20.5k unique visitors in the last 3 days

Australia Considers New Rules to Prevent SIM Swaps

The Australian Communications and Media Authority (ACMA) wants telcos to use multi-factor authentication for all 'high risk' customer interactions.

The Australian Communications and Media Authority (ACMA) has proposed new rules that would force telcos to implement tougher checks of a customer’s identity before completing ‘high risk’ interactions such as issuing replacement SIM cards.

Unfortunately, there is clear evidence that scammers continue to target SIM swap processes, with some data sources indicating ongoing harms have increased. ACMA analysis shows that between January and May this year, more than 80% of mobile number fraud resulted from unauthorised SIM swaps.

We have data from government agencies, telecommunications providers and other bodies that provide a strong indication of about (sic) ongoing realised harm. We estimate the average loss per mobile number fraud to be $28,715 [USD20,870] and we are aware consumers are likely to under-report fraud to authorities due to embarrassment and reputational issues.

SIM swaps are the main current motivation for increased controls but the ACMA wants rules that anticipate the way fraudsters adapt their methods.

There is also emerging evidence that scammers are targeting other telecommunications customer interactions. For example, scammers have used personal information to facilitate other types of fraud, such as ‘purchasing’ expensive handsets on a customer’s account or gaining full access to customer accounts and payment details. This suggests that if fraud from unauthorised SIM swap is prevented via new obligations, scammers will quickly pivot to target other points of weaknesses.

The ACMA wants multi-factor authentication (MFA) of “all customer interactions at high risk of fraud”. Their proposals outline three examples of MFA.

  • Manual/visual comparison of a person’s face against a photograph on a primary piece of evidence
  • Verification of a biometric template collected at registration against a biometric template held by an authoritative source
  • Knowledge-based authentication

Some Australian telcos are already using MFA to reduce fraud.

In taking this step, we note that some providers have already introduced multi-factor identity verification arrangements, or are in the process of doing so, under guidance material developed by Comms Alliance. It is demonstrable that providers that have already implemented these processes are experiencing significantly less fraud involving their customers.

The ACMA would normally allow telcos to succeed with their voluntary efforts before imposing new obligations, but this time they want regulations to be in place so they can take enforcement action against any laggards. They also want the freedom to quickly extend these rules whenever new fraud risks become apparent.

It seems unlikely that Australian telcos will raise objections, though some may want more detailed rules from the ACMA. The current proposal is vague in several areas. For example, there is no exhaustive list of situations that require MFA. It is clear what is required when asking a member of staff to compare photo ID to somebody’s actual face, but the standard for knowledge-based authentication could vary greatly. Questions might be as tough as reading out a code from an authenticator app or as trivial as asking the maiden name of the customer’s mother.

The deadline for responses to the ACMA consultation is December 15. You can read the ACMA’s proposal here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email