SIM-swop fraud has continued to grow with some international reports showing close to 100 percent year-on-year growth, and South Africa is seeing the same trend, according to device identity and customer authentication software provider Entersekt.
According to the latest South African Banking Risk Information Centre figures, SIM-swop fraud incidents increased by 91 percent year-on-year when considering digital banking fraud across all platforms.
Lincoln Naicker, the owner and product manager at Entersekt, said this week that the most important thing to recognise was that SIM swops had an important part to play in the mobile network industry.
“Mobile Network Operators (MNOs) sit at the centre of an extended ecosystem and impact many other sectors, not least the financial one. And although there has been a seismic shift in the technology in mobile apps and other digital channels, the SIM has remained fairly unchanged,” Naicker said.
Naicker said SIM-swop fraud remained a largely manual process with social engineering at the heart of most of the criminal efforts.
Naicker said there was a need for better local regulation to effect change. He was, however, quick to point out that the current method was low-friction and offered MNOs a better customer experience.
“MNOs want to keep the customer experience as smooth as possible. If you put too many roadblocks in the path of the cellphone owner, they may simply migrate to another provider, and so the incentive to add additional security layers is not immediately obvious. However, when it comes to reputation, SIM-swop fraud will eventually impact your bottom line,” he said.
Naicker said the first issue that needed addressing was how MNOs “onboarded” customers.
“We need greater co-operation between the MNOs when it comes to onboarding. The verification process should be augmented using other technologies, such as voice biometrics. If all players could agree on better security at this early stage, we would already have made progress,” he said.
The second piece of the puzzle lies with organisations’ ongoing reliance on SMS one-time passwords (OTPs). Naicker said SMS OTPs were not secure and fraudsters knew this.
“We have seen dramatic results at companies where we have helped them remove SMS OTPs as part of their authentication offering. We should remember that the industry rolled out SMS OTPs when we realised that usernames and passwords were not sufficient. But now we know that SMS OTP should not be used for anything tied to personal or financial information. It’s simply not strong enough,” Naicker said.
Naicker acknowledged that this could not happen overnight and suggested that in the shorter term companies could augment the authentication process with SIM-swop detection technologies or use mobile apps that relied on device integrity.
Finally, Naicker suggested that beyond industry co-operation, the regulators needed to look at introducing guidelines and standards that would address SIM-swop fraud at the entry point.
“At the end of the day SIM-swop fraud remains a huge part of digital crime committed, because there has not been much focus on improving an archaic process that relies on old technologies. There are better ways of doing things, but it requires a co-ordinated effort to make the necessary changes. Most of all, we will need to move past the current industry inertia.”
BUSINESS REPORT ONLINE