If banks rely too much on using phone numbers to confirm the identity of people making large withdrawals, which business is to blame? When the question is posed like that, the answer becomes obvious. No telco tells banks that the person who answers a phone call or receives an SMS must be the same person as the legitimate owner of that phone account. That simple fact did not discourage the BBC from going overboard in their recent criticism of the way some UK telcos issue replacement SIMs. There are telcos that should do more to lower the risk of account takeover fraud, but that does not make them responsible for everything that happens afterwards. The BBC’s hyperbole suggested telcos are at fault for bank transactions made following a SIM swap, even though banks should use multiple methods to verify the identity of anyone making a withdrawal, and should not depend on the association between a customer and their phone number. Now the same BBC consumer protection show has decided a bank is to blame for a similar crime where somebody fraudulently gained control of a phone service so they could use it to steal money from the victim’s account. This is how the phone hijacking aspect of the fraud was described in an article for BBC News:
After reporting the call to the police, Charlotte discovered her phone line was diverted on the day of the call, explaining why the bank believed they were speaking to her at her home address.
Bank records show the fraudster initially calls the bank, posing as Charlotte, and asks for her account to be reset for security reasons. Staff follow the bank’s usual security protocol and call Charlotte’s landline number, unaware the call has been diverted to a mobile phone.
The bank maintained that because it had called Charlotte’s home phone number to verify her identity, it was clear she was aware of the transactions. Following an investigation by Devon and Cornwall Police, it was discovered that the fraudster had made a call to Charlotte’s landline provider to fraudulently divert the number to a mobile phone number in a different part of the UK
Though this is not a SIM swap, the fraud relies on the same basic principle. A fraudster dupes the telco into believing they are a genuine customer, and so gains control of that customer’s phone service. The fraudster does not profit from this part of the crime; controlling the phone service is just a means to an end. The ultimate goal is to use the phone service to defeat the bank’s limited identity checks. Here the check was a callback to the registered landline, and a callback only proves that whoever controls where calls to that number terminate picked up: once the telco has diverted the number, the fraudster answers the bank’s call without ever touching the victim’s phone. The fraudster thus tricks the bank into transferring money from the victim’s account. That means the telco is also a victim of this kind of crime: if banks were more careful then fewer fraudsters would attempt to defraud telcos.
In this instance, the BBC chose to emphasize how the bank should do better, instead of criticizing the telco that was also conned. One reason for the BBC’s change of tone is that this particular fraudster gave the wrong answer to one of the bank’s security questions, but was still allowed to make a withdrawal of GBP4,318 (USD5,531). I take this as further evidence that the banks are passing the buck on fraud prevention. Why should telcos tighten security just to protect banks that do not even insist on obtaining the right response to their woefully inadequate identity checks?
In an era where passwords are widely sold on the dark net, and it is easy to use social media to collect personal information about strangers, our societies must push banks into adopting token-based authentication. The banks resist because token-based authentication will cost them more money, and may be unpopular with some customers. But those are not excuses, especially when banks are trying to foist the cost of securing bank transactions worth thousands upon other businesses whose services cost a lot less.
Banks do not need a subsidy from telcos. They already had big subsidies from taxpayers. Now they are back to making profits by simply pushing money around, without being too careful about where the money goes. Banks can afford to implement token-based authentication for every customer, instead of using much weaker methods like sending SMS messages and phoning people to ask security questions. Unfortunately the loudest voices in our societies, mainstream media organizations like the BBC, still behave like we are living in the 1990s, and lack the imagination to insist that banks must change.
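The article calls for token-based authentication without naming a scheme. The following Python is an added example, not code from the original article or from any bank or telco it discusses. It assumes a time-based one-time password token of the kind described in RFC 6238 (HMAC-SHA-1, 30-second step, 8 digits) and uses that RFC’s reference secret so the output can be checked against the RFC’s published vectors; a real deployment would provision a random secret per customer. The point it makes concrete is that the bank verifies the code from a secret it shares with the customer’s token and from its own clock, so nothing a fraudster does to a phone number, whether a SIM swap or a landline diversion, changes the result. What the bank cannot outsource is protecting that secret and refusing to accept a code twice.

```python
import hashlib
import hmac
import struct

# Reference secret from RFC 6238 Appendix B, used only so the values below can be
# checked against the published test vectors. A real token holds a random secret.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given 64-bit counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Bank-side verifier. It needs the shared secret and a clock, nothing else:
    no phone number, no SMS gateway, no callback."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # steps of clock drift tolerated either side
        self.last_accepted_counter = -1  # replay guard: never accept an older step

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # a code for this step (or earlier) was already used
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(SECRET)
    # Customer's token at T=59 seconds produces the RFC 6238 vector 94287082.
    code = totp(SECRET, 59)
    print(code, verifier.verify(code, 59))   # accepted
    print(code, verifier.verify(code, 59))   # same code again: rejected as a replay
```

The verifier accepts one step of drift on either side, which is the usual operational compromise between clock skew and exposure; tightening the window or widening it changes how many codes are valid at once, so the replay guard matters more as the window grows. Note that the verification path never touches the telephone network, which is exactly why a diverted landline would not have helped the fraudster in the BBC case.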