Mobile technology company Myriad Connect has launched a service to counter the growing threat of SIM-swop fraud.
When a customer lets the operator know their SIM card is damaged, lost or stolen, the current SIM is deactivated and a new one is issued.
But criminal groups and insiders at financial organisations and network operators work together to gather personal data and then pose as contract owners to secure a new SIM. Once activated by the fraudster, they are able to access bank accounts and other sensitive data authenticated through the SIM.
Myriad Connect’s service can help to reduce SIM-swop by providing a realtime check on the SIM, which cannot be tampered with via compromised third parties within an operator or bank.
Using USSD (Unstructured Supplementary Service Data) authentication, no persistent data is held with any third party. This provides a more secure service than current two-factor authentication services, for example using SMS, where data is stored and therefore vulnerable to being intercepted.
A clear audit trail is also established, where the user’s identity is verified by a party external to the transaction.
“Even the National Institute of Standards and Technology in the US has identified that SMS is a risk,” explains Paul Kingsbury, vice-president: business development at Myriad Connect. “It is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM-Swap. It poses a challenge for operators as there is no audit trail, opening a door to large scale fraud through a single point of failure.
“The threat from SIM-swop is greatest in regions where mobile banking penetration is highest,” he adds. “Whereas in the UK the typical amount stolen is in the low thousands of pounds, in South Africa there have been a few cases of millions of rand going missing.
“The challenge for banks and operators is how to protect customers not only from criminal gangs, but often invisible, compromised staff.”