SIM swap fraud has been termed a global threat to institutions and individuals in a recent survey.
In the survey by mobile technology specialist Myriad Connect, 90 per cent of Kenya’s banking leaders have admitted that SIM swap fraud is a threatening issue for their organisations.
The firm states that over 25% of the respondents in the survey (individuals and institutions) had been victims of SIM swap fraud.
“SIM swap fraud is not limited to Africa. It is a growing global issue affecting even some of the most sophisticated technologies in the world,” says Willie Kanyeki, Myriad Connect Director Business Development – Africa.
In South Africa, the South African Banking Risk Information Centre (SABRIC) reported that the incidence of SIM swap fraud has more than doubled in the past year.
In the US, entrepreneur Michael Terpin is suing AT&T over an alleged SIM swap that resulted in millions of dollars’ worth of cryptocurrency tokens being stolen from his account.
In another incident, e-sports star Yiliang ‘Doublelift’ Peng said he lost $200,000 (Ksh20 million) in cryptocurrency in a SIM swap attack.
“A SIM swap, in which criminals manage to get a replacement SIM for a mobile number that does not belong to them, allows the new SIM to supersede the existing one, and gives criminals access to the legitimate user’s information and accounts,” says Kanyeki.
This compromises the victim’s online banking, cryptocurrency or digital financial service accounts and gives SIM swap fraudsters access to all the victim’s online accounts, including email and all social media accounts.
In addition to financial losses, this presents the risk of reputational damage and the exposure of sensitive data, and once fraudsters control a user’s accounts, regaining control of them can be complex.
In the past, the market’s response to the threat of digital transaction fraud has been to introduce authentication measures to protect transactions – often in the form of a one-time-password (OTP) over SMS.
Recent research among leading financial services Chief Information Officers (CIOs) in Kenya found that 87% of financial services providers deploy OTP via SMS to protect transactions. Consumer research indicates that 71% of consumers have used services that use OTP via SMS to authenticate financial service transactions.
“OTP via SMS has long been considered a vulnerable channel for authenticating financial services transactions, as it does not meet strict security standards,” says Willie.
In 2016 the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap.
It poses a challenge to providers using the service, as there is no audit trail, opening a door to large scale fraud through a single point of failure.
“This mode of authentication is vulnerable to SIM swap fraud and many other forms of attack. It can also be vulnerable to man-in-the-middle attacks, SMS can be intercepted, mobile networks can be hacked to receive the OTP SMSes, and call forwarding can be used to divert the OTP SMSes to a fraudster’s phone. Clearly, OTP via SMS is simply not secure enough to protect financial service transactions,” adds Kanyeki.