Recently, we took our curiosity to Twitter, where we found a link to a publication by an expert in the banking industry. According to him, a retired couple in the US had lost a huge $70,000 to fraudsters through a SIM swap scam.
The incident intrigued us: we are mobile users and bank account holders ourselves, and we often access our funds through USSD or mobile banking.
Much has been going on behind closed doors…
Nearly 10 years ago, banking was not what it is today. It was a little more secure. Wasn't it all about trust, advanced security and long-lasting relationships with customers? Yet the old banking has been destabilized by SIM swapping, a criminal activity that requires only a bit of tech savvy to pull off.
If banking is all about advanced security and trust:
- How does a bank differentiate itself from its internal or external rivals, especially now that banks are vying for market share?
- Are cutting-edge functionality and digital, user-friendly solutions sufficient to deliver a satisfying consumer experience?
- Should your clients have to learn this the hard way, since you cannot guarantee 100% fraud protection in multi-player ecosystems?
What is SIM Swapping?
Subscriber Identity Module (SIM) swapping is a type of fraud in which criminals take over a victim's phone number by having it transferred to a SIM card they control. Often, the SIM swap occurs in an SMS-OTP messaging ecosystem.
There are 4 participants in the messaging ecosystem:
- The Bank
- The Mobile Network provider
- The Messaging aggregator
- The end-user (consumer/client).
How Does the SIM Swap Scheme Work?
With that said, SIM swapping happens when a scammer contacts your customer(s) and tricks them into activating a SIM card that the fraudsters hold. Once this occurs, the scammer controls their phone number: anyone calling or texting that number reaches the scammer's device, not your customer's phone.
The fraudsters use this technique to get around restrictions that a mobile operator puts in place.
For example, the operator might limit the amount of time your customer can use a SIM card. This brings us to phishing, the most common threat in cybersecurity.
Criminal actors typically use phishing, insider threats or social engineering to carry out SIM swap schemes. They pretend to be the victim and deceive your customer into moving their phone number to a SIM card in the criminal's possession.
Surprisingly, the criminals mostly pay off an employee of the mobile carrier to move the victim's mobile number to a SIM card in their possession. Using phishing methods, they also frequently trick employees into downloading malware that is used to infiltrate the carrier systems which perform SIM swaps.
There’s more to that…
After the SIM is switched, the criminal receives the victim's calls, messages and other data on the criminal's own cellphone (Federal Bureau of Investigation). This lets the attacker reach the victim's email and other online accounts linked to that phone number through "Forgot password" or "Account recovery" requests. Any mobile developer knows this.
Mobile app developers use SMS-based two-factor authentication to send a link or one-time passcode to the phone number, which the attacker now controls. This enables the attacker to access the victim's bank account(s). Moreover, the perpetrator takes control of internet accounts linked to your customers' phone profile by using the codes to log in and change passwords.
What are the risks of SIM swapping?
SIM swapping can be very costly. Take the Kenya National Police Service, for instance. Detectives from the Central Police Station have arrested many suspects in connection with SIM swapping cases targeting unsuspecting members of the public. Lately, the public has been experiencing increased theft of money through fraudulent banking activities.
In 2021, the Directorate of Criminal Investigations (DCI) reported that SIM swapping was the most common type of cybercrime in Kenya. The detectives established that many Kenyans have been defrauded by the multi-faceted gang, and the DCI has appealed to anyone who has fallen victim to the SIM swap syndicate to report the incident to DCI headquarters.
How to Save Your Customers from Falling Victim to SIM Swapping
Get a mobile banking app from a reliable and well-known vendor.
Here’s a list of features you should be looking for in a secure mobile banking solution:
- SIM swap detection capability
This enables you to check whether your customers' devices are in unusual locations or whether their SIM cards have been inserted into different devices. An efficient mobile banking solution provides this contextual information at any time, without your customers having to actively use the authentication service. In particular, your mobile banking solution should enable the mobile operators to expose the following information:
- SIM swap, device change, call divert status, account status, etc.
- Lost or stolen devices.
- Location (network location in case GPS has been spoofed).
- Other indicators relevant in specific scenarios, which can be exposed through the same interface.
This enables your team to assess the risk of:
- Abnormal behavioral pattern of the user.
- Changes in pairing relationships between device and SIM.
- Abnormal location of the user.
- SMS OTP
This is another important feature you should seek in a mobile banking solution. SMS One-Time Password (OTP) is a ubiquitous and reliable technology. In today's lending business climate, you must, as a lender, consider mobile banking solutions with two-factor authentication (2FA) for enhanced security.
2FA, also known as dual-factor authentication, is a security system in which a user trying to access a system or application is verified in two distinct ways instead of with just a password.
The solution you're seeking should therefore offer adaptive authentication that allows adaptive policies to be configured for suspicious access requests. It is worth noting that such a solution is not susceptible to man-in-the-middle attacks. The system's authenticators use encrypted Class 2 SMS.
Consequently, this makes it a dual-encrypted system: no PIN, code or OTP is exchanged over the air. Only a strongly encrypted signature is exchanged to communicate the strong authentication.
- Lost Phone Blacklisting
Your customers can lose their mobile phones, leaving the devices susceptible to compromise. As a result, you should ensure the system is locked to avoid unauthorized access. This is especially important given that your mobile banking solution obliges the service provider to secure, deactivate and revoke the personalized security credentials (PSCs) on the lost phone.
In the case of a lost or stolen phone, the options for two-way communication are as follows:
- When the phone has no two-way communication channel (for example, it is switched off), the solution cannot disable the phone remotely. However, associated software apps may gain access through alternative channels such as WiFi to enable a remote connection.
- The mobile operator can remotely disable the SIM and the device if the phone is switched on and connected to a mobile network.
The association of mobile phone, SIM and phone number is stored very securely in the mobile network, and this information is unavailable to other agents in the ecosystem.
Whenever a mobile device connects to a network, the network knows the current pairing of phone, SIM and mobile number. If the device is used with a different SIM, the network knows immediately that this is a new association, which calls for appropriate action if interpreted as fraud: you can easily mark the phone as stolen and block any associated authentication services.
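One way a bank-side risk engine could combine the operator signals listed under "SIM swap detection capability" (SIM swap, device change, call divert, network location) with the phone/SIM pairing the network records, as an added example that is not Tera Mobile's or any operator's code; the field names, the 72-hour swap window and the sample IMSI/IMEI values are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed view of the contextual signals a mobile operator's SIM-swap
# API might expose. Field names are assumptions, not any real operator's schema.
@dataclass
class OperatorSignals:
    imsi: str                                # identifies the SIM now serving the number
    imei: str                                # identifies the handset the SIM sits in
    hours_since_sim_change: Optional[float]  # None if the operator has no swap on record
    call_divert_active: bool
    network_country: str                     # network-derived, so not fooled by GPS spoofing

# The phone/SIM pairing the bank recorded when the customer enrolled.
@dataclass
class EnrolledPairing:
    imsi: str
    imei: str
    home_country: str

# Signals that mean an SMS OTP would be delivered to whoever now holds the number.
SIM_SIGNALS = {"recent SIM swap", "SIM changed", "call divert active"}

def assess_risk(signals: OperatorSignals, enrolled: EnrolledPairing,
                swap_window_hours: float = 72) -> Tuple[str, List[str]]:
    """Decide how to handle a pending SMS-OTP or high-value transaction."""
    reasons = []
    if (signals.hours_since_sim_change is not None
            and signals.hours_since_sim_change < swap_window_hours):
        reasons.append("recent SIM swap")
    if signals.imsi != enrolled.imsi:
        reasons.append("SIM changed")
    if signals.call_divert_active:
        reasons.append("call divert active")
    if signals.imei != enrolled.imei:
        reasons.append("device changed")          # new phone/SIM pairing
    if signals.network_country != enrolled.home_country:
        reasons.append("unusual network location")
    if SIM_SIGNALS & set(reasons):
        return "block_sms_otp", reasons   # hold the transaction, verify out of band
    if reasons:
        return "step_up", reasons         # require a second, non-SMS factor
    return "allow", reasons

if __name__ == "__main__":
    enrolled = EnrolledPairing("639020123456789", "356938035643809", "KE")
    # Constructed case: the number was moved to a new SIM in a new handset five hours ago.
    swapped = OperatorSignals("639020999999999", "490154203237518", 5, False, "KE")
    print(assess_risk(swapped, enrolled))
```

The same pairing check is what lets the network flag a device that reappears with a different SIM; here the bank applies it to its own enrollment record before trusting an SMS channel.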
It’s Time for a Real Transformation
NLS Tech Solutions knows that SIM swap fraud is a real concern and very difficult to detect. That's why we have designed a flexible, secure mobile banking solution, Tera Mobile. The solution is based on a scalable system and is accessible via USSD or mobile apps, for example on Android.
It is fully integrated with the Telcos' SIM SWAP API and is able to detect and prevent related fraud. Its customer-centric design also ensures it has all the features needed to fulfill your technical and business requirements.