At first glance, it seems so retro. Subscriber Identity Module cards, better known as SIM, used to be an easily removable portable memory chip that acted as the brain of a mobile device. They’re still the brain, and although consumers don’t need to swap them out when they get a new device, SIM cards are still serious business.
In fact, the chips can serve as a link for fraudsters to leverage the SIM card as a means of defrauding unwitting individuals, denying them access to, and draining their bank accounts or running up illicit credit card charges. Not to mention the potential for fraud from messaging apps and the rampant eCommerce fraud that comes with stolen identity in the digital-first economy.
Nothing retro about that. In fact, Rosemary O’Neill, director of customer delivery for NuData Security (in the EU) a Mastercard company, said in an interview with PYMNTS that fighting fraudsters’ sophisticated, high-tech schemes demands several layers of defense that can paint a picture of who is a legitimate customer and who is not.
At a high level, SIM swap fraud involves bad actors using personal data that transfer victims’ cell numbers to their own SIM cards (a key component of mobile devices) in order to gain access to incoming calls, text messages and security prompts, which in turn can be used to gain access to communications that should have gone to the victim. Before delving into how to stop it, it’s worth stopping for some background as to how it happens.
First, scammers access the phone data by getting through two-factor authentication security defenses. To make sure they have the victim’s ID correct, they call or text the phone. Next, the fraudster will call the victim’s mobile carrier, impersonating them and claiming they have lost or damaged the SIM card. Then, they ask for a new SIM card to be activated, and if that happens, the fraudster has unlocked a portal to a treasure trove of information about the victim and his or her contacts.
How are fraudsters able to answer your security questions? That’s where the data they’ve collected on you through phishing emails, malware, the dark web, or social media research becomes useful.
Once they gain access to and control over your cellphone number, fraudsters can then access your phone communications with banks and other organizations — in particular, your text messages. They can then receive any codes or password resets sent to that phone via call or text for any of your accounts. And that’s it: They’re in.
How do they get your money? They might set up a second bank account in your name at your bank because you’re already a customer and there may be fewer robust security checks. Transfers between those accounts in your name might not sound any alarms.
And, according to O’Neill, that access “gives the fraudsters the one-time pass codes and other security [measures] that the banks send to people to let them verify and access their personal accounts.” She noted that — especially in Europe — there’s been a rise in SIM swap fraud, where such incidences have risen by triple-digit percentage rates through the past few years.
Sophisticated Defenses
More recently, she said, criminals have been leveraging this access to make off with cryptocurrencies, demonstrating just how sophisticated social engineering attacks (aided by the theft of SIM cards) are becoming. That means, too, that the defenses raised against those fraudsters have to be more sophisticated. Victims of SIM swaps may only realize their SIM cards have been intercepted and numbers ported onto a different phone when they lose their network access, or they find out that they have lost access to bank accounts. By then it’s too late, even if it’s a few minutes, and the financial damage has been done.
For most financial institutions (FIs), she said, existing lines of defense may be based on static data like passwords, one-time codes or, at a higher level, two-factor identification. But it’s becoming increasingly critical to create additional layers of security — beyond those mere static credentials.
As O’Neill told PYMNTS, efforts to secure users’ data and guard against SIM swap fraud can get a boost from advanced technologies that analyze (via behavioral analytics or passive biometrics) how someone is actually interacting with FIs — in real time.
Analyzing the individual’s online behavior, she said, can help firms (NuData among them) “build up profiles that separate good users from fraudsters.”
Delving into the mechanics, she explained that NuData, through its server-to-server solution, gathers data across several layers of intelligence in a bid to create a holistic view of an FI’s customer. This helps companies realize, even if the credentials and SMS code are correct, that the user’s behavior is inconsistent with past patterns.
One foundational layer of data and analysis rests with “device intelligence,” O’Neill said, seeking to understand if a user’s device or location — indeed their very online connection is known, new or (suspiciously) hidden.
Analyzing Device Intelligence — and More
“By analyzing all of the intelligence from the device, we’re able to create a unique device identifier that recognizes the same information anytime a user comes back,” she told PYMNTS.
A subsequent layer of intelligence is tied to behavioral analytics, which O’Neill said involves examining when a user has started a session on an online platform. NuData evaluates how long it took to complete transactions or interactions and whether the user changed their password (for example) and how long it took them to surf pages.
“We analyze all of these data points in real time, and we’re able to build up a ‘picture’ of that user and compare them against how we expect that user to behave,” she said, with a benchmark gleaned from how other users interact within online environments at an individual and population level.
Having this level of understanding of the online traffic allows companies to let trusted users go through seamlessly and only introduce additional challenges or frictions where warranted.
NuData’s passive biometric layer, used during these real-time evaluations of users, she said, is drawing increased interest from FI clients. This layer enables NuData to focus on what O’Neill called “real-world aspects that help us link back to the user behind the device.”
That’s where the problem starts in the first place — at the device — with the owner of the device and the fraudster looking for a score. In this situation, the fraudster is actually trying to steal more than data. They’re pretending to be someone else while they’re in the act. It’s that behavior that’s unique about SIM fraud, and analyzing that behavior represents the potential solution of the problem.