SIM swapping is the latest category of fraud to hit the national headlines. At the beginning of the year, we saw a major UK bank fall victim to hackers deploying this kind of cyberattack. It occurs when security codes sent via text message are intercepted and used to authorise payments on behalf of the actual account holders. Gabriel Hopkins, Vice President of Fraud Product Management at FICO, explains how SIM swap works and what financial institutions can do to mitigate the risk.
When a credit or debit card transaction is deemed suspicious, banks send customers an SMS alert, asking them to confirm if the transaction was genuine. The customer simply needs to respond to the SMS to confirm this, without having to speak to an operator in a call centre. Due to its convenience, this has now become a very common method used by banks to beef up the security of customer transactions.
Unfortunately, there are vulnerabilities that allow SMS to be exploited by criminals. Both consumers and telecommunications providers have proved susceptible to social engineering. With enough personal information, fraudsters can impersonate a customer well enough to persuade the telco to move the customer's number onto a SIM they control. From that point on they receive the customer's calls and texts, including one-time passcodes, and can take over the bank account.
There are also weaknesses in the technology behind SMS. These lie primarily in a set of protocols dating from 1975, known as 'Signalling System No. 7' (SS7). SS7 allows network providers to exchange signalling data between themselves, for example to route calls and text messages to roaming subscribers, and is widely used for legitimate purposes. However, its age and its open nature, in that it trusts any party with access to the signalling network, mean it is vulnerable to abuse by fraudsters who obtain that access, for example by posing as a network provider.
Once they have that access, a customer's calls and messages can be diverted to a mobile phone of their choice without touching the SIM at all.
Whether the account has been taken over or the communications intercepted, the end result is the same: sending an SMS to a customer gives no guarantee that they have received it, or that a response has come from them.
Why it’s not yet time to abandon SMS
In light of the issues suffered at Metro Bank, other financial institutions may be reconsidering their use of SMS as an authentication method. However, doing away with it altogether may be unnecessary and could cause customer dissatisfaction in other areas.
FICO recently commissioned a survey across four European countries to gather consumer preferences around authentication methods. This matters because, under the second Payment Services Directive (PSD2), Strong Customer Authentication will be required for payment requests more often. Respondents were asked which method they prefer when making an online payment that prompts an additional layer of authentication.
In general, the survey results show that to create a satisfactory customer experience, financial institutions should offer a range of authentication methods to users.
However, looking at the league table of authentication methods (Fig 1), a passcode sent to a mobile phone by text message was the clear winner. In a competitive marketplace where customer experience is key, financial institutions cannot afford to ignore their users' preference.
Mitigate the risks of SMS-based authentication
Presuming that an SMS has reached the legitimate customer every time would be a mistake, given the weaknesses outlined above. However, it is possible to mitigate the risk of interception by using analytics to assess the behaviour of a customer and their devices before relying on the SMS channel.
By assessing data collected from the mobile device, the network provider and the customer's own behaviour, financial institutions can identify suspicious cases in real time and use other methods to authenticate those transactions. Useful data points include the date the customer last changed their phone number, password or email address; whether the telco reports a recent SIM change on the number; and any change in the way the customer connects, for example from where, at what time and how often. Analysed together, these signals reveal the anomalies that indicate fraud.
Once an anomaly is spotted, a transaction could be put on hold until the customer in question is able to verify their identity through another authentication channel – for example, biometric or email confirmation. This way, customers are protected without being forced to use a less convenient communication channel.
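The following is an added illustration of the risk check described above, not code from the original article or from FICO's products. It scores a pending SMS-code request against the signals the text lists (recent phone number, password, email and SIM changes; an unfamiliar device; an unusual country or time of day) and decides whether to send the SMS or hold the transaction for another channel. The weights, windows, threshold, field names and sample customer data are all assumptions constructed for the example; a real deployment would tune them from fraud outcomes.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative weights and windows (assumed, not a published model).
SIM_CHANGE_WINDOW = timedelta(days=7)
PHONE_CHANGE_WINDOW = timedelta(days=30)
CREDENTIAL_CHANGE_WINDOW = timedelta(days=7)
STEP_UP_THRESHOLD = 40


@dataclass(frozen=True)
class CustomerProfile:
    """What the bank already knows about the customer (field names are assumed)."""
    phone_changed_at: Optional[datetime]     # last change of the registered mobile number
    password_changed_at: Optional[datetime]
    email_changed_at: Optional[datetime]
    sim_changed_at: Optional[datetime]       # from a telco SIM-swap lookup, assumed available
    known_device_ids: frozenset
    usual_countries: frozenset
    usual_hours_utc: frozenset               # hours of day the customer normally transacts


@dataclass(frozen=True)
class OtpRequest:
    """Context of the transaction that would trigger an SMS passcode."""
    at: datetime
    device_id: str
    country: str


def changed_within(changed_at: Optional[datetime], now: datetime, window: timedelta) -> bool:
    """True if a change happened inside `window` before `now`.

    None means the attribute has never changed. A timestamp in the future
    (clock skew or bad data) is not treated as a recent change.
    """
    if changed_at is None:
        return False
    return timedelta(0) <= now - changed_at <= window


def assess_sms_risk(profile: CustomerProfile, req: OtpRequest):
    """Return (decision, score, reasons).

    decision is "sms" (safe to rely on the text message) or "step_up"
    (hold the transaction and verify through another channel).
    """
    score = 0
    reasons = []
    checks = [
        (changed_within(profile.sim_changed_at, req.at, SIM_CHANGE_WINDOW), 50, "sim_changed_recently"),
        (changed_within(profile.phone_changed_at, req.at, PHONE_CHANGE_WINDOW), 30, "phone_number_changed_recently"),
        (changed_within(profile.password_changed_at, req.at, CREDENTIAL_CHANGE_WINDOW), 15, "password_changed_recently"),
        (changed_within(profile.email_changed_at, req.at, CREDENTIAL_CHANGE_WINDOW), 15, "email_changed_recently"),
        (req.device_id not in profile.known_device_ids, 20, "unknown_device"),
        (req.country not in profile.usual_countries, 20, "unusual_country"),
        (req.at.hour not in profile.usual_hours_utc, 10, "unusual_hour"),
    ]
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "sms"
    return decision, score, reasons


# Constructed sample data for a customer who normally pays from one UK device by day.
NOW = datetime(2019, 3, 4, 10, 0, tzinfo=timezone.utc)
BASE_PROFILE = CustomerProfile(
    phone_changed_at=NOW - timedelta(days=400),
    password_changed_at=NOW - timedelta(days=90),
    email_changed_at=None,
    sim_changed_at=NOW - timedelta(days=600),
    known_device_ids=frozenset({"dev-a1"}),
    usual_countries=frozenset({"GB"}),
    usual_hours_utc=frozenset(range(7, 23)),
)


def example_cases():
    """Three constructed requests: routine, SIM swapped two days ago, late-night only."""
    routine = OtpRequest(NOW, "dev-a1", "GB")
    swapped_profile = replace(BASE_PROFILE, sim_changed_at=NOW - timedelta(days=2))
    from_new_device = OtpRequest(NOW, "dev-zz", "GB")
    late_night = OtpRequest(NOW.replace(hour=3), "dev-a1", "GB")
    return {
        "routine": assess_sms_risk(BASE_PROFILE, routine),
        "sim_swap": assess_sms_risk(swapped_profile, from_new_device),
        "late_night": assess_sms_risk(BASE_PROFILE, late_night),
    }


if __name__ == "__main__":
    for name, (decision, score, reasons) in example_cases().items():
        print(f"{name:10s} -> {decision:8s} score={score:3d} {reasons}")
```

The SIM-change signal carries the heaviest weight on purpose: a fresh SIM on a long-standing number is the one observation that distinguishes a SIM swap from an ordinary new phone, whereas a single odd hour or country on its own should not push a customer off their preferred channel.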
The growing SIM swapping problem needs addressing, but if banks are to keep customers happy then doing so should not come at the cost of convenience. Intelligent risk analysis is the way to make this possible.