SIM Swapping: the most dangerous fraud to gain access to your bank accounts

by | Jul. 2022 | Biometric Identification

Fraud has evolved to the point that any user can be a target. When the fraud is linked to mobile devices, it is even more likely to happen to any of us.

The penetration of mobile technology in Spain is a reality in 2022. This is demonstrated by the fact that more than 99% of Spanish households have a mobile phone and 57.5% have a tablet, according to data from a survey published by the National Institute of Statistics in 2021.

In addition, PSD2 (the Revised Payment Services Directive) entered into force in 2019 and made it mandatory to use at least 2 different authentication factors (knowledge factor, possession factor, and inherence factor). Most financial institutions have opted for the second of them as an additional verification method. In this case, they usually use an SMS message with a unique and temporary code called a One Time Password (OTP).

It is in this SMS and its OTP code that the security gap lies, and it is here that a type of fraud called SIM Swapping is gaining more and more prominence in today’s cybercrime landscape.

But what is it all about and how is it affecting banking customers? 

What is SIM Swapping?   

SIM Swapping is a type of fraud in which attackers falsify the documentation of the holder of a mobile line, with the aim of obtaining a duplicate or clone of the SIM (Subscriber Identity Module) card associated with that telephone line. By duplicating the SIM card, they seek to impersonate the owner of the line and thus gain access to their bank accounts by receiving the SMS messages that include the dynamic passwords the bank provides to its customers as a second authentication factor.

This represents a major security breach in terms of SMS two-factor authentication.  

How do they do it?  

Criminals use malware or social engineering techniques and impersonate official websites and applications that request the user’s credentials.   

Once the victim enters his or her data, the attacker shows up at one of the operator’s stores or calls by phone, providing false documentation based on the customer’s personal data. It is also very common for them to file a false police report alleging that they have been victims of theft, attaching a photocopy of a modified ID card. In many cases, this is a very easy process, as many operators do not apply sufficiently rigorous security measures.

This is not a security failure of the device, but a lack of security mechanisms on the operators’ side when issuing a duplicate SIM card.

As a last step, cybercriminals now have free access to your online banking account, so they can apply for credit, make online purchases, transfers, and, in many cases, acquire private information and sensitive content. All this is because they can now have the OTP (One Time Password) code at their disposal and thus successfully perform two-factor authentication by SMS thanks to the new SIM card.  

How SIM swapping works. Source: Europol

What are the consequences of SIM Swapping for customers?  

SIM Swapping has serious consequences for customers, including:  

  • Bank fraud or money theft. This is the main and most serious consequence for operators’ customers. By cloning their SIM and gaining access to the OTP codes sent by their bank for verification, cybercriminals can access their bank accounts and steal large amounts of money. In addition, unfortunately, many banks do not return the full amount of the stolen money to the victim but only a percentage, which may be very small.
  • Impersonation for fraudulent practices. With all the information collected, the fraudster will be able to carry out different frauds in the victim’s name.
  • Consequences for the user’s privacy. For instance, threats and blackmail of the victim, using compromising information and photos of them, in exchange for large amounts of money.

How can telecommunications companies avoid SIM Swapping?  

Many large telecommunications operators have had to deal with costly fines due to the high number of complaints filed by customers who have suffered from this type of fraud.   

The Spanish Data Protection Agency, in fact, has publicly concluded that operators have not efficiently protected the personal data of their users when it comes to checking the identity of the holder when issuing a duplicate SIM card. The SIM card is associated with a unique number that identifies its holder, which means that it is personal data that can only be provided to its owner.  

Biometrics, the solution to fight SIM Swapping  

Biometrics is the third authentication factor that PSD2 talks about, the inherence factor, i.e., something you are. Biometrics solutions are perfect to fight against SIM swapping, or rather, against the lack of security in the identity verification of customers requesting a duplicate SIM.   

Many transactions are still carried out over the phone, which is why identity verification through the biometric voiceprint, as the inherence factor, is ideal for ensuring that the person on the phone is who they say they are.

The benefits for telecommunications companies, in addition to combating SIM Swapping, are:  

  • Avoid bank fraud and money theft, the main reason why cybercriminals perform SIM Swapping.
  • Reduce other types of fraud or identity theft.  
  • Improve the company’s reputation, by guaranteeing data privacy and reducing the risk of these frauds.  
  • Improve the customer experience of telecommunications companies.  
