About a year ago, André Tenreiro was invited to a meeting between the CEO of the telecommunications company he worked for—one of the largest in Mozambique—and the head of the largest bank in the country. the language. The latter have seen an increasing pattern of so-called fraud SIM swap attackswhere hackers trick or hack into a phone company employee change SIM card associated with the victim’s phone number. The attackers use the stolen number to access banking or other online accounts. According to Tenreiro, the bank has seen more than 17 SIM swap scams every month. The problem is getting worse.
“The man from the bank, I can see in his face that he is desperate. He wants to do something but he doesn’t know what to do,” said Tenreiro, who asked WIRED not to identify the phone he works for. “You are asking for our help. As mobile operators, we also have a responsibility to fight this fraud.”
SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim’s banking credentials, or by using a phone number as a password reset. So the phone company, Tenreiro said, offers a straightforward fix: the carrier will set up a system to let the phone records the bank’s request for any recent SIM swaps associated with the bank account before they make a money transfer. . If the SIM swap has taken place in, say, the last two or three days, the transfer will be blocked. Because SIM swap victims can typically find out within minutes that their phone has been disabled, that time window allows them to report the crime before fraudsters can take advantage.
As of August 2018, Mozambique’s largest bank is conducting SIM swap checks with all major carriers. “It reduced their exchange SIM fraud to zero overnight,” said Tenreiro, who serves on the Mozambique Computer Emergency Preparedness Team, and talked about fixing SIM swap fraud at the Kaspersky Security Analyst Conference earlier this month.
Mozambique is not alone in implementing that reform for the growing epidemic of SIM swap fraud, which is increasingly being used for everything from hacking Instagram accounts to stealing cryptocurrency. According to WIRED’s interviews with security agencies and executives at banks and telecommunications companies, companies in other countries across Africa, including Nigeria, South Africa, and Kenya—where The evolution of mobile payments has made SIM swaps an even more serious threat — put the same. carrier-checked repairs in place. So is the UK and Australia. But there is one country where experts say reform is not taking hold: the US.
“This is something where Africa is ahead of us,” said Allison Nixon, director of security research at security firm Flashpoint. “It’s something people are asking for in the US, but no one has stepped forward to do it.”
Some security firms and banking executives point to US transfers as the main obstacle. They simply don’t make real-time SIM swap data available for the kind of security checks other national banks have implemented. In fact, security company Telesign has come to offer SIM swap fraud detection to US banks, but has found that most US phone companies have not been willing to work with them.
“Long story short, data is not available from many US carriers,” says Stacey Stubblefield, founder of Telesign. He said only one US phone carrier has offered real-time SIM swap data but declined to say what.
Stubblefield admits it’s hard to know what banks’ deals or other SIM swap attack targets may have intercepted with private transfers. Stakeholders are tight-lipped about their solutions, in part to avoid providing any clues that could help terrorists bypass their security systems. But Stubblefield is confident however that carriers don’t provide enough data to allow real-time SIM swap checks in the US. But Stubblefield said Telesign is in talks with two banks seeking that data — a sure sign they don’t already have it.
Seven major US banks jointly have a security company called Early Warning, which like Telesign works to provide banks with data that can help them avoid fraud. “Information evangelist” Hal Granoff of Early Warning said authorities did in fact provide some of that data to Early Warning and its owners. But he declined to specify which type and admitted that he wished they would go further. “They’re sharing information,” Granoff said. “They can do more sharing.”
When WIRED reached out to the four major U.S. carriers, all either declined to answer on the record or referred questions to CITA, the telecommunications industry association. CTIA Vice President for Technology and Cybersecurity John Marinho argued that while US carriers may not offer real-time SIM swap checks, that’s partly because the US has other safeguards, like voice-based geolocation checks mobile application of banks installed on smartphones, and two-factor authentication. (The latter, of course, is correct SIM protection measure swaps attempts to bypass.)
“Security uses many levels and tools to reduce risks; you can’t focus on one tool. There is no silver bullet, you have to use all the tools available,” Marinho wrote in an email. “But carriers, in collaboration with many big brands, cooperate closely to ensure that they are in front of the bad guys to protect consumers from fraud.”
Marinho added that US carriers are prevented from sharing real-time SIM swap data in part by problems of scale. US banks, he said, deal with many users making multiple transactions to check them all against the carrier’s data. Privacy represents a concern, too. Carriers are expected to give any third-party real-time data about users without express opt-out permission. “Are the carriers watching news churn? Yes,” Marinho wrote. “But can they share that information in a cavalier way? No. Cars treat privacy and security as top priorities and comply with any applicable laws regarding customer consent.”
A banking company executive who spoke to WIRED and asked not to be named, however, described the situation differently. He ditched the privacy statement and pointed instead to finance: not enough US banks are currently asking for real-time SIM swap data to create an incentive for carriers to sell access to it. “There is no business model for a carrier to develop a system to support this,” he said. “People don’t want to pay what it takes to have the system available. If someone wants to pay them, phone operators are willing to sell their data to anyone.”
To your point, look no further than the scam that the current occupants have completed sales of customer location data to hunter. Historically, they have lived did not show much concern on allow opinion.
Tenreiro, who helped tackle Mozambique’s SIM swap fraud problem, added that it was possible to fix it without privacy contracts. Your vendor simply sets up an API that responds to banks’ inquiries about SIM swap data while providing other information. “All operators are responding with a binary answer ‘Yes/No’ whether the subscriber has done a SIM swap within the last X days,” he said. “We believe that private exposure is minimal.”
There are, of course, Another way to prevent SIM swap fraud: according to the law, technology companies, cryptocurrency companies and banks are not eligible depending on the security of phone numbers. That means avoiding any password reset based on them and using two-factor authentication through apps or apps instead of text messages, as security professionals have recommended for years.
But real-time checks between SIM targeting companies and carriers should be part of the solution, too, Flashpoint’s Nixon said. And if carriers don’t have the incentive to make that possible, he said, regulators may have to intervene. “I don’t know if this problem can be fixed by the private sector. It might be something that the government has to step in and fix,” he said. “I don’t know if the telcos are planning to offer this, or waiting for the government, but something like this has to happen.”
This first story appears on wired.com.