by Mark Clancy
Did you hear the one where a social media account, corporate email account, cryptocurrency wallet, or bank account got stolen, even though the customer had two-step authentication over text message turned on?
SIM swap fraud is on the rise - The Guardian
This happens when the bad guys impersonate the customer with their mobile carrier and perform a malicious SIM swap -- or get the phone number ported out of the carrier to an account owned by the fraudster.
SIM swap fraud that leads to an account takeover is actually the same problem twice. The root cause is that nobody truly confirms what the customer intends, because there is no strong authorization tied to each specific transaction:
It occurs first at the mobile carrier, which has no strong authorization step to confirm that the customer actually intends to receive a new SIM or to port out their line.
It occurs a second time at the downstream institution (the bank, exchange, or email provider) that relies on SMS text-based authentication, which then serves as a weak stand-in for authorization of the transaction.
The weakness is the assumption that whoever holds the PIN must have wanted this transaction. An SMS PIN only proves that someone can read that phone number's messages at that moment; it says nothing about which action they consent to. The details of the transaction were never part of the explicit approval: you authenticated with a password, you gave back the PIN we sent, so we implicitly assume this must be what you wanted.
The Bottom of the Lake Scenario
The way the fraudster accomplishes this theft is to socially engineer staff at the mobile carrier to gain access to the victim's account. The fraudster calls customer service saying “I lost my phone at the bottom of the lake and I need a new SIM card to put in my old phone.” They pose as the victim using a combination of personal information, answers to security questions, and account details gathered from phishing emails, texts or phone calls to the customer, or from earlier data breaches.
A common social engineering approach is to trigger a PIN text to the victim's own phone and then call the victim. “Hi, this is Mark from the XYZ carrier fraud department. There is a problem with your account so we just sent you a one time code to verify your identity. Can you please read it to me?”
Since the PIN carries no information about the transaction it authorizes, the customer has no way of knowing what they are approving by reading it out. Armed with the PIN and the account information, the fraudster completes the transaction as if they were the real customer.
What are the characteristics of a good SIM swap fraud prevention solution?
The best way to defend against SIM swap fraud is to add strong authorization to the transaction. This authorization should include details about the specific transaction. In addition, the ideal solution should:
Include tight identity binding between the end-customer and the authorization of the transaction.
Not rely solely on personal data to validate identities.
Integrate identity document scanning and liveness testing as part of the identity verification.
Notify customers before the transaction is executed, sending them its details to confirm, so that a customer who never initiated the transaction can refuse it.
Execute an explicit authorization of the specific transaction, not just repeated re-authentication at each new step in the process. This keeps the customer informed of the context and ensures that the transaction executed is the one that was approved.
Have a process to re-establish the identity of a customer when their phone really is at the bottom of the lake.
Use the same process and tools in all channels. That is, it should work the same way on the phone, in the store, on the web, or in chat sessions.
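The contrast between a contextless SMS PIN and a transaction-bound authorization code, as an added example that is not part of the original post and not Authoriti's code: the legacy server remembers only the PIN and its expiry, so a PIN phished out of the victim in the scenario above verifies for any transaction, while the bound code is computed over the exact, canonically encoded transaction details plus a time window, so a code produced for one transaction fails for a port-out, for a different ICCID, or after two windows. For the sake of a standard-library-only example the device key is a shared HMAC secret (constructed here); in a real deployment it would be an asymmetric key held in the phone's secure hardware, which is what the "identity binding" and "signature" language in this article refers to. Phone numbers, ICCIDs, carrier names and the code format are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: the per-device secret established once at
# enrollment (the identity-binding step). HMAC with a shared secret stands in
# for a device-held private key so the example runs with the standard library.
DEVICE_SECRET = bytes.fromhex(
    "4f1c2a9b7e5d3c1a8b6f0e2d4c7a9b1e3f5d7c9a1b3e5f7d9c1a3b5e7f9d1c3a"
)
STEP_SECONDS = 120  # validity window of a code; assumed value


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so device and server hash exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def describe(tx: dict) -> str:
    """Text shown to the customer on the device: the exact transaction being approved."""
    return "; ".join(f"{k}={v}" for k, v in sorted(tx.items()))


def truncate(digest: bytes, digits: int) -> str:
    """Dynamic truncation in the style of RFC 4226 (HOTP) into a numeric code."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


class LegacySmsPin:
    """Contextless one-time PIN: the server stores only the PIN and its expiry."""

    def __init__(self):
        self.pending = {}  # phone_number -> (pin, expires_at)

    def send(self, phone_number: str, now: float) -> str:
        pin = str(secrets.randbelow(10**6)).zfill(6)
        self.pending[phone_number] = (pin, now + STEP_SECONDS)
        return pin  # the SMS carries digits only, no transaction details

    def verify(self, phone_number: str, pin: str, tx: dict, now: float) -> bool:
        entry = self.pending.get(phone_number)
        if entry is None:
            return False
        expected, expires_at = entry
        # 'tx' is never consulted: whoever holds the PIN can attach it to any transaction.
        return now <= expires_at and hmac.compare_digest(expected, pin)


def bound_code(secret: bytes, tx: dict, now: float, step: int = 0) -> str:
    """Authorization code over the exact transaction details plus a time window."""
    window = int(now // STEP_SECONDS) - step
    msg = canonical(tx) + b"|" + window.to_bytes(8, "big")
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)


def verify_bound(secret: bytes, tx: dict, code: str, now: float) -> bool:
    """Accept the code only for this transaction, in the current or previous window."""
    return any(
        hmac.compare_digest(bound_code(secret, tx, now, step), code)
        for step in (0, 1)
    )


def demo(now: float = None) -> dict:
    """Replay the bottom-of-the-lake scenario against both schemes."""
    now = time.time() if now is None else now
    line = "+15550100"  # constructed
    sim_swap = {"action": "sim_replacement", "line": line, "new_iccid": "8901260000000000001"}
    port_out = {"action": "port_out", "line": line, "to_carrier": "OtherCarrier"}

    # Legacy flow: the carrier texts a PIN and the fraudster talks the victim into reading it out.
    legacy = LegacySmsPin()
    pin = legacy.send(line, now)

    # Bound flow: the device shows describe(sim_swap) and produces a code for exactly that.
    code = bound_code(DEVICE_SECRET, sim_swap, now)
    return {
        "shown_to_customer": describe(sim_swap),
        "legacy_accepts_port_out": legacy.verify(line, pin, port_out, now),
        "bound_accepts_sim_swap": verify_bound(DEVICE_SECRET, sim_swap, code, now),
        "bound_accepts_port_out": verify_bound(DEVICE_SECRET, port_out, code, now),
        "bound_accepts_other_iccid": verify_bound(
            DEVICE_SECRET, dict(sim_swap, new_iccid="8901260000000000002"), code, now
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points matter in practice. The canonical encoding is what makes the binding meaningful: if the device and the server serialize the transaction differently, legitimate codes fail, so the fields displayed to the customer must be exactly the fields that are hashed. And the social engineering in the article still works against the bound scheme only if the customer ignores what the device shows; the code itself cannot be redirected to a transaction the customer never saw.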
How does Authoriti’s Permission Code® platform help solve this problem?
The Authoriti Permission Code platform performs one-time identity binding when establishing a private key on the customer’s mobile device, and then uses the Permission Code smart PIN to confirm identity, authentication and authorization for each transaction. The platform:
Integrates with leading Identity verification solutions.
Has pre-built workflow to support Identity verification such as driver’s license scanning and selfies for liveness testing.
Supports push transactions for confirmation by the end customer.
Shows the end-customer the exact transaction being requested.
Embeds the details of the transaction in the signature.
Supports the re-linking of customer identification to the account for the bottom-of-the-lake scenario or initial enrollment.
The Permission Code smart PIN works in all channels. It can be automatically pushed over the web or mobile apps, it can be read aloud on the phone, or it can be scanned at the point of sale. Schedule a meeting and we'll take you for a test run.
Mark Clancy, CEO of Authoriti, was previously CISO and VP of Cybersecurity at Sprint.