SIM swap fraud has become headline news worldwide. This year Commsrisk has picked up stories about fraudsters swapping SIMs in order to con the parishioners of a South African Bishop, steal from the bank accounts of Indians, and tweet from the account of the CEO of Twitter. On the other hand, we have to be wary of exaggerating the problem, as it becomes necessary to counter fake news being spread about SIM swaps. So how severe is the problem of SIM swaps?
It is not hard to see why SIM swaps grab the attention of journalists, following a series of high-profile SIM swaps that targeted celebrities and cryptocurrency millionaires. Nevertheless, a Freedom of Information request by my colleague Rob Chapman showed that the UK police deal with considerably fewer than one SIM swap fraud per day. As a consequence, Rob and I decided not to keep asking for more data, or to spend time publicizing what we had learned. 252 SIM swaps during 2018 is a modest total in comparison to the 92.1mn mobile phone subscriptions held by British customers that year. Brits are significantly more likely to die in a car crash than suffer a SIM swap fraud; there were 1,770 reported deaths on UK roads during the year to June 2018.
I have asked telcos in other countries about the number of SIM swaps they face, and each one tells me the same story. They issue thousands of SIMs on a daily basis; almost all were requested by legitimate customers. Fraudsters are only responsible for a tiny minority of SIM activations. However, they are also sensitive to the extent to which SIM swap crime is reported. So anecdotal reports suggest the UK experience is consistent with SIM swap fraud in other countries. This is unsurprising; the use of SIMs is universal, and all telcos have adopted similar processes surrounding them. We should expect a similar level of SIM swap fraud in each country unless we can identify factors that would make the crime more attractive in specific domains. So why does SIM swap fraud gain so much attention relative to other frauds?
One reason why the scale of SIM swap fraud may be exaggerated is that the number of these crimes has increased rapidly in recent years, and the typical loss is worryingly high. For example, UK police reports showed that the number of SIM swap frauds almost doubled from 2016 to 2017. But a rapid rate of growth means relatively little if we begin from a very low base. It might also be argued that SIM swap frauds could be systematically under-reported. However, the criminal’s usual goal is to steal money, and because SIM swap fraud mostly comes to light after a bank account is raided, it would be odd if banks failed to notify the police of thefts that average around GBP4,000 (USD5,150).
What is obvious is that there has been a correlation between SIM swap frauds and our reliance on phones to verify our identities, especially when using SMS messages as a second authentication factor. Revenues from retail SMS are in general decline, but application-to-person (A2P) SMS revenues are growing, and SMS messages for two-factor authentication (2FA) have been a significant contributor to that growth. Mobilesquared estimated that global A2P revenues will rise from USD12bn in 2017 to USD26bn by 2022, with 2FA SMS representing almost 20 percent of those revenues.
Recently the US Federal Bureau of Investigation (FBI) warned that SMS messages are weaker than alternative forms of two-factor authentication, even though the adoption of any second factor is much better than relying on a single factor. The FBI recommended that biometrics offers a superior way to authenticate users. The telecoms industry has certainly recognized the need to offer stronger alternatives to SMS 2FA. For example, Nok Nok’s biometrics-based authentication platform won the 2019 GSMA Glomo Award for Mobile Authentication and Security. One sign of changing priorities is that authentication has become the subject of an award; in 2017 the equivalent GSMA Glomo category was ‘Best Mobile Security or Anti-Fraud Solution’. Nok Nok’s platform complies with the GSMA’s Mobile Connect standard for sharing authentication data, and there is no shortage of suppliers offering solutions that enhance the authentication services used by other businesses, such as banks.
SIM manufacturers and security experts Gemalto are one of the big global businesses pushing banks to purchase more advanced technology to authenticate remote customers. Gemalto’s marketing team hit the nail on the head with this observation:
The mobile is shaking the entire financial ecosystem, requiring more convenience for consumers with new use cases and services including eBanking apps.
Financial institutions have yet to keep up with the necessary security scheme needed to protect these services.
Auditing the security policies of financial institutions goes well beyond my area of expertise, but a quick review of UK retail banks shows many now offer their customers the choice to download mobile phone apps that provide more robust authentication than sending codes by SMS. This is a sensible way forward; almost 80 percent of British adults use smartphones, so it makes sense to offer apps that can do a much more effective job of verifying the user’s identity. The need to improve has long been obvious; the UK consumer advocacy group Which surveyed the security of online banking at the beginning of 2019, and found only a minority of the banks had adopted any form of 2FA at that time. Many UK banks appear to have made rapid progress in the meantime, probably because of the need to comply with the European Union’s Strong Customer Authentication (SCA) rules, imposed by the January 2018 Payment Services Directive (PSD2). But it is disappointing that some UK banks are only now adopting SMS-based 2FA whilst the FBI is already encouraging US firms to do better.
Banks differ in the technologies they are adopting, and this does not help customers to understand the risks they are taking. For example, Which’s survey of internet banking security gave a relatively high score of 66 percent to the Co-operative Bank. However, the Co-op does not give their customers the option to use their fingerprint to gain access via their mobile phone. If you want to bank with the Co-op then the only alternative to SMS 2FA is to receive your second factor code by email – one of the few methods that is even less secure than receiving an SMS! Rather than praising such techniques as ‘strong’ authentication, it would be better if customers were educated about how weak they are, relative to other methods.
One concern that is sometimes raised is the danger that poor customers will have their bank accounts raided, especially if they have to rely upon SMS 2FA because they do not possess a smartphone. Whilst these customers also need to be given adequate means to access the same online services, we must understand the full context of what it means to be a poor customer. A knee-jerk demand that everyone be expected to present an increasing amount of photo ID in order to change their SIM is not in the best interests of poor customers either. Poor British customers are least likely to possess photo ID. In the UK and USA, black people are less likely to have photo ID than white people. The UK is having a vigorous debate about whether it is appropriate to ask voters to present photo ID and this has long been an issue in the USA. It seems strange that we would worry about whether a poor person can vote once every few years, but not whether they can obtain access to telecommunications and internet services on a daily basis.
I would argue that the fairest approach involves setting authentication requirements relative to the value of the account being protected. Whilst a prepaid phone account may be important to its rightful owner, it holds little interest for criminals. Most fraudsters want to get access to bank accounts with plenty of money in them, whilst a few seek to embarrass famous people. Hence the security burden should be set relative to the wealth coming under attack.
Businesses look at the cost-benefit equation before deciding how much to spend on securing their customers. Passwords are super weak, especially now because of data breaches, but they are also super cheap. Sending authentication codes by SMS is also weak, and also cheap, which is why many firms choose to use it for their second factor. We can do a lot better, especially by leveraging the mini-computers in our pockets to generate codes that are difficult to break, or by using them to perform biometric scans. Given the choice, some banks would rather take the cheaper options whilst hoping telcos get the blame for the rise in SIM swap frauds, even though the actual number of fraudulent SIM swaps is low.
There are not many fraudsters with the sophistication to generate thousands of pounds of profit by taking control of a phone account, but they can transfer that amount of cash from a bank account within minutes. The onus should be on banks to implement security that is proportionate to the customer’s assets, and that means doing more than relying on a simplistic assumption that the person who reads an SMS is the same as the person whose name is on the bank account.