Today carriers are inundated with SIM swap fraud and are struggling to address consumer attacks in a timely manner.  In 2012, carriers saw a significant increase in SIM swap fraud that utilized number porting.  At that time fraud was focused on device take over for use of the phone capabilities. In 2017 there was another significant increase in fraud.  This spike was due to fraudsters' focus on monetary gain and correlated with the surge in bitcoin value.  Bitcoin is highly coveted by cybercriminals and is notoriously used for illicit activities and money laundering on the darknet.  The fraud will continue as long as there is monetary gain.

What are Service Providers doing to protect your mobile identity? 

Many Service Providers have introduced the concept of a porting pin to prevent porting fraud. This PIN must be provided before the Service Provider will allow a port to occur.  This approach has significantly decreased porting fraud but has yet to eliminate the problem.  Not all service providers have implemented the porting PIN and it does not work in all cases.   

To avoid putting their customers at risk of personal accounts getting compromised and financial loss, mobile carriers need to be attentive in their authentication practices. 

What action is the FCC taking to protect your mobile identity? 

The FCC’s issued a notice of proposed rulemaking related to protecting consumers from SIM Swap and Port-Out Fraud requiring phone carriers to authenticate customer’s identity before transferring their number to a new phone. For example, having customers authenticate their identity by offering a pre-established password or getting a one-time password sent via text message, email or phone call.  Carriers will also have to immediately notify customers if a SIM change request is made on their account.  

If customers cannot authenticate their accounts, the provider will not be able to SIM swap phones via these methods. Phone carriers will also have to give customers a “port-freeze” option on their accounts that does not allow for any SIM Swapping.

To date, there is no industry-wide solution

The concept of “port locking” has been discussed in industry forums as early as 2003 and as recently as 2019.  However, this is not a direction being considered today.  

What can you do to protect yourself?

Consumers can log on to the FTC’s  identitytheft.gov website to report theft and learn how to protect themselves. A few immediate actions you can take include: 

• Pay attention to your bill - if you notice anything peculiar, contact your phone company
• Protect your account with a PIN - without this password, your account cannot be accessed. 
• Be on the alert for Phishing Scams - never give financial or other information to unexpected callers. If you’re concerned about an account issue, call the company back and make sure you use a known phone number. 

As victims are experiencing the costs, no consensus has yet been reached on an implementation approach for carriers much less consumers.  If you are a victim, Identitytheft.gov provides resources including step-by-step instructions to guide victims through the recovery process. 

Get insights into what happens when fraudsters steal your mobile identity by reading our Mobile Identity Nightmare - Attack blog. 

Now that Bob knows he has been attacked, how does he attempt to recover his identity?

Recovery from the Attack

• Bob begins by trying to reach customer support centers at his financial institutions, but couldn’t reach anyone who could help.
• He could find no way to quickly reach anyone at Google support after hours via phone or email.
• Initially, the wireless carrier customer service center was unable to help.  Being telecom savvy, Bob was persistent in escalating to get to someone who could help. 
• Bob had an extra SIM card in the office that he could use to move his number back to his own mobile device.
• It took Bob over an hour to regain control of his phone number working with his backup SIM card.
• Bob lost control of Gmail for over 2 hours before he was able to get Google to shut down his account. 
• Unfortunately, hacked Gmail accounts are considered poisoned by Google, and can not be recovered.  With no backup, Bob lost years of emails and pictures of his family due to the incident.

The Damage is Done

While the average person may not be aware of SIM swap fraud, much less how to prevent it, Bob was fortunate in that his knowledge allowed him to quickly regain his phone number and limit his damages.  He lost his Gmail account but had no financial loss and was not personally attacked.  Bob is not alone.  Attacks occur every day around the world.  

What is being done about this?

What happens when fraudsters steal your mobile identity by committing Porting or SIM swap fraud?  The following is a true real-life example of SIM swap fraud.  This attack happened to “Bob”, a key employee of a security and risk prevention company.   

The Fraudster Attacks

• The fraudster initiated a swap of Bob’s mobile phone number to a different phone/SIM.
• Bob had a pin code on his account to presumably prevent any activity with his mobile number but the wireless carrier allowed a one-time exception. 
• The swap was completed on a Friday night just before retail customer service centers closed allowing the fraudster more time to exploit Bob’s identity before he became aware. 
• Once in control of the mobile phone number, the fraudster reset Bob’s Gmail password to gain full access utilizing two-factor authentication involving a text message sent to the mobile phone.
• The fraudster reset not only the Gmail password but the mobile phone number associated with the account to a different phone number, locking anyone else out of the account. 
• With access to Bob’s Gmail the fraudster quickly data-mined the email for banking information (e.g., US Bank, Wells Fargo, Paypal, Coinbase, etc.)
• Using Bob’s email as the username to target banking and bitcoin accounts, the fraudster systematically attacked for password resets via two-factor authentication.

The Fraud is Discovered

Bob realizes he has been attacked when he can’t use his phone to make a call.  Then he realizes he can’t access his email.

How does he recover? 

Read our next blog “Mobile Identity Nightmare - Response”

Phone numbers are used for more than reaching someone via voice or text, they are increasingly used to validate a subscriber's identity for account access.  Fraudsters have recognized this and are exploiting the increasing use of mobile phone numbers for identity.  

Criminals are utilizing number portability and SIM swap fraud to take control of a consumer’s phone to gain access to their personal and financial information. 

Today, these fraudsters use a variety of approaches including asking “their” wireless provider to replace a “lost” phone.  It is also relatively easy with some knowledge of the subscriber's personal information to port the phone number to a new account and be issued a phone with a new SIM.

These fraudsters, once in possession of the new phone, work quickly to invade websites and bank accounts, in most cases utilizing two-factor authentication, to steal credentials and capture one-time links, authentication codes, and passwords sent via text.  Once identity is verified, the criminals go after personal and financial information.  While mobile phones are primarily the target, wireline phones are not immune from attack. 

SIM Swap and Porting fraud are on the rise with damages to individuals, banks, and corporations worldwide.  

What does an attack look like? 

Read our next blog “Mobile Identity Nightmare - Attack”

The telecom industry has been slow to change, and now several forces have come together to reshape the industry in a profound manner. As communications service providers navigate these shifts and use the changes to create a competitive advantage, competition between providers becomes increasingly turbulent.  

The industry has generated a need for customer-focused services and greater productivity. Shifts in industry structure are now based on offering new value and ensuring that communication and content services become digital. Let’s take a look into a few trends that are reshaping and changing the Telecom landscape. 

• 5G Network: 5G is already being used in transportation, education, and healthcare environments. As our wireless networks become more critical due to higher dependency by people, many telecom companies turn to and are investing in 5G as a way to provide the public with the most effective network. 
• Cloud Computing: Cloud computing is helping telecom companies thrive and provide better services in this shifting landscape by ensuring high scalability, helping to guarantee resilience, and offering quick disaster recovery. Investing in infrastructure to provide more cloud-based applications and sustaining them is something every Telecom company should be investing in to ensure relevancy. 
• Big Data: Big Data helps Telecom companies increase profits and it’s potential is significant in terms of helping to win clients. Only 20% of telecom companies have been deploying big data. Those early adaptors are reaping the benefits of turning data into profitable insights. Big Data projects can be launched in sales and marketing, customer care, competitive intelligence, and network and supply chain optimisation. If you need a competitive advantage - look no further than launching a Big Data project. 
• Internet of things: IoT helps providers of services to provide more excellent means of communication between devices and individuals. IoT is pushing change and helping to create smooth business processes, increased revenue, and defining greater efficiencies. As we continue to understand the need for fast and stable connectivity as Internet-connected devices become more prevalent  and gain more insights into how IoT makes it possible for telecom suppliers to track the different communications bases remotely - we must continue to explore new ways of using the Internet of Things and stay ahead of the game. 

Launching new solutions, adapting existing business models, and network infrastructure upgrades are inevitable for telecommunication companies interested in staying viable and growth-driven in the post-pandemic environment.

The landscape is changing and it is changing fast. Make sure your company is growing with it. 

The explosive growth in digital engagement has also led to an undesirable outcome: a sharp increase in cyber fraud. Identity fraud—derived on the back of credentials stolen through a massive number of phishing attacks—has gone up significantly compared to previous years. SIM swaps and account takeovers are now more common than ever before.

• 20% increase in account takeover incidents in financial service in 2020 from previous year
• $56 Billion in financial losses due to identity fraud in the US in 2020
• $436 Million in fraud losses reported in the US where the contact method used by scammers was a phone call
• 4X rise in number of SIM swap fraud cases in the UK during the last five years 

To support our customer's efforts to protect their customers, 10x People is adding support for identity verification for account takeover protection including support for GSMA Mobile Connect. GSMA Mobile connect allows Digital Service Providers (DSP) to match the phone number entered by the user with the device accessing the DSP portal.  Mobile Connect has been launched by more than 70 operators around the world.

In addition, 10x People is extending the GSMA Mobile Connect API so that additional information can be supplied to further validate the customer for fraud risk or trust scoring that is leveraged by financial organizations.  

10x People hates cyber fraud just as much as you do.  We can help you protect your customers.  

Contact us at info@10xpeople.com to learn more. 

Sources:  Kaspersky, US FTC, Javelin Strategy & Research, Action Fraud