SIM swap fraud has plagued mobile users across Africa for years, with Myriad Connect recent survey in Kenya revealing that over 90 per cent of Kenyan banking leaders sees it as an issue for their organisations.
The survey also shows that over 25 per cent of respondents had been victims of SIM swap fraud. While in South Africa, the South African Banking Risk Information Centre (SABRIC) reported recently that the incidence of SIM swap fraud has more than doubled in the past year.
Myriad Connect offers banks and financial service institutions out of band authentication and SIM swap detection services to empower them to protect each of their customers’ financial services transactions.
“But SIM swap fraud is not limited to Africa,” says Willie, Myriad Connect Director Business Development – Africa. “It is a growing global issue affecting even some of the most sophisticated technologies in the world.”
Willie cites recent examples such as the case in which US entrepreneur Michael Terpin is suing AT&T over an alleged SIM swap that resulted in millions of dollars’ worth of cryptocurrency tokens being stolen from his account; and another incident in which esports star Yiliang ‘Doublelift’ Peng said he lost $200,000 in cryptocurrency in a SIM swap attack.
“A SIM swap, in which criminals manage to get a replacement SIM for a mobile number that does not belong to them, allows the new SIM to supersede the existing one, and gives criminals access to the legitimate user’s information and accounts,” says Willie. “This compromises the victim’s online banking, cryptocurrency or digital financial service accounts and gives SIM swap fraudsters access to all the victim’s online accounts, including email and all social media accounts. In addition to financial losses, this presents the risk of reputational damage and the exposure of sensitive data, and once fraudsters control a user’s accounts, regaining control of them can be complex.”
In the past, the market’s response to the threat of digital transaction fraud has been to introduce authentication measures to protect transactions – often in the form of a one-time-password (OTP) over SMS.
“However, OTP via SMS has long been considered a vulnerable channel for authenticating financial services transactions, as it does not meet strict security standards,” says Willie. “In 2016 the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap. It poses a challenge to providers using the service, as there is no audit trail, opening a door to large-scale fraud through a single point of failure.”
Organisations and consumers have a false sense of security when it comes to using OTP over SMS in addition to a username and password, he notes. “This mode of authentication is vulnerable to SIM swap fraud and many other forms of attack. It can also be vulnerable to man-in-the-middle attacks, SMS can be intercepted, mobile networks can be hacked to receive the OTP SMSes, and call forwarding can be used to divert the OTP SMSes to a fraudster’s phone. Clearly, OTP via SMS is simply not secure enough to protect financial service transactions.”