Financial institutions need a secure identity verification system that guarantees the identity of the person on the other side of their smartphone making a transaction.
Our Caller ID spoofing, one of the most sophisticated frauds of the moment, proves the weakness of verification SMS against the cybercrime advance
Since the development of digital technology, wireless communication and artificial intelligence made it smart, the mobile phone has become so useful that it is already a staple object. More than 5.22 billion people, that is, 66.6% of the world’s population uses at least one mobile phone, according to the latest annual report from We Are Social and Hootsuite on digital trends. By becoming so widely used, our smartphones also become a source of risk. In them we keep a lot of private information and we “centralise” many equally sensitive activities, such as online purchases, bank transfers and those SMS authentication that we do for these two. Consequently, this privileged use of our smartphones has stimulated the most sophisticated cybercrime.
Recent alerts point to the rise of SIM swapping. By “social engineering” (ie, cheating or psychological manipulation of individuals and companies), the scammer “duplicates” our phone number and gains access to endless data, apps and personal operations. Deep down, SIM swapping is part of a larger scam that leads to the theft of other personal data and information, as Carlos Vico, lieutenant of the Civil Guard technological crimes group, explained in a statement for the newspaper El País.
How does this cyber attack work? By phishing, the dark web or other methods such as fraudulent calls, the scammer obtains enough personal information to impersonate us, deceive our telephone company and request a duplicate of our SIM card, claiming its loss, theft or breakage. Sometimes, the duplicate is obtained even by bribes to employees of the telephone operator or by the misuse of the network. Once the duplicate is obtained, the genuine SIM card of the victim is deactivated. Meanwhile, the scammer installs the copy on a device under his/her control and the show starts here. With the SIM card available, the scammer receives and circumvents all SMS authentication and verification sent to the spoofed number. And thus, with them, and together with the personal information obtained, he/she can change the passwords of our digital profiles, create and authenticate new ones, authorise online purchases on our behalf or execute bank transactions with our accounts.
Allison Nixon, an American expert in cybersecurity, has explained to many media in her country that the problem lies in the confident use of the telephone number as an identity authenticator. SMS and automated confirmation calls offer a very practical, simple and immediate verification, generating a very beneficial user experience for both clients and companies. However, SIM swapping has shown that it is an “Achilles heel” for two-factor authentication (2FA) processes, as Bruce Schneier, an expert in technological security, had already been warning since 2015.
Actress Jessica Alba and other Internet celebrities such as Shane Dawson or Amanda Cerny have been victims of SIM swapping. Jack Dorsey, Twitter CEO, has also suffered from this cyberattack. In these cases, the hackers accessed private communications or posted offensive messages on their social networks. However, any unknown person can also suffer it, and with very different consequences. This is the case of Otto Más, a Spanish philologist who had 1,300 euros extracted from his account in September 2019. Or Gregg Bennett, an American businessman who in April 2019 lost 100 bitcoins worth half a million dollars.
Many experts point out that SIM swapping is a very organised strategy and difficult to dismantle, especially because of the social engineering that scammers know how to handle. For citizens, the solution is to protect ourselves with certain habits, such as not providing personal information in unexpected and suspicious calls, even if they seem to know about us or say they come from our immediate circle. The most obvious sign of suffering SIM swapping is an inexplicable loss of signal and coverage on our mobile phone; at that point, the scammer may have already duplicated your SIM card.
However, companies and organisations, also responsible for the cybersecurity of their customers and users, have to opt for the most qualified tools and services to verify identity accurately, as many of their products, services, processes and communications, like requesting a new SIM, are moved to the web and smartphones. To prevent and detect fraud through SIM swapping, companies must strengthen their Know Your Costumer (KYC) policies. It is about organisations collecting all kinds of information about the client in their onboarding process (registration process in which the user is welcomed by the organisation). These records allow to know the new client in depth, being able to later consult with him all that information as a verification method. But not only that; it’s also about creating a profile and tracking your behavior as you trade with the company. Thus, the moment a scammer provides information that does not match the records, or requests a digital transaction that is unusual for the owner, the company will block the customer’s services to prevent possible fraud.
It is then that companies can interpose stricter security controls than SMS verification, in order to restore confidence in the customer and in their digital demand. The most widely used options today are fingerprints or face biometric recognition, or confirmations through unique digital certificates that can only be installed on one device and that, therefore, can only be possessed by the real client on their Smartphone or computer.
For cases where a high or very high level of security is required for the transaction, companies can opt for “video identification”, currently the stronger identity verification method available.
Indeed, “video identification” (or videoID® for short) is the perfect checkmate against SIM swapping, and is equally useful both for issuing duplicate SIM cards and for verifying online contracting operations with telephone operators or telecos. Through a video call, this solution recreates the usual physical and face-to-face verification. It is even more reliable than the traditional method and in just three minutes, the “video identification” applies simultaneously and immediately various security controls, both technological and human, which allows to detect phishing instantly and achieve virtual verification more reliable than in a physical or face-to-face situation.
In the first place, it is a video call that records the user’s voice, face, live behavior, some of his/her official identity documents and the exact time and place where he/she is during the video call; too much evidence to deter scammers. In addition, algorithms against deep fake will alert the company to manipulated video calls. Next, the videoID solves the failures that may arise due to human error or the incompetence of those employees who do not really know how to authenticate a Spanish ID Card. In the “video identification”, the identity card shown to the camera will be double analysed to reassure its validity: by means of a scan with artificial intelligence (AI) and by the supervision of a “video agent” qualified in identity fraud and trained with police techniques. The same analysis will be carried out when the picture in the card is compared with the user’s face seen on the screen: an intelligent biometric analysis and the “video agent” itself will examine that the images match and that the person accredited by the card is the same as the one that appears in the video call. Without the need to be in offices or branches and without losing human judgment, the company solidly verifies the client and activates the transaction with all the guarantees and registered evidence.
Another additional solution resides in creating agreements between mobile network operators and Trusted Electronic Service Providers (TSPs) that make SIM-related transactions secure. By pooling customer data, from his/her behavior and the device where his/her SIM is stored, any verification obtains enough “intelligence” and sophistication to confirm that the user is who he/she says he/she is. Therefore, if the SIM card duplicate is requested in a store very far from the holder’s home, or if very sudden jumps arise in the geolocation of the SIM card, then companies may find themselves facing possible fraud.
The gist is to create strong electronic identities whose verification does not depend on an SMS, but on various systematic state-of-the-art checks that combine reliability and usability. Currently, technology and digital solutions of TSP like Branddocs are the most advanced alternative to stamp out fraud, integrate “video-identification” in companies and guarantee a digital life with total transparency, confidence and comfort.
- Informe Digital 2021
- Ingeniería social: técnicas utilizadas por los ciberdelincuentes y cómo protegerse. INCIBE. 05/09/2019
- El timo de la SIM duplicada: si su teléfono hace cosas raras, revise la cuenta bancaria. El País. 03/06/2019
- Alerta por una nueva estafa: si tu móvil se queda sin cobertura, podrían haber duplicado tu tarjeta SIM para robar tus datos. La Sexta. 03/06/2019
- LinkedIn Profile of the American Cybersecurity Expert Allison Nixon.
- ‘SIM-Swap’ Scams Expose Risks Of Using Phones For Secondary I.D. NPR. 25/10/2019
- SS7 Phone-Switch Flaw Enabled Surveillance. Schneier on Security blog. 21/08/2015
- Twitter Profile of the technology security expert Bruce Schneier.
- Preventing SIM swap fraud — how GlobalGateway MobileID checks can protect customers. Trulioo. 22/12/2020
- Hackers Hit Twitter C.E.O. Jack Dorsey in a ‘SIM Swap.’ You’re at Risk, Too. The New York Times. 05/09/2019
- Qué es y qué puedes hacer para evitar el ‘SIM swapping’, el ciberataque que causa estragos y que permite vaciar cuentas bancarias. Xataka. 04/10/2020
- Twitter Thread of Otto Más on his SIM swapping attack.
- “Duplicaron mi SIM y me robaron 1.300€”: el fraude del ‘SIM swapping’ vuelve a España. El Confidencial. 10/09/2019
- Tarjetas SIM y redes sociales en mira de ‘hackers’ en Latinoamérica para 2020. Diario Libre. 19/11/2019
- Demonstration Video of a telephone fraud by INCIBE.
- FAQs on electronic trust services by the Ministry of Economic Affairs and Digital Transformation.
- Legal Text of the United States of America Congress on the Improving Digital Identity Act of 2020.
- Warning about SIM swapping and how you could become a victim. ABC News.