Guest Post: How to protect your customers from ‘SIM Swapping’ using biometrics

Guest Post: How to protect your customers from ‘SIM Swapping’ using biometrics

By Veridas 

SIM Swapping is a type of fraud in which a duplicate SIM card associated with a phone line is obtained without the consent of its holder and with the purpose of impersonating the holder’s identity and accessing confidential information (banking applications, emails, social networks…).

Some 5.82 million euros have been recently imposed in fines on several telecommunications operators for fraudulent duplication of SIM cards as the Spanish Data Protection Agency (AEPD) considers that their security policies are insufficient to prevent fraudulent duplication, which is preventing them from adequately protecting the security of their customers.

These sanctions result from a procedure opened in 2019 at the request of individuals who filed their complaints with the Data Protection Agency. The infringements reported include a €17,265 theft from a current account due to a duplicate of a personal card.

The operation of fraudulent SIM card duplication

The most common practice of this method consists of the criminals visiting the operators’ physical stores in person. They present a police report stating that they have been victims of theft, together with a photocopy of the ID card with a forged image. They manage to trick the workers and obtain a duplicate SIM card on many occasions.

Another method used is the telephone call in which they pretend to be the owner of the line. The criminals trick the telecommunications operators by informing the customer service department that their cell phone has been stolen and they need a duplicate card. After a verification method based on questions about personal data, they obtain the duplicate card, which is sent to the requested address.

By getting a duplicate of our SIM, fraudsters automatically have access, in addition to contacts and information stored in the SIM, to all applications and services that use an SMS as a recovery procedure; that is, they would have access and control of bank accounts, social networks and email accounts among others. And, in the same way, to all operations that have as a confirmation method sending an SMS; such as online purchases, transfers or loan applications.
What is the source of the problem? Telecom operators may be using insufficiently robust methods to verify users’ identity to allow a duplicate SIM. In addition, the tendency of banks to use an SMS as a second factor is a problem in itself; simply by stealing the handset, criminals would have access to SMS and, consequently, users’ bank accounts.

Strong authentication is an authentication where it is required to use at least two authentication factors (2FA) chosen from these three groups:
Possession (something you have): this is the most traditional way of accessing a service that belongs to us and is through a physical key or accreditation that we possess, such as a debit card or a message to a cell phone. The significant risk of this authentication method is the possibility of losing this credential or of someone impersonating us simply because we have it. As observed in SIM Swapping cases, “what we have” is not a sufficient authentication factor to avoid identity theft issues.

Knowledge (something you know): something the user knows, such as a password or access code. In this case, it is not something physical that we can lose, but it is a very fragile authentication factor given the risk of forgetting it or even of someone else finding out that information by different methods, becoming then able to impersonate us.
Inheritance (something you are): something inherent to the person, such as your face, voice or fingerprint; that is, ourselves and everything that makes us unique.

The solution to SIM Swapping: verify the real identity of customers

The operators affected by the fine imposed by the AEP remarked that, although part of the responsibility for security lies with banks and credit institutions, they need to continuously update and reinforce their protocols in order to improve and optimize them.

Biometric factors (voice or face) are the solution. These factors are inherent and incapable of being supplanted, making them highly secure. Biometrics are:
Private: biometrics belong to an individual and no one else. It cannot be supplanted, cloned or intercepted.
Secure: it allows us to move from presumption to certainty. We are sure that the users are who they say they are.
Voluntary: it is the user who has the decision to use it.

For this reason, many telecommunications companies have already incorporated biometrics in their customer registration and authentication processes to increase security and customer experience.

Ventocom: Online customer onboarding through SIM card activation using face biometrics.
Deutsche Telekom: customer authentication in 3 seconds, in any language, with 99% accuracy and anti-fraud technology.
Euskaltel: 100% online account opening and cancellation with document verification technology and anti-spoofing technology to avoid fraud cases.



Alfa-Bank adds app update feature

Alfa-Bank adds app update feature

Alfa-Bank offered its customers the opportunity to renew their IDs data directly in the mobile application. The new service allows you to update data if the ID document is replaced, lost, or for other reasons – you do not have to visit the office for this purpose. The solution was implemented in partnership with Smart Engines thanks to their high-precision ID scanner technology based on energy-efficient AI algorithms.

To update the data, you need to open the bank’s mobile app, select the menu item “My Data” and place the new ID in front of the smartphone. The OCR is performed in real time using the video stream of the smartphone’s camera. After ID scanning, the client confirms the data before transferring it into the bank’s system. Personal data images are not transferred to any third-party services for processing and instead are communicated directly to the bank, to ensure maximum security.

“Previously, the customer had to visit the bank’s office for any banking service. Now almost any service is remotely available, and even, for example, the ID data can be updated in the bank’s mobile application on the same day as your new document was issued,” said Damir Battulin, Senior Vice President, Head, Online Development Department, Alfa-Bank.

“The technologies we offer are secure because no external services come between the client and the bank. They do not require high-performance computing power and work even on low-end mobile devices. We are members of the UN Global Compact, and our products follow the principles of the global ESG strategy,” said Vladimir Arlazarov, CEO of Smart Engines, Ph.D

Greece to launch mobile ID, mDL

Greece to launch mobile ID, mDL

Greek citizens will be able to download a digital version of the full identity card and their driving license to their mobile phones by next Easter, Digital Governance Minister Kyriakos Pierrakakis revealed on January 6.

Pierrakakis told SKAI TV that, “We aim to have the biggest part of this work at the end of the first quarter of 2022, surely before Easter we will have these changes in terms of the new identity card … and in terms of the driving license.”

Currently, only part of the ID can be put on cell phones now to help people get into stores easier where showing a vaccination certificate or proof of recovery from the Coronavirus is required.

The new service will allow citizens to use their digital ID in any transaction with the state or institution requiring identification.

The launch follows the success of a COVID-19 free GR Wallet App which lets people put certificates of vaccination and other identification on their cell phones, which saw more than one million responses shortly after it was launched.

UL Launches certification scheme to advance MDL adoption at Identity Week 2021

UL Launches certification scheme to advance MDL adoption at Identity Week 2021


 UL, the global safety science leader, announced today that it launched an electronic identification (eID) certification scheme to evaluate products for compliance with ISO/IEC 18013-5:2021, the new international standard for personal identification – mobile driving license (mDL). This global standard specifies interoperable protocols for digital credentials and a data model for an mDL. It can also be leveraged for other digital credentials far beyond driving licenses.

The announcement was made in conjunction with a speech by Arjan Geluk, lead principal advisor in UL’s Cybersecurity and Identity Management and Security group, at Identity Week, which is being held today through and Thurs., Sep. 23 in London. Geluk said, “I am proud to announce that UL now provides interoperability certification services for mobile driving license implementations. It expresses a continuation of our commitment to the deployment of secure, privacy-preserving and globally interoperable digital credentials.”

The launch of UL’s ISO/IEC 18013-5 interoperability certification services coincides with the approval of this new international standard and promotes the seamless rollout of globally interoperable mDL implementations around the world.

Ian Grossman, vice president of Member Services and Public Affairs at the American Association of Motor Vehicle Administrators (AAMVA), said, “The AAMVA is appreciative of all the hard work that has been done to provide an interoperability standard. Continued collaboration between the public and private sectors is imperative for providing a robust and trusted mDL ecosystem.”

“I am pleased that ISO finalized the ISO/IEC 18013-5 standard, a widely supported international standard which provides a reliable, secure and privacy-friendly way to share and verify mobile credentials,” added Bas van den Berg, secretary of Topic Group XIX on Virtual Driving License at the Association of European Vehicle and Driver Registration Authorities and head of driving licenses at The Netherlands Vehicle Authority. “I am happy that there is a possibility for issuers and verifiers to obtain evidence that their solution meets this new standard, so that they can be sure about the international interoperability of their solutions.”

UL’s testing and certification services check for conformity against the standard for mDL and mDL reader applications. Once a product has been certified, the UL Mark can be associated with the application and leveraged to market a solution by showing the UL Promotional Badge in marketing materials, indicating the product interoperable with any other ISO/IEC 18013-5 compliant implementation.

UL’s eID Certification services are the latest in a series of solutions that support empowering trust in digital credentials. UL offers independent training, strategic advisory, test suites, certification testing and cybersecurity evaluation services for mDL and mDL reader implementations and other forms of eID.  Learn more about UL’s eID solutions.