Two birds - one stone: Tackling sim swap fraud whilst improving customer trust

Ryan Gosling

Tags:

Banking & Finance | Strong Customer Authentication (SCA) | Telephony | Telecoms

Mobile banking adoption has rocketed in the last few years. Being able to bank on the go has brought new levels of convenience, but it has also enabled fraudsters, who are evolving their tactics in line with the technology.

With statistics showing that fraud and scams are on the increase, banks and ecommerce organizations have a growing challenge on their hands. On the one hand, their users need to be able to trust them to detect any potentially fraudulent behavior on their accounts. On the other, the organizations need to trust that every one of their users is who they say they are.

Take SIM swap and call divert: two growing tactics in which fraudsters use mobile technology to access consumer accounts, posing a real threat to customers, mobile network operators and bank / ecommerce security. In order to understand how to tackle these, first we need to understand what they are.

What is SIM Swap?

SIM swap is a type of phishing fraud where a fraudster sources a customer’s personal information through various means such as looking through their post, hacking emails, stalking them on social media, or even buying the data from areas such as the dark web.

Once they have enough information on an individual, they contact the mobile network operator, posing as the victim. The fraudster tricks the mobile network operator into initiating a SIM swap: cancelling the victim’s SIM card and reactivating the victim’s telephone number on a new SIM card that is in the fraudster’s possession. As a result, all calls and SMS to the victim’s telephone number are routed to the fraudster’s phone.

What is Call Divert?

Call divert is SIM swap’s twin sibling. Here the fraudster mines information about their victim and uses it to trick the mobile network operator into setting up a call divert, a phone feature that forwards or redirects incoming calls to an alternate number (which can be a landline or mobile number). As a result, all calls to the victim’s telephone number are routed to the fraudster’s phone, creating the same issues as a SIM swap.

Banks often use a customer’s telephone to send one-time passwords via a phone call and/or SMS. By setting up either a SIM swap or a call divert, the fraudster can potentially intercept those one-time passwords and make transfers from the customer’s bank account. The problem is that it isn’t just banks at risk: any company using phone-based authentication can be at risk.


How can we tackle SIM Swap and Call Divert fraud?

Over the last few years, network operators have worked to implement more stringent security controls around SIM swap and call divert. So far so good, or so it would seem… The problem is that it isn’t necessarily the process or the customer service agents that are at fault; it’s the information available to the fraudster, in both quality and quantity.

Fraudsters have numerous ways of obtaining the information needed to pass the security checks for setting up a SIM swap or call divert, whether it’s purchasing it directly from the dark web, using email phishing methods, or stalking users on social media to find hints from their personal life. The more information they can get, the better, and customers who are prolific social sharers make it easier for them.

To tackle this, mobile network operators have been working closely with fraud prevention companies to develop SIM swap and call divert detection capabilities, with the aim of identifying whether a SIM card has been changed or a redirect has been put in place on a number. However, this is difficult to monitor, as data is often shared globally between mobile network operators, and not all call diverts and SIM swaps are fraudulent. Getting greater insight into tackling this is vital if companies are to build customer trust.

One such example is the banking sector, where telephony plays a key role for PSD2 and Strong Customer Authentication (SCA), as one-time passwords are a valid authentication method. When implementing SCA, organizations need to consider their customer demographic. With 50% of people over 55 in the UK not having access to a smartphone (Statista), telephony can play an important role in the customer experience. But it needs to be managed accordingly, as this demographic is also more susceptible to fraud. Using mobile network operator data in the right way can ensure that telephony plays a role in a bank’s SCA strategy without increasing the risk of fraud or impacting customers.

The common approach to combating this is two-factor authentication (2FA); however, this isn’t the most secure option on its own. Working closely with mobile network operators to share intelligent insights and enhance current fraud prevention methods, we are combining their data with our location, behavioral and device data to deliver greater confidence that the user is who they say they are. This allows banks and the operators to move beyond the current Account Takeover Protection (ATP) services and provide customers with diverse, customized authentication journeys that utilize more accurate fraud detection capabilities.

Here’s how it works in action: if Callsign detects that a SIM swap or call divert has taken place, the bank or ecommerce organization can decide to add additional authentication requests, such as a swipe of the phone screen, a biometric or a knowledge-based factor, to prove the user is who they say they are. The really clever piece is that if malicious activity such as a bot or malware is already detected, API calls like this aren’t needed, and the request can simply be blocked.

Utilizing this, banks not only have increased capabilities for detecting SIM swap fraud, but also more options for defining authentication journeys. This means they can avoid the costly, inconvenient process of managing fraud after the fact, and their customers can prove their digital identity more seamlessly.

What to do if you notice unusual phone behavior?

Banks are required to have several layers of security controls in place during a payment transaction. If a SIM swap or call divert is detected, the bank will make a risk-based decision on whether to decline the payment as a security precaution and discuss it with the customer.
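The risk-based decision described above (and the step-up / block journey in the "how it works" paragraph) can be expressed as a small policy: block outright when a bot or malware is already detected, step up with non-telephony factors when a recent SIM swap or an active call divert means a phone-delivered OTP would reach the fraudster, and otherwise allow the normal factor set. This is an added illustration, not Callsign's or any operator's code; the signal names, the seven-day SIM-swap lookback and the treatment of missing operator data as "unknown, so step up" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed lookback: a SIM change within this window is treated as suspicious.
SIM_SWAP_LOOKBACK = timedelta(days=7)

# Factors that travel over the phone number and are therefore interceptable
# once a SIM swap or call divert is in place.
TELEPHONY_FACTORS = {"sms_otp", "voice_otp"}
NON_TELEPHONY_FACTORS = ["app_swipe", "biometric", "knowledge"]


@dataclass
class TelephonySignals:
    """Hypothetical signal bundle for one payment request."""
    sim_swapped_at: Optional[datetime]   # last SIM change reported by the MNO
    call_divert_active: Optional[bool]   # None = no MNO data available
    malware_detected: bool               # device / behavioural signal
    bot_detected: bool


def recent_sim_swap(signals: TelephonySignals, now: datetime) -> Optional[bool]:
    """True if the SIM changed within the lookback; None if no MNO data."""
    if signals.sim_swapped_at is None:
        return None
    return now - signals.sim_swapped_at <= SIM_SWAP_LOOKBACK


def decide(signals: TelephonySignals, now: datetime):
    """Return (decision, allowed_factors) for the payment step-up policy."""
    # Malicious activity already confirmed: no authentication challenge is needed.
    if signals.bot_detected or signals.malware_detected:
        return "block", []

    swap = recent_sim_swap(signals, now)
    divert = signals.call_divert_active
    # Assumption: missing operator data is treated as unknown and steps up.
    telephony_compromised = swap is True or divert is True
    telephony_unknown = swap is None or divert is None
    if telephony_compromised or telephony_unknown:
        # Never offer SMS / voice OTP here: the number may be in the fraudster's hands.
        return "step_up", list(NON_TELEPHONY_FACTORS)

    # Clean signals: telephony OTP remains an acceptable SCA factor.
    return "allow", sorted(TELEPHONY_FACTORS) + NON_TELEPHONY_FACTORS
```

In a real deployment the lookback, the factor list and the handling of missing operator data would be set by the bank's fraud policy, not hard-coded.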

Customers may also directly notice unusual behavior on their mobile phone. Having no phone signal for a long period of time, or not receiving any phone calls, could be due to a fraudulent SIM swap or call divert; in this case, it is recommended to contact your mobile network operator and bank.
