The phone number, known as the Mobile Station International Subscriber Directory Number (MSISDN) in GSM and the Mobile Directory Number (MDN) in CDMA, has evolved from a mere identifier of a subscriber in telephony communication into a unique identifier of a person undertaking a financial transaction. Banks require the phone numbers of their customers not only as a means of communicating with them when the need arises or of marketing the bank’s products, but also as a means of identifying the customer when (s)he carries out a financial transaction. Banks now treat the phone number as an authenticator of the customer’s identity, just like the home address and postal code.
This new use of the phone number has, in more ways than one, improved service delivery in the financial sector by improving the speed, mobility, accessibility and general ease of financial transactions. People can carry out banking transactions with their mobile phones from the comfort of their homes or offices, or even on the street. Although this can be done through a mobile application without the mobile number as an identifier, transactions have become even easier using SMS and USSD, which rely only on the mobile number as the identifier.
The use of mobile applications for banking transactions is reliant on the availability of cheap, fast and secure internet service. This may be taken for granted in some countries, but in countries where 3G/4G penetration is low, the internet services on the mobile phone may not be the ideal mobile banking enabler. Banks in Africa and South Asia have built mobile banking and mobile money services on USSD platforms and this has brought tremendous growth in volume and value of transactions undertaken by their customers, and consequently increased revenue for the banks. Phone numbers have also been used as identifiers for virtual currency transactions in more advanced markets.
Vulnerability of the MSISDN/MDN as an Identifier
There have been risks associated with the use of the MSISDN for GSM transactions before the advent of mobile banking and mobile money. Two of the known risks are explained below:
- Phone Number Spoofing
Phone number spoofing, also known as caller ID spoofing, is the practice of causing the telephone network to indicate to the receiver of a call that the call originates from a station other than the true originating station. The phone number of the caller is different from the caller ID displayed on the receiver’s device. It is done with the intent of deceiving the call receiver into believing that the caller is someone he/she is not, or that the call is originating from a device or location that it is not. For instance, Party A (the caller) spoofs the phone number of Party B’s (the receiver’s) bank. The caller calls the receiver, and the receiver believes the call must be from his bank, as it is a familiar number. Telemarketers also use spoofing to evade detection by the recipient of the call or by an anti-spam application.
In another example, the caller can spoof an international number making the receiver believe the call is from an international destination, whereas it is a local call.
- Refiling (International bypass fraud)
This is like spoofing. While spoofing is associated with an individual call primarily intended to deceive the receiver about the origin of the call, refiling is a fraud against the mobile network done on a commercial scale. The incentive for refiling exists where there is a difference between local and international rates, creating an arbitrage opportunity (I’ll write more about this in another article). The fraudster superimposes a local number on an international call and presents it to the mobile network and the receiver as a local call, thereby robbing the mobile network of the higher revenue from international call termination.
Spoofing and refiling are done by someone with connectivity to the mobile network at the signalling (ISDN) level. This can be traced back to the source, as the connectivity trunk is known to the mobile operator.
SIM Swap Fraud
SIM swap fraud is a type of identity theft whereby fraudsters pretend to be the owner of a targeted phone number. They contact the mobile service provider claiming their SIM card is lost, and present the information required for the phone number to be transferred to a new SIM in their possession. If successful, they assume the identity the phone number represents, and with it all the privileges it accords the victim, including access to social media accounts, email, mobile money and bank accounts. There may, of course, be other levels of authentication required to gain full access to the victim’s bank account, but once the fraudsters are in possession of the phone number, the other authentication factors can be obtained through phishing, password resets and so on.
In an August 21, 2017 New York Times article (Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency), Nathaniel Popper stated that ‘in a growing number of online attackers, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers’.
Similar stories have been recorded in Canada, where, after swapping the SIM, the fraudster resets the victim’s PayPal account: the reset PIN is sent to the phone number, which is now in the possession of the fraudster.
Who is to Blame?
In a paper I presented to the Nigeria electronic Fraud Forum (NeFF), a project by the Central Bank of Nigeria aimed at finding an industry solution to the emerging fraud risk, I opined that this problem is not primarily a telecoms problem but a financial service industry problem. The reasons are:
- The MSISDN was not designed as a secure means of identifying financial transactions. In the telecommunications industry, billing of call transactions is authenticated using the IMSI and the interconnect trunk, which are more secure identities of an individual subscriber and a partner network respectively. The financial services and other industries have latched on to the MSISDN without assessing its vulnerability.
- The theft of the mobile phone number is not the end the fraudster seeks, but a means to an end. At worst, the SIM swap is a predicate offence to the actual crime of theft of money from a bank or virtual currency account.
- Except where a telco operates a mobile money license, the financial loss is usually on the bank and its customers.
Despite these reasons for telcos not to be concerned, telcos face a reputational risk. Customers tend to see the primary service provider in such complicated transactions as their first line of support, and when that fails, the blame is put squarely at their doorstep.
Where do we go from here?
- a) Stop the use of the mobile number as an identifier:
This will not be an easy solution. Despite its vulnerability, the mobile phone number remains a relatively safe, non-invasive and easily remembered identifier, and since the transaction is being initiated from a mobile device, using the phone number attached to that device makes for ease of transaction.
As a backup identifier for email and social media accounts, it is easy to remember and access.
Also, the use of USSD as a means of delivering banking services has been embraced by many in developing countries, and this may not stop soon.
Stopping the use of the mobile number is not the solution, then. For mobile banking transactions, it can be combined with another level of authentication, such as the device identifier (IMEI) or the SIM identifier (IMSI), to further secure the transaction.
- b) Vigilance by the customer:
The customer has a duty of care towards his/her own property and must do everything reasonable to protect it. To limit or eliminate loss from a SIM swap, once a customer notices a loss of mobile phone service, (s)he must contact the service provider as soon as possible. If the SIM has been swapped, the customer can alert the service provider, and can also contact their bank to prevent any transaction from being processed until the issue is resolved.
- c) Improved SIM Swap Controls:
For security reasons that go beyond the theft of a mobile number for the purpose of robbing the victim of his bank balance, regulators have become increasingly demanding of telcos to improve controls around SIM swap. Telcos are investing in their people and improving their processes to meet the regulatory requirements on SIM swap while striving to meet the legitimate SIM swap needs of honest subscribers. Some of these controls include:
- Presentation of documents, in person, at a telco shop to support ownership of the missing SIM.
- A 48-hour cooling period before any banking transaction after a swap.
- Creating a SIM swap database to which financial institutions can be granted access. The banks can then ensure the cooling period is observed.
- Including email notifications as part of the swap process.
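As an added example (not from the article, NeFF or FraudXpose), here is a Python sketch of how a bank could apply two of the controls described above at the point of authorising a transaction identified only by the phone number: checking that the MSISDN still maps to the SIM identifier (IMSI) the customer enrolled with, as suggested under a), and enforcing the 48-hour cooling period against a telco-shared SIM swap database, as listed under c). The database layout, the phone numbers, IMSIs and timestamps are all constructed, and it is an assumption that the shared database exposes the current IMSI alongside the last swap time.

```python
# Added example: bank-side pre-authorisation check for an MSISDN-identified
# transaction (e.g. over USSD). Combines two controls from the article:
#   1. the MSISDN must still map to the IMSI the customer enrolled with, and
#   2. a 48-hour cooling period applies after any recorded SIM swap.
# The SIM swap database, enrolment records and all values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLING_PERIOD = timedelta(hours=48)

# Reason codes attached to every decision (constructed vocabulary)
OK = "OK"
UNKNOWN_MSISDN = "UNKNOWN_MSISDN"
NOT_ENROLLED = "NOT_ENROLLED"
SIM_CHANGED = "SIM_CHANGED_SINCE_ENROLMENT"
COOLING = "WITHIN_COOLING_PERIOD"


@dataclass
class SimRecord:
    imsi: str                      # IMSI the network currently maps to the MSISDN
    last_swap: Optional[datetime]  # when the MSISDN last moved to a new SIM, if ever


# Constructed stand-in for the telco-shared SIM swap database (assumption:
# it exposes the current IMSI as well as the time of the last swap).
SIM_SWAP_DB = {
    "+2348010000001": SimRecord("621300000000001", datetime(2017, 8, 20, 9, 0, tzinfo=timezone.utc)),
    "+2348010000002": SimRecord("621300000000002", None),
    "+2348010000003": SimRecord("621300000000033", datetime(2017, 8, 10, 9, 0, tzinfo=timezone.utc)),
}

# Constructed stand-in for the bank's enrolment records: the IMSI captured
# when the customer registered for mobile banking (e.g. in a branch).
BANK_ENROLLED_IMSI = {
    "+2348010000001": "621300000000001",
    "+2348010000002": "621300000000002",
    "+2348010000003": "621300000000003",  # enrolled before the swap; network now reports ...033
}

# Constructed "current time" used by the demo below
DEMO_NOW = datetime(2017, 8, 21, 12, 0, tzinfo=timezone.utc)


@dataclass
class Decision:
    allowed: bool
    reason: str
    retry_after: Optional[timedelta] = None  # time left in the cooling period, if that is the reason


def cooling_remaining(record: SimRecord, now: datetime) -> timedelta:
    """Time left in the post-swap cooling period; zero if no swap or it has elapsed."""
    if record.last_swap is None:
        return timedelta(0)
    remaining = COOLING_PERIOD - (now - record.last_swap)
    return remaining if remaining > timedelta(0) else timedelta(0)


def authorise(msisdn: str, now: datetime) -> Decision:
    """Decide whether a transaction identified only by MSISDN may proceed."""
    record = SIM_SWAP_DB.get(msisdn)
    if record is None:
        return Decision(False, UNKNOWN_MSISDN)
    enrolled = BANK_ENROLLED_IMSI.get(msisdn)
    if enrolled is None:
        return Decision(False, NOT_ENROLLED)
    # Control 1: the SIM behind the number must still be the one enrolled.
    # A mismatch means the number changed hands (legitimately or not) since
    # enrolment, so the customer must re-enrol through a channel that does
    # not depend on the phone number.
    if record.imsi != enrolled:
        return Decision(False, SIM_CHANGED)
    # Control 2: honour the 48-hour cooling period after any recorded swap,
    # even when the swap left the enrolled IMSI in place.
    remaining = cooling_remaining(record, now)
    if remaining > timedelta(0):
        return Decision(False, COOLING, retry_after=remaining)
    return Decision(True, OK)


if __name__ == "__main__":
    for number in list(SIM_SWAP_DB) + ["+2348010009999"]:
        d = authorise(number, DEMO_NOW)
        print(number, "ALLOW" if d.allowed else "DENY", d.reason, d.retry_after or "")
```

The order of the checks is deliberate: the IMSI binding is the stronger signal and is evaluated first, so a swapped SIM is refused outright rather than merely delayed, while the cooling period catches the case where the telco's record shows a recent swap that the bank has no other way to see. A real deployment would also log every denial for the fraud team and notify the customer through a channel other than the phone number, as the email-notification control above suggests.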
- d) Industry Collaboration:
The most sustainable solution to this problem is collaboration between the telecoms and financial services industries to produce a solution for their customers. The effort by NeFF in Nigeria has not only helped both industries understand the risks in their operations and services but also brought them together to design a solution that will be mutually beneficial.
If you have a question about the article, please contact the author, firstname.lastname@example.org
DISCLAIMER: Comments expressed here do not reflect the opinions of FraudXpose or any employee thereof.