The new e-SIM is already seeing fast adoption in many markets, especially those related to the Internet of Things. Adoption is growing in areas like industrial robotics, asset/inventory management, smart grids, and certain personal devices such as smartwatches. If you’ve read my previous article on the rise of e-SIM technology, you are now aware of some of the revenue assurance risks that will rise along with the business opportunities.
Most network service providers have already begun to explore the impact the e-SIM will have on their organizations, and the new revenue opportunities. But this article focuses on an equally critical area – the impact of risk from a fraud management perspective, which is also closely linked to security.
Security and fraud domains are beginning to interconnect. This is being driven in large part by the switch to IP networks, which makes telecom providers more vulnerable. Network security vulnerabilities originally used by hackers to cause website outages or create other types of havoc are now being exploited to commit telecom fraud.
The GSMA’s Security Accreditation Scheme (SAS) enables mobile operators, regardless of their resources or experience, to assess the security of their UICC and Embedded SIM suppliers. This means there is no way to download applications to the Universal Integrated Circuit Card (UICC) without the consent of the Mobile Network Operators (MNO). At the same time, with so many stakeholders involved (MNO, subscription manager and eUICC manufacturer), if fraud or a security compromise occurs in a eUICC environment, it may be difficult to quickly identify and fix the root cause because it can occur at so many different levels.
It’s not all bad news – especially when it comes to addressing fraud
Moving from physical SIMs to embedded SIMs will reduce the number that fall into the grey market, making it more difficult to use them for fraudulent purposes. As an example, the growing market of SIMbox device manufacturers is expected be directly hit due to non-compliance of the now available GSMA’s evaluation and certification specifications that ensures the various system entities (SM-DP, SM-SR, EUM, eUICC) can all be trusted by each other. At the same time, the GSMA has extended its work to cover security auditing and accreditation of the Embedded UICC suppliers and the providers of subscription management (DP and SR) services. In the near future, I wouldn’t be surprised to see the various stakeholders sharing SIMbox cases with each other.
Another area that we expect to see changes in is how subscription fraud will evolve from an e-Sim perspective, and how these new attacks will be committed by fraudsters. According to the Communications Fraud Control Association (CFCA), identity fraud during the subscription process remains one of the most common methods of telecommunication fraud. It typically involves identity theft or the use of false identification at the point of sale, enabling either the fraudulent use of telecom services, or the use of such services for other fraudulent activities.
If a regular SIM card can be easily removed when a person’s device is stolen or lost, the same doesn’t apply with an e-Sim. In this case a stranger, having disabled all restrictions (unless you are using an iPhone), can use the newly obtained device with a different SIM card and resell it. But this trick will not work with an e-SIM due to the authentication and security measures in place that we’ve already covered. A fraudster is not able to download a new profile without the legitimate owner’s password. Moreover, on each reboot, the device will download the previous profile, making it possible to locate the stranded device. Can you imagine what this means for the car theft industry, since cars themselves will actually become the next generation of so called ‘telecom devices’? I don’t want to write a future chapter of Freakonomics, but I wouldn’t be surprised by a future cause-and-effect created from the needed rise in education amongst car thieves.
In the same category of threat as subscription fraud, SIM cloning is where traditional SIM access is obtained using non-legitimate ways, typically from using hacking software that’s widely available on the internet. This access can then be used as an enabler to commit IRSF, roaming, or traffic pumping fraud.
It’s assumed that the mobile industry has underestimated the value of ‘identity’ and has done a poor job in protecting the real-world physical identity of connected devices and their users from the applications and services to which they are integrated. As an example, we’ve all heard stories that go outside the realm of ‘pure telecoms’ fraud, where members of organized crime obtain an individual’s bank details through a phishing email, or by purchasing personal information from organized crime networks who make this information available on the Dark Web. After opening an account at the same bank as their victim, the fraudster then reports to the service provider that their phone number has been stolen. They are then told that if they are able to answer a few basic security questions, the old SIM will be cancelled and a new one activated. From then on, they can commandeer their victim’s mobile account, intercepting or initiating calls, texts and authorizations, such as those used for cash transfers. They can also request that the phone’s security settings are changed, to stop the victim from gaining access to their stolen account. They can also complete cash transfers from a stranger’s account by accessing one-time pin codes and SMS notifications.
Another thing to keep in mind is that as the IoT grows and the use of e-SIMs explodes, many of these new e-SIM equipped devices are battery-based and one-time-use. They get activated and will work for a number of years – but then people will just throw them away. Think of the variety of devices with e-SIMs that will be disposable. If devices, such as an Apple Watch, end up in a dumpster or a recycling center, there’s a high risk of non-legal re-use, or recalibrating a device previously associated to a person’s identity. If not properly dis-associated from the original owner, the device and its ‘identity’ can remain active in the wrong hands.
But the news is not all bad. In the face of increasingly adaptive and creative data and identity theft methods, the e-Sim can enhance an integrated approach to security by merging the next generation of SIM and device capabilities towards what we call “multi-factor authentication” (MFA). This allows the addition of a second, or even third, factor to the pre-existing security tokens. For example, a unique characteristic or physical trait of the user, like a thumb or fingerprint.
- Something you know, e.g. a password or PIN
- Something you have, e.g. a token or smart card (two-factor authentication)
- Something you are, e.g. biometrics, such as a fingerprint (two- or three-factor authentication)
Because multi-factor authentication security requires multiple means of identification at login, it can be a step towards creating a more secure method for authenticating access to data and applications.
While the e-SIM plays an important role in improving the effectiveness of identity management, it also opens new doors to a fraudster’s creativity. While over-the-air provisioning of operator profiles and allowing all ecosystem participants to connect to an online service might improve usability and convenience, it also opens a door to hacking opportunities that deliver access to private information, trade secrets, and even personal data that can be exposed to a skilled network penetrator and used for fraudulent purposes.