SIM Swapping is a type of fraud in which a duplicate SIM card associated with a phone line is obtained without the consent of its holder and with the purpose of impersonating the holder’s identity and accessing confidential information (banking applications, emails, social networks…).
Fines totalling 5.82 million euros have recently been imposed on several telecommunications operators for fraudulent duplication of SIM cards, as the Spanish Data Protection Agency (AEPD) considers their security policies insufficient to prevent fraudulent duplication, which prevents them from adequately protecting the security of their customers.
These sanctions result from a procedure opened in 2019 at the request of individuals who filed their complaints with the Data Protection Agency. The infringements reported include a €17,265 theft from a current account due to a duplicate of a personal card.
How fraudulent SIM card duplication works
The most common variant of this method consists of the criminals visiting the operators’ physical stores in person. They present a police report stating that they have been victims of theft, together with a photocopy of the ID card with a forged image. On many occasions they manage to trick the staff and obtain a duplicate SIM card.
Another method is a telephone call in which they pretend to be the owner of the line. The criminals trick the telecommunications operators by informing the customer service department that their cell phone has been stolen and that they need a duplicate card. After a verification step based on questions about personal data, they obtain the duplicate card, which is sent to the address they request.
By obtaining a duplicate of our SIM, fraudsters automatically gain access not only to the contacts and information stored on the SIM, but also to every application and service that uses an SMS as a recovery procedure; that is, they gain access to and control of bank accounts, social networks and email accounts, among others. In the same way, they gain access to every operation that uses an SMS as its confirmation method, such as online purchases, transfers or loan applications.
What is the source of the problem? Telecom operators may be using insufficiently robust methods to verify users’ identity before issuing a duplicate SIM. In addition, the tendency of banks to use an SMS as a second factor is a problem in itself: simply by stealing the handset, criminals would have access to the SMS messages and, consequently, to the user’s bank accounts.
Strong authentication requires at least two authentication factors (2FA), each taken from a different one of these three groups:
Possession (something you have): this is the most traditional way of accessing a service that belongs to us, through a physical key or credential that we possess, such as a debit card or a message sent to a cell phone. The significant risk of this authentication method is the possibility of losing the credential, or of someone impersonating us simply because they have it. As observed in SIM Swapping cases, “what we have” is not a sufficient authentication factor on its own to avoid identity theft.
Knowledge (something you know): something the user knows, such as a password or access code. In this case it is not something physical that we can lose, but it is a very fragile authentication factor given the risk of forgetting it, or of someone else finding out that information by various methods and then being able to impersonate us.
Inherence (something you are): something inherent to the person, such as your face, voice or fingerprint; that is, ourselves and everything that makes us unique.
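The following is an added example, not code from the original article, showing how a bank-side login check could apply the three groups above while treating an SMS code as untrusted when the operator reports that the line’s SIM was duplicated recently. The credential names, the SIM-change feed and the 72-hour quarantine window are assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from enum import Enum


class Factor(Enum):
    """The three factor groups named in the article."""
    POSSESSION = "something you have"
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"


# Credential types mapped onto those groups (hypothetical names).
CREDENTIAL_GROUP = {
    "password": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}

# Constructed sample feed of recent SIM duplications, as an operator could
# expose it to a bank: line -> time the duplicate SIM was issued.
SIM_CHANGE_LOG = {"+34600000001": datetime(2024, 5, 10, 9, 30)}

# While a duplicate is this recent, an SMS may reach the fraudster, not the holder.
SIM_CHANGE_QUARANTINE = timedelta(hours=72)

# Two sample instants: 2.5 h after the duplicate was issued, and four days later.
SAMPLE_NOW = datetime(2024, 5, 10, 12, 0)
SAMPLE_LATER = datetime(2024, 5, 14, 12, 0)


def sms_is_trusted(phone, now):
    """SMS counts as a possession factor only if the SIM was not replaced recently."""
    changed = SIM_CHANGE_LOG.get(phone)
    return changed is None or now - changed > SIM_CHANGE_QUARANTINE


def evaluate_login(credentials, phone, now):
    """Return (accepted, groups_used). Strong authentication needs factors from
    at least two distinct groups; an SMS code on a recently swapped line is
    not counted, so password + SMS alone is rejected during the quarantine."""
    groups = set()
    for cred in credentials:
        if cred == "sms_otp" and not sms_is_trusted(phone, now):
            continue  # duplicate SIM inside the quarantine window: ignore the SMS
        groups.add(CREDENTIAL_GROUP[cred])
    return len(groups) >= 2, sorted(g.name for g in groups)


if __name__ == "__main__":
    print(evaluate_login(["password", "sms_otp"], "+34600000001", SAMPLE_NOW))
    print(evaluate_login(["password", "face"], "+34600000001", SAMPLE_NOW))
```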
The solution to SIM Swapping: verify the real identity of customers
The operators affected by the fine imposed by the AEPD remarked that, although part of the responsibility for security lies with banks and credit institutions, they need to continuously update and reinforce their own protocols in order to improve and optimize them.
Biometric factors (voice or face) are the solution. These factors are inherent and incapable of being supplanted, making them highly secure. Biometrics are:
Private: biometric traits belong to one individual and no one else. They cannot be supplanted, cloned or intercepted.
Secure: they allow us to move from presumption to certainty. We are sure that users are who they say they are.
Voluntary: the user decides whether to use them.
For this reason, many telecommunications companies have already incorporated biometrics into their customer registration and authentication processes to improve security and the customer experience.
Ventocom: Online customer onboarding through SIM card activation using face biometrics.
Deutsche Telekom: customer authentication in 3 seconds, in any language, with 99% accuracy and anti-fraud technology.
Euskaltel: 100% online account opening and cancellation with document verification technology and anti-spoofing technology to avoid fraud cases.