Combating SIM card fraud with biometrics
By Robert Mungovan
This article first appeared on ITWeb.
SIM cards are a vital component of modern-day mobile telecommunications. They not only grant users access to a mobile service, but also allow governments to accurately identify the owner of a mobile device, including who is making phone calls, sending messages, or making financial transactions. Unfortunately, the process for registering SIM cards is increasingly prone to fraud, with Africa in the spotlight as one of the world’s telecom fraud hubs, losing an estimated 2.2 billion ZAR every year.
While SIM card fraud is nothing new, it dramatically worsened in the wake of the COVID-19 pandemic. People are conducting activities from their phones at unprecedented volumes, and scammers are taking full advantage of this increased usage. With more access to online transactions at our fingertips comes more access to users’ personal information, and the margin of vulnerability widens accordingly. The sophisticated fraudster is not selective about what information they target, and we’ve seen this play out with fraudulently acquired SIM cards granting them access to even users’ most secure accounts.
Legacy methods to authenticate mobile phone users, such as passwords, are not strong enough to prevent these valuable phone components from falling into the wrong hands. To combat these trends, the SIM card registration and authentication process must be strengthened, and a new biometrically based solution would help achieve the goal of truly eliminating SIM card fraud.
Understanding Current Market Challenges
It is anticipated that by 2025, there will be at least 5.9 billion mobile subscribers accounting for 71% of the world’s population. Major South African telecommunications providers, such as Vodacom, MTN, Cell C, Telkom and MVNO, are seeing their subscriber bases increase rapidly, and as the world deals with the fallout of the current pandemic, network traffic and data have been rising as well. With SIM cards forming the backbone of all of this activity, it’s critical that access to them is secure.
While many African countries, notably South Africa, are very well suited to handle mobile activity at this rate, the process used by mobile network companies in the area to register and authenticate SIM card holders is unfortunately prone to fraud and varies very little between providers. As COVID-19 continues to keep people in their homes, hackers have ramped up their SIM card-focused social engineering attacks.
One process, called the SIM card swap, involves gathering just enough personal information to call a mobile network provider, impersonate the victim, claim to have lost the SIM card and ask for a new one. Once the swap is completed, the fraudster can use their own phone to access the victim’s personal and financial accounts, leading to massive financial losses for the victim and presenting a significant challenge as the victim attempts to restore their identity. In addition, some fraudsters try a more direct approach of bribing employees to gain access to a SIM card in another person’s name. While risky, this approach is a common one, both over the phone with a mobile network call center employee, and in person at a local branch.
On the whole, the authentication processes used have not evolved to support the more secure options that are available. The local network providers continue to rely upon dated security methods, such as knowledge of basic and easily obtained personal information. Should a person want to switch to a provider with stricter security methods, they will likely find themselves without a suitable alternative.
Local telecommunications providers have also been resistant to strengthening their procedures. While identity theft and SIM card fraud can certainly result in a negative reputational impact, the costs associated with these fraudulent acts typically are covered by the end user, and do not impact the company’s bottom line. Nevertheless, with such significant losses resulting from this fraud, and a trend line going in the wrong direction, the time to strengthen the SIM card registration and authentication process is now.
Current Approaches to SIM Card Registration
The existing process for registering a new SIM card traditionally takes place in person. A user interested in signing up for a new phone or mobile device must travel to a local branch and complete the process with a company representative. During this process, the user will provide his/her personal information, which the provider will then keep on file. From this point forward, that person’s personal information will stay tied to that respective SIM card.
Replacing a SIM card, however, can be handled via call center with a designated representative. A person in need of a new SIM card can call up their network provider, provide answers to a few authentication questions, and get a new card sent to them quickly. Once received, they can then access their personal accounts and resume transactions through the chosen device.
The problems with these methods are three-fold.
1. They are fraud-prone. The answers to typical authentication questions used to prove a person’s identity are very easy to steal or discover; a person’s email address or phone number typically suffices, and there are no built-in safeguards to protect against situations involving bribery.
2. Current SIM card registration and authentication methods are inconvenient, particularly if they involve visits to a local office or branch. As COVID-19 keeps people away from public places, visiting a branch to register a SIM card is typically low on the priority list.
3. They are expensive. Maintaining call centers and in-person branches for registration and subsequent authorization is expensive for providers, not to mention the costs incurred by fraud victims. Any suitable replacement method would be well served by addressing these high costs.
All told, for the SIM card registration and replacement processes to be beneficial to all parties—companies and customers—they will need to be far more secure, more convenient for users, and more cost effective for providers.
Leveraging Biometrics to Address SIM Card Fraud
SIM card fraud can be addressed by biometrics. Biometrics use something you are, such as your face, voice or iris, instead of something you know, like a password, to grant access to sensitive information and secure accounts. Biometrics can’t be stolen by fraudsters who socially engineer their victims to gain access to their accounts, and typically can’t be “spoofed” by impersonators using masks, photos and the like. They are a fast, convenient and flexible alternative to traditional authentication methods, and can be used to register new users in a more convenient manner as well.
Telecommunication and mobile network providers that consider biometrics will have to take a couple of factors into consideration before determining what solution may be most appropriate. The following criteria are recommended when deciding whether biometrics are the right option for them:
Security:
Security is paramount to keeping user and account information safe. In these uncertain times, there are fraudsters who look to gather information for financial gain. Modern biometric technologies address this by verifying the identities of people using the unique characteristics of their faces, voices or irises, which can be used to strongly bind an identity to the SIM card. Additionally, modern liveness detection techniques can ensure that the person attempting access is a real, living person, thus eliminating the possibility of fraud through a presentation attack, that is, the use of an image or a recording of a biometric to spoof the system.
Convenience:
Users want to register and replace their SIM cards quickly and with as little friction as possible. Spending a long time traveling to and waiting in a retail outlet is frustrating, and the problem has been exacerbated during the COVID-19 pandemic. Calling and speaking with a phone representative to answer authentication questions is less than ideal as well. Biometrics solve these problems by performing highly secure enrollment and passwordless authentication through a mobile device, using the camera and microphone built into it. These onboard mobile sensors enable rapid customer onboarding and secure authentication without the need for questions, passwords or other less secure techniques. They can also eliminate the need for in-person visits to retail outlets.
Cost Reduction:
By removing the need for in-person registration, implementing biometrics can also be cost effective for telcos and mobile network providers, who no longer need to staff their local branches for this process. Adoption of biometric-focused onboarding and authentication can also eliminate or reduce the need for maintaining expensive local branches for SIM card registration.
Flexibility:
Any mobile biometrics solution should be prepared to handle the various and changing network conditions and devices used in a particular region. Unreliable network coverage can create problems for network-dependent authentication solutions, and loading biometric software functionality entirely on a person’s device can consume device resources. For biometric software to play a role in addressing SIM card fraud, it will need to be flexible enough to offer several configurations for users, including on-device, on-server, web browser-based and device-agnostic options.
A Mobile Biometric Authentication Solution for the SIM Card Market
It is safe to say that SIM card fraud has become a difficult and expensive problem, and one that has been exacerbated by COVID-19. With more people using their phones to access banking services, shop online and work remotely, it’s clear more needs to be done to protect people from socially engineered attacks and subsequent SIM card-related identity theft.
Current SIM card registration and authentication procedures have done little to combat these trends. They continue to rely on fraud-prone, inconvenient, and expensive methodologies. Through the cameras and microphones available on virtually any mobile device, biometrics can be easily integrated into virtually any authentication scenario and can ensure that those registering for and subsequently accessing their SIM cards are truly who they say they are.
For SIM card fraud to become a thing of the past, local providers should seriously consider biometrics as a secure, convenient, cost-effective method to combat the problem. To protect their users and their reputations, mobile network operators in Africa and other regions would be well served to consider biometrics as a way to secure their SIM card registrations and replacement procedures.
Robert M. Mungovan has over 20 years of experience with Aware. Prior to his current role as Chief Commercial Officer, Mr. Mungovan served as Aware’s Vice President of Biometrics and as the Sales and Marketing Manager of Biometrics and Imaging. Before joining Aware, Mr. Mungovan held positions in several small companies whose focus was digital imaging and machine vision. His passion for working with customers led him on a gradual path from engineering to sales.
Mr. Mungovan’s first responsibility at Aware was to sell and market an Aware-developed technology for fingerprint image processing. From that initial responsibility he has played an instrumental role in the establishment of Aware as a premier standalone American biometric product company. Mr. Mungovan received his Master’s degree in Business Administration from Boston College, his Master’s degree in Engineering from Worcester Polytechnic Institute, and his Bachelor’s degree in Physics from Boston College.