You Don’t Need a “Silver Bullet”! – Business Case to Preventing SIM-swap Frauds
Often, we believe in deploying sophisticated technology to solve a problem. However, the solution may actually lie in the fundamentals, if you have the eye to look for it.
SIM Swap fraud has been costing the financial ecosystem a significant amount, affecting both consumers and financial institutions. According to the FBI’s IC3 Report, in the US alone, there were 1,075 reported incidents, resulting in losses totaling $48.7 million. Globally, the numbers are staggering, and many countries are still grappling with this fraud.
SIM-swap fraud emerged in the United Arab Emirates towards the end of 2014 and lasted until mid-2018. As one of the leading banks, we unfortunately encountered a couple of these incidents, resulting in substantial losses. The syndicate behind this fraud was well-organized, diligent, and sophisticated. I was quite amazed at the level of due diligence they conducted on their targets.
We worked closely with law enforcement agencies, conducted sting operations, and managed to arrest more than 20 syndicate members, but failed to reach the top layer. This incident will remain one of the handful of cases in my career where we weren’t able to apprehend the syndicate masterminds.
We formed a cross-functional working group with representatives from antifraud, information security, technology, business, and operations teams to address this challenge. We evaluated options to acquire solutions including voice biometrics, physical tokens to prevent such frauds from recurring. However, we realized that implementing new technology would take at least a few months, if not more, and we didn’t have that luxury since the frequency of fraud was high. It’s worth noting that this was in early 2015, and integrating new technologies wasn’t as sophisticated as it is today.
Realizing that we didn’t have many options, we decided to employ the best-known anti-fraud weapon: finding ways to make it harder for these criminals to commit fraud.
So, how did we approach it?
We began by addressing the fundamentals – breaking down the modus operandi layer by layer.
How Does SIM Swap Fraud Work?
Step 1: The fraudster obtains the bank account number and mobile number of the victim.
This information can be acquired through phishing, social engineering, the dark web, or online research. In some instances information had been obtained from victim’s bank itself.
Step 2: The fraudster manipulates the victim’s mobile operator by either impersonating the customer or bribing the mobile operator staff to issue a duplicate SIM on the customer’s number.
Step 3: The fraudster gains access to the victim’s phone number, enabling them to reset login credentials for email and online banking accounts, including MFA codes (OTP). Some banks may also require callers to answer basic security questions, such as the mother’s maiden name, date of birth, address, last transaction, or branch name, which the fraudster may already possess for resetting online banking credentials.
Step 4: The fraudster now has complete access to the victim’s bank accounts, enabling them to transfer funds, make purchases, or avail other financial facilities.
After documenting the modus operandi layer by layer, we began exploring the available controls. As a bank, preventing the theft of customer data was beyond our control. Similarly, we had no influence over the telco operators’ due diligence processes or behavior when issuing replacement SIM cards. In summary, we didn’t have control over steps 1 or 2.
The exploration process required us to look for controls in steps 3 and 4, which were within the bank’s control. We reviewed the information required from customers for enrolling or resetting the online banking process. It typically involved either requesting basic dynamic security questions or sending MFA codes via phone or email. Fraudsters sometimes even tricked or bribed bank staff into divulging some of this information. By now, we knew that these controls weren’t effective, as fraudsters had gained control over them.
So, we started asking ourselves: what is one set of information that only the customer would have and that wouldn’t be available in bank systems, social media, emails, or the dark web? After some brainstorming, we identified two data sets – the CVV number behind the card and the Debit Card PIN “PIN”. These two data sets were available in the bank’s system only in encrypted form. We decided to use the PIN as a single piece of data that only the customer would know. CVV numbers, in those days, could be seen by restaurant staff or during other purchases.
We began deliberating the pros and cons of using the PIN and its compliance with PCI and regulatory guidelines. After brainstorming and determining its suitability, we quickly moved on to implementation.
So, what steps did we take next?
We made process enhancements to the online banking enrollment and resetting process. Now, whenever a customer was required to enroll or reset their online banking credentials, we mandated entering the PIN on both the Call Center IVR and Online Banking platforms. Within a few weeks and almost negligible cost, we reengineered the process flow in our systems.
That was it— the frauds stopped! To this day, no SIM swap incidents have been reported since implementing this change.
One may counter-argue: what if the fraudsters socially engineered the PIN from the customers? The answer is yes, that is possible; however, there are a few things to take into consideration:
Fraudsters are extremely cautious about their Return on Investment (ROI). SIM swap fraud is a high-risk endeavor, and they typically expect higher rewards. It involves the risk of physically visiting telco operator premises, obtaining genuine-looking customer identification documents, employees mules, or bribing bank or telco staff. Hence, their targets are mostly high-balance accounts, including both bank accounts and wallets. Over the years, we’ve learned that customers with substantial account balances may usually share bank details and OTPs during social engineering schemes, but they typically refrain from sharing their PIN due to the perceived risk involved.
Even if a small percentage of customers ended up sharing their PIN, the risk would still be minimized, as the majority of potential victims would not share their PIN. Moreover, it adds another layer to the scheme. Now, the fraudsters would need to compromise at three levels instead of two: data gathering, compromising the telco operator, and persuading the customer as well. If customers sense something suspicious, they may become alert, leading to the fraudsters’ investments being wasted.
The idea was to make the task harder for fraudsters so that they would move on to other institutions that are easier to compromise. What could have taken months or even years was addressed within a few weeks by simplifying our focus on the fundamentals of this fraud scheme.
We shared our secret recipe with the banking fraternity; a few were quick to understand and implement similar controls, while others did it after trial and error and incurring some more losses.
In addition, as an industry, we worked together to implement additional mitigating controls, which took several months, but we ended up with the desired results. Through the UAE’s banking association, we reached out to Telecom Regulators to mandate the use of the UAE’s National ID cards for SIM registration and reissuance. The ‘Emirates ID’ is part of UAE’s Digital Public Infrastructure, equipped with security features such as chips and biometrics. The Telco Regulators understood our argument and supported it by mandating that telco operators must verify the Emirates ID card using the chip and fingerprint reader features. This mandate was the final nail in the coffin. It took some time for the telcos to mandate biometric verification, but now the replacement SIM issuance process is airtight.
Thankfully, SIM swap fraud is no longer a threat in the UAE due to robust preventive measures across the telecom and financial sectors.
Today, there are a handful of tech companies that offer solutions to prevent SIM swap fraud. The above case study can be a quick win if you’re short on time and budget. Sometimes small things can make a big difference!
Posted in: | AF Education |