this data to draw intelligence that can be used to accurately verify whether an attempt to access an account is genuine.
Organisations are able to verify a customer by analysing insights from the behaviour associated with a user’s phone number. When a person uses a phone regularly and over a long period of time, clear patterns that are unique to that person emerge. If a company then spots unusual behaviour, this can be immediately flagged as potentially fraudulent. All of this can be done behind the scenes, at no cost to customer convenience.
Techniques like this can also be employed in areas such as auto form pre-fill, which automatically fills online application forms with verified information from authoritative sources. This helps further build customer trust, by guarding against fraud while avoiding making the customer experience too cumbersome.
Banishing the spectre of SIM swap
Building trust between business and customers is vital, and maintaining a positive, secure customer experience is key to making this happen. However, SIM swap remains a major issue, as the recent problems with T-Mobile have shown. As we move into an increasingly digital future, it is time that more traditional verification methods were supplemented with new approaches. Gaining a more comprehensive understanding of customer behaviour and using this to inform a security strategy is one way to go.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.