The Australian Communications and Media Authority (ACMA) has proposed new rules that would force telcos to implement tougher checks of a customer’s identity before completing ‘high risk’ interactions such as issuing replacement SIM cards.
Unfortunately, there is clear evidence that scammers continue to target SIM swap processes, with some data sources indicating ongoing harms have increased. ACMA analysis shows that between January and May this year, more than 80% of mobile number fraud resulted from unauthorised SIM swaps.
We have data from government agencies, telecommunications providers and other bodies that provide a strong indication of about (sic) ongoing realised harm. We estimate the average loss per mobile number fraud to be $28,715 [USD20,870] and we are aware consumers are likely to under-report fraud to authorities due to embarrassment and reputational issues.
SIM swaps are the main current motivation for increased controls but the ACMA wants rules that anticipate the way fraudsters adapt their methods.
There is also emerging evidence that scammers are targeting other telecommunications customer interactions. For example, scammers have used personal information to facilitate other types of fraud, such as ‘purchasing’ expensive handsets on a customer’s account or gaining full access to customer accounts and payment details. This suggests that if fraud from unauthorised SIM swap is prevented via new obligations, scammers will quickly pivot to target other points of weakness.
The ACMA wants multi-factor authentication (MFA) of “all customer interactions at high risk of fraud”. Its proposal gives three examples of verification methods that could form part of MFA.
- Manual/visual comparison of a person’s face against a photograph on a primary piece of evidence
- Verification of a biometric template collected at registration against a biometric template held by an authoritative source
- Knowledge-based authentication
Some Australian telcos are already using MFA to reduce fraud.
In taking this step, we note that some providers have already introduced multi-factor identity verification arrangements, or are in the process of doing so, under guidance material developed by Comms Alliance. It is demonstrable that providers that have already implemented these processes are experiencing significantly less fraud involving their customers.
The ACMA would normally allow telcos to succeed with their voluntary efforts before imposing new obligations, but this time they want regulations to be in place so they can take enforcement action against any laggards. They also want the freedom to quickly extend these rules whenever new fraud risks become apparent.
It seems unlikely that Australian telcos will raise objections, though some may want more detailed rules from the ACMA. The current proposal is vague in several areas. For example, there is no exhaustive list of situations that require MFA. It is clear what is required when asking a member of staff to compare photo ID to somebody’s actual face, but the standard for knowledge-based authentication could vary greatly. A check might be as strong as reading out a time-limited code from an authenticator app (strictly a ‘something you have’ factor rather than knowledge, since the code is derived from a secret held on the customer’s device) or as trivial as asking the maiden name of the customer’s mother, an answer that is static, reusable, and often already known to a scammer from social media or a data breach.
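To make the gap between those two ends of the scale concrete, the following is an added example (not code from the ACMA proposal, Comms Alliance guidance or any telco) of how a provider could gate a ‘high risk’ interaction such as a SIM replacement. It implements RFC 4226 HOTP / RFC 6238 TOTP from the standard library so the authenticator-app check can be seen end to end: the code is time-bound, rejected once it has been used, and only accepted within a small clock-drift window, whereas the static knowledge-based answer passes every time once learned. The interaction names, the `CustomerRecord` class, the `authorise` function and the test secret are all assumptions constructed for the example.

```python
"""Step-up verification for a high-risk telco interaction (added example).

Contrasts a possession factor (RFC 6238 TOTP from an authenticator app) with a
static knowledge-based answer (KBA). Not ACMA or telco code; every name below
is an assumption made for illustration.
"""
import hashlib
import hmac
import struct

TOTP_STEP = 30      # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6     # length of the code the customer reads out to the agent
ALLOWED_DRIFT = 1   # accept one step either side to tolerate phone clock skew

# Hypothetical list of interactions a provider treats as 'high risk'.
HIGH_RISK = {"sim_replacement", "number_port_out",
             "add_handset_on_account", "change_payment_details"}


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TOTP_STEP)


class CustomerRecord:
    """What the provider holds for one customer once MFA has been enrolled (assumed)."""

    def __init__(self, totp_secret: bytes, kba_answer: str):
        self.totp_secret = totp_secret
        self.kba_answer = kba_answer.strip().lower().encode()
        self.used_counters = set()   # time steps already accepted, to block replay

    def check_totp(self, code: str, unix_time: int) -> bool:
        """Accept a code only if it matches an unused time step inside the drift window."""
        now = unix_time // TOTP_STEP
        for counter in range(now - ALLOWED_DRIFT, now + ALLOWED_DRIFT + 1):
            if counter in self.used_counters:
                continue                             # single use: a replayed code fails
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False

    def check_kba(self, answer: str) -> bool:
        """Static knowledge-based answer: passes forever once a scammer has learned it."""
        return hmac.compare_digest(self.kba_answer, answer.strip().lower().encode())


def authorise(record: CustomerRecord, interaction: str, factors: dict, unix_time: int) -> bool:
    """Gate an interaction. High-risk ones need the KBA answer AND a fresh authenticator
    code; a KBA answer alone is only enough for routine requests (policy assumed here)."""
    kba_ok = record.check_kba(factors.get("kba", ""))
    if interaction not in HIGH_RISK:
        return kba_ok
    return kba_ok and record.check_totp(factors.get("totp", ""), unix_time)


if __name__ == "__main__":
    # Constructed data: the RFC 4226/6238 test secret, not a real customer key.
    secret = b"12345678901234567890"
    customer = CustomerRecord(secret, "Smith")
    print(totp(secret, 59))                                                    # 287082
    print(authorise(customer, "sim_replacement", {"kba": "smith"}, 59))       # False
    print(authorise(customer, "sim_replacement",
                    {"kba": "smith", "totp": "287082"}, 59))                  # True
    print(authorise(customer, "sim_replacement",
                    {"kba": "smith", "totp": "287082"}, 59))                  # False (replay)
```

The replay set and the drift window are the two details a practitioner would check in a real deployment: without `used_counters` a code phished from the customer a few seconds earlier still works, and with a drift window much wider than one step the attacker’s window grows accordingly. The KBA branch is deliberately unchanged between calls to make the point in the paragraph above: nothing about the mother’s maiden name stops the same answer being accepted on every attempt.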
The deadline for responses to the ACMA consultation is December 15. You can read the ACMA’s proposal here.