Identity fraud has increased significantly in recent years, with scammers taking advantage of the growing amount of personal information available on digital platforms to obtain goods or services in the victim’s name.
A recent report titled State of Mobile Fraud in Africa from Evina, a French cybersecurity firm with a presence in more than 70 countries worldwide, including 15 in Africa, shows that professional cybercriminals targeting Africa’s one billion mobile phone users continue to be a significant problem.
The necessary data can be obtained in a variety of ways, ranging from breaches of customer databases to simply analyzing social media profiles. SIM swapping is a particularly sophisticated method that has emerged, in which criminals trick their way into gaining access to the victim’s SIM card, allowing them to receive calls and SMS messages, leading to disastrous consequences such as account takeovers. According to the District of Jersey United States Attorney’s Office, eight Nigerians were indicted in October 2021 on several charges related to conspiring to engage in Internet scams, the most common of which was aggravated identity theft.
To find out more about how this scam works, and what more telco providers, PSBs, banks and individuals can do to combat it, IT Pulse Nigeria spoke to Martin Effiong, Operator Partnership Manager for Infobip in Anglophone West Africa.
Tell us a little bit about what you do for Infobip?
Thank you for the opportunity to interact with you about such a crucial subject. I’m Martin Effiong, Senior Operator Partnership Manager in Anglophone West Africa for Infobip. I manage robust engagements with the region’s mobile telecom operators in pursuit of collaborations that allow both of our entities to grow. In simple terms, we rely on operators for connectivity when they are suppliers to us, and we cater to their business communication needs when they are our customers.
What is SIM swapping? Why does it pose such a security risk to consumers?
There are plenty of reasons why you would swap your SIM. Say you’ve lost your phone or bought a new one – but your old SIM card doesn’t fit. Or maybe your SIM card was damaged, or you found a better deal with a new operator. It’s a perfectly legitimate process, but one which sadly many fraudsters are looking to exploit.
So, the abuse of a SIM replacement process for the benefit of individuals or perpetrators who are not the rightful SIM owners, and which usually happens without the knowledge or participation of the rightful SIM owner, is actually the SIM swap fraud.
On why this is a serious security risk, to acquire access to a brand-new SIM card belonging to a legitimate owner, a SIM swap fraudster uses confidence techniques and internet stalking to mimic someone like me or you to an operator. They can intercept phone calls, SMS messages, social media accounts, and banking credentials using this method, giving them all the information they need to develop a victim profile. Fraudsters can then use this profile to take over accounts, transfer money to themselves, and steal not only your life savings, but also your identity, in less than 20 minutes.
To what extent has this threat grown and evolved over the recent years?
According to data from the South African Banking Risk and Information Center (SABRIC), SIM swap-related fraud increased by 100 percent in South Africa between 2018 and 2019. In Nigeria, we have some equally frightening statistics, with mobile channel fraud increasing by 330 percent between 2019 and 2020. This report, published by the Nigeria Inter-Bank Settlement Scheme (NIBSS), demonstrates that it is a global phenomenon, but it is also very damaging to developing world economies due to their heavy reliance on the internet and mobile GSM generated or GSM enabled Internet services. So, yes, it has grown exponentially as internet and smartphone usage in the region has increased.
In most instances, the first lines of defense are a username and password, but they should not be the only ones. Layering your security will help you protect your customers better and, if done correctly, will also improve their overall experience.
What steps should consumers be taking to protect themselves from SIM swapping?
The steps outlined here are the standard global best practices for using electronic devices that connect to the internet, starting with the most general steps and progressing to those tailored to mobile device users. When using the internet, it is recommended that you be cautious and security-aware of what can happen. When you are on your device, the privacy of your room does not translate to any form of privacy on the internet. As a result, you must exercise extreme caution in what you do, how you do it, and what information, particularly private information, you post on the internet, particularly on publicly accessible sites or social media applications.
It’s also a good idea to make sure the websites you’re visiting are secure. In terms of SIM swap fraud, make sure your SIM cards have a PIN lock. As a result, whenever your phone is turned off and turned back on, it will request a SIM PIN, or whenever your SIM is removed and re-inserted into your phone, or a new SIM is inserted, it will request a SIM PIN. In this manner, a stolen phone device whose SIM is being swapped will request a SIM PIN.
Lastly, in the event of the receipt of unsolicited texts or emails about your SIM being ported or a PAC request, or if you unexpectedly lose phone service, contact your telco service support immediately. The same is true for contacting banks if a fraudster attempts to make an online or phone transfer.
However, much of the onus should be placed on the verification services that operators have in place to protect their customers.
Can establishing a global security standard for telco providers reduce this threat?
From my perspective, telcos and enterprises are doing a lot but can still do more to sensitize their customers to the associated risk of mobile-enabled transactions from SIM swaps. They will also do well to implement technology to better protect their customers from these frauds.
Setting a global verification standard to confirm a person’s mobile identity is critical in preventing SIM swap scams, in my opinion. This standard must be set by telcos, which have all the information required to verify an identity securely and, more importantly, in real time. For example, if a customer called a company with a question, the company could silently authenticate the person in the background using telco information, eliminating the need for the customer to answer a series of onerous security questions. Simultaneously, if any irregularities are discovered during the frictionless check, the suspicious activity is flagged, and a SIM swapping attempt may be impeded.
This is how the Mobile Identity authentication solution from Infobip works. It can confirm the mobile account activation date by checking for changes to your IMSI (International Mobile Subscriber Identity) number – or, more simply, ‘telecom account data’. If there is no reason to be concerned, authentication will take place silently in the background, without interfering with the user’s experience. If the IMSI number has recently changed, this will be flagged as suspicious activity. The service provider will then contact the user and request additional verification.
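The IMSI check described in the answer above, sketched as an added example that is not part of the interview and is not Infobip's code or API. The `OperatorLookup` record, the 72-hour window, the decision names and all sample numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy value (not from the interview): an IMSI change newer than
# this counts as "recent".
RECENT_WINDOW = timedelta(hours=72)

@dataclass
class OperatorLookup:
    """Hypothetical shape of the operator's answer for one phone number."""
    current_imsi: Optional[str]          # None when the lookup failed
    imsi_changed_at: Optional[datetime]  # None when no change is on record

def check_number(enrolled_imsi: str, lookup: OperatorLookup, now: datetime):
    """Return (decision, reasons): 'silent' or 'step_up' plus the flags raised."""
    reasons = []
    if lookup.current_imsi is None:
        # Fail closed: without telecom data there is no silent authentication.
        reasons.append("no_operator_data")
    elif lookup.current_imsi != enrolled_imsi:
        reasons.append("imsi_differs_from_enrollment")
    changed = lookup.imsi_changed_at
    if changed is not None and now - changed < RECENT_WINDOW:
        # Also true for a timestamp in the future (clock skew), which is
        # treated as recent rather than trusted.
        reasons.append("imsi_changed_recently")
    return ("step_up" if reasons else "silent", reasons)

# Constructed sample data: enrolled IMSI per number, and operator lookups.
NOW = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
ENROLLED = {"+2340000000001": "621990000000001",
            "+2340000000002": "621990000000002",
            "+2340000000003": "621990000000003",
            "+2340000000004": "621990000000004"}
LOOKUPS = {
    "+2340000000001": OperatorLookup("621990000000001", None),
    "+2340000000002": OperatorLookup("621990000000777", NOW - timedelta(minutes=20)),
    "+2340000000003": OperatorLookup("621990000000888", NOW - timedelta(days=400)),
    "+2340000000004": OperatorLookup(None, None),
}

def triage():
    """Run the check over every constructed number."""
    return {n: check_number(ENROLLED[n], LOOKUPS[n], NOW) for n in ENROLLED}

if __name__ == "__main__":
    for number, (decision, reasons) in triage().items():
        print(number, decision, ",".join(reasons) or "-")
```

Only the first number authenticates silently; the other three are sent to additional verification, including the one whose IMSI changed long ago but no longer matches the enrolled value.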
What other measures should telco providers be taking to help protect consumers from this tactic?
Due to the negative impact of SIM swap fraud on customer experience, it’s understandable that GSM service providers would have to strike a balance between offering very strict security measures on the SIM replacement process to protect their customers from SIM swap fraud and also improving their service’s customer experience.
It is about associating security with a positive customer experience and trust.
Many businesses are looking for ways to remove friction from customer interactions in order to provide the best possible experience.
However, some critics believe that removing friction will reduce security and make customers less confident in their interactions with businesses.
A smooth approach, however, should not jeopardize security.
At least three real-time identification and authorization services should be included in a strong authentication layer. At Infobip, this includes silent mobile verification (SMV), account takeover protection (ATP), and SIM Swap. Furthermore, as part of the customer journey, these checks should take place “behind the scenes.”
This is especially significant in light of the Central Bank of Nigeria’s (CBN) recent steps in granting licenses to two telecommunication companies to operate as Payment Service Banks (PSBs). This is after these businesses successfully completed a series of applications and requirements. This license allows these telcos to complement rather than compete with other banks.
One of the key provisions of the PSB license issued by the CBN is safety of funds to the consumers of the Payment Service Banks’ products. This is where leveraging technology for KYC checks through a strong customer authentication framework comes into play in reducing fraud while increasing authorization rates. PSBs and Fintechs must implement security measures – consisting of at least two real-time identification and authentication services – when customers make an online purchase to meet KYC requirements. This enables businesses to verify the customer’s identity as well as the validity of the credit card being used to complete the transaction.
Infobip is a global cloud communications platform that enables businesses to build connected customer experiences across all stages of the customer journey at scale, with easy and contextualized interactions over customers’ preferred channels. Accessed through a single platform, Infobip’s omnichannel engagement, identity, user authentication security and contact center solutions help clients and partners overcome the complexity of consumer communications, grow their business and increase loyalty–all in a fast, secure and reliable way. With over a decade of industry experience, Infobip has expanded to include 68+ offices on six continents offering natively built technology with the capacity to reach over seven billion mobile devices and ‘things’ in 190+ countries connected directly to over 600 telecom networks.