While many industry players across Africa may have been battling SIM swap fraud for several years, this type of fraud is a growing problem globally and a popular security measure put in place to protect digital transactions, one-time-password over SMS, has exposed the vulnerability of a user’s mobile number, giving rise to SIM swap fraud, says Myriad Connect.
Nairobi-Kenya 22/10/2018: SIM swap fraud has plagued mobile users across Africa for years, with Myriad Connect’s recent survey in Kenya revealing that over 90% of Kenyan banking leaders see it as an issue for their organizations and over 25% of respondents had been victims of SIM swap fraud. While in South Africa, the South African Banking Risk Information Centre (SABRIC) reported recently that the incidence of SIM swap fraud has more than doubled in the past year.
“But SIM swap fraud is not limited to Africa,” says Willie, Myriad Connect Director Business Development – Africa. “It is a growing global issue affecting even some of the most sophisticated technologies in the world.”
Willie cites recent examples such as the case in which US entrepreneur Michael Terpin is suing AT&T over an alleged SIM swap that resulted in millions of dollars’ worth of cryptocurrency tokens being stolen from his account; and another incident in which esports star Yiliang ‘Doublelift’ Peng said he lost $200,000 in cryptocurrency in a SIM swap attack.
“A SIM swap, in which criminals manage to get a replacement SIM for a mobile number that does not belong to them, allows the new SIM to supersede the existing one, and gives criminals access to the legitimate user’s information and accounts,” says Willie. “This compromises the victim’s online banking, cryptocurrency or digital financial service accounts and gives SIM swap fraudsters access to all the victim’s online accounts, including email and all social media accounts. In addition to financial losses, this presents the risk of reputational damage and the exposure of sensitive data, and once fraudsters control a user’s accounts, regaining control of them can be complex.”
In the past, the market’s response to the threat of digital transaction fraud has been to introduce authentication measures to protect transactions – often in the form of a one-time-password (OTP) over SMS. Recent research among leading financial services CIOs in Kenya found that 87% of financial services providers deploy OTP via SMS to protect transactions, and consumer research indicates that 71% of consumers have used services that use OTP via SMS to authenticate financial service transactions.
“However, OTP via SMS has long been considered a vulnerable channel for authenticating financial services transactions, as it does not meet strict security standards,” says Willie. “In 2016 the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap. It poses a challenge to providers using the service, as there is no audit trail, opening a door to large-scale fraud through a single point of failure.”
Organizations and consumers have a false sense of security when it comes to using OTP over SMS in addition to a username and password, he notes. “This mode of authentication is vulnerable to SIM swap fraud and many other forms of attack. It can also be vulnerable to man-in-the-middle attacks, SMS can be intercepted, mobile networks can be hacked to receive the OTP SMSes, and call forwarding can be used to divert the OTP SMSes to a fraudster’s phone. Clearly, OTP via SMS is simply not secure enough to protect financial service transactions.”
Myriad Connect, now operating in the Kenyan market, helps address digital transaction fraud with out of band authentication and SIM Swap services that secure digital and mobile transactions and protect consumers and financial services. Myriad Connect’s service is delivered across a host of different channels, including USSD, mobile app and web, protecting consumers’ online accounts, transactions and digital financial services accounts.