By now, you might already know that SIM swap fraud is a major problem that can’t be ignored. It’s on most fraud executives’ radars, not to mention in the news nearly every other week. According to the Wall Street Journal, investigators say they know of more than 3,000 SIM-jacking victims, accounting for $70 million in losses nationwide (the real numbers are likely much higher considering that many cases go unreported).
Congress is also getting involved to battle this epidemic. Earlier this month, Senator Ron Wyden published a letter to FCC chairman Ajit Pai calling on him to take action to protect consumers against number porting (a.k.a. SIM swap) scams. In Canada, the CRTC also issued a similar letter to the Canadian Wireless Telecommunications Association echoing these concerns. On top of all this, Princeton just released a study finding that top U.S. mobile carriers were vulnerable to SIM swapping tactics.
Now you know that SIM swap fraud is a serious threat to you, your company, and your customers.
A different way of looking at SIM swap fraud
The Princeton study, Senator Wyden’s letter, and most of what has been written on the internet about SIM swap fraud focus on the role that mobile carriers play in the attack. As these writeups show, the step where hackers dupe customer service agents into swapping SIMs is vital to the attack being successful. It is also very difficult to prevent, because it involves humans, specifically customer service agents who are trained to be as helpful as possible. On closer inspection, however, this step is not where the actual damage is done.
In most cases, the actual damage – theft of funds, hijacking of a social media account, or theft of cryptocurrency – occurs after the fraudster actually goes to log into the victim’s accounts using the phone number he has just taken over. So technically, just taking over your phone number is not enough. In order to really inflict damage, a fraudster also needs to log into your accounts.
An opportunity to stop SIM swap fraud in its tracks
This is where Payfone’s patented Phone Intelligence comes into play. When the fraudster goes to log into the victim’s account, the business (whether it be a bank, crypto platform, social media platform, or other kind of enterprise) can use Phone Intelligence to detect that a SIM swap has taken place and block the fraudster from taking nefarious actions.
Consider this scenario involving a cryptocurrency exchange:
1) Fraudster steals username/password of victim and logs into cryptocurrency exchange.
2) Fraudster takes over victim’s phone number through a SIM swap attack.
3) With Payfone enabled, the cryptocurrency exchange can call our APIs to see if a SIM swap has occurred on that account.
4) If a SIM swap has occurred, the cryptocurrency exchange routes the user to further inspection before granting them access to the account.
5) Because accounts can be locked before any damage can be done, the cryptocurrency exchange is able to shut down hackers before they can do harm, safeguarding their users’ cryptocurrency.
Why CX and digital executives should also take note
From a customer experience standpoint, Phone Intelligence has the additional benefit of creating a more seamless experience for legitimate users. Since many SIM swaps are legitimate (in 2018, there were 90 million ports and 100 million device upgrades in the U.S.), simply detecting SIM swaps and hitting anyone who has swapped their SIM with a ton of friction can be significantly damaging to your customers’ experience and, in turn, customer satisfaction. Enterprises must be careful not to slow down the experience for customers who may have legitimately ported their numbers or upgraded their devices. By analyzing the contextual behavior and time of a SIM swap, Payfone provides a more sophisticated and nuanced approach to thwarting SIM swap fraud. As a result, you can offer a faster and easier experience for good customers while identifying potential bad actors and subjecting them to further inspection.
It’s also important to note that customers of businesses who do not use Payfone have to jump through considerable hoops if they want to go the DIY route to protect themselves against SIM swap fraud. Numerous articles give recommendations on how to do this (calling your mobile carrier, setting up a pincode, then setting up a longer 16-digit pincode, etc.), but not only are these precautions time-consuming, they are also totally ineffective when hackers break directly into telecom companies to swap SIMs.
The Bottom Line: Implementing technology that not only safeguards your customers against SIM swap attacks but also betters their experience is an investment. However, it’s an investment that can help you not only avoid losing customers, but also attract new customers by differentiating your company as one that cares about their security, convenience, and experience.
At this point, the bank has a decision to make: every year millions of their customers actually do forget their password and need help. These processes are now automated so that call centers can focus on higher value services for customers. But of course, the OPEX savings and better customer experience don’t outweigh heavy fraud losses due to SIM swaps. So what do the Tier 1 banks do?
(3) The bank pings Payfone’s patented SIM swap technology, and in real time, Payfone is able to tell the bank whether a SIM swap has occurred in the last few hours. Payfone does this by checking the “born on date” of the SIM. If the SIM was recently changed (via a port-out or device swap) then the born-date would be a smoking gun.*
* The likelihood of a high-risk event such as password reset happening at the same time as a SIM change warrants further vetting, so the bank does not send an SMS with a password reset code to the customer/possible fraudster, and instead steps up the transaction.
Simple and powerful, Payfone protects the leading banks, insurers, fintechs and cryptocurrency wallets from SIM swap attacks in real-time for over 100M US consumers. In a recent case, a Tier 1 US bank saw SIM swap fraud drop significantly in real-time after launching Payfone.
We also recently expanded this capability to UK banks as part of a global roll-out.
NEW YORK (September 30, 2019) – SIM swap attacks continue to make headlines, with Twitter CEO Jack Dorsey becoming one of the most famous victims to date when his mobile phone number was taken over last month. Similar scams are rapidly increasing in frequency, impacting high-profile CEOs, Hollywood celebrities, cryptocurrency communities, and everyday people, as criminals take advantage of security loopholes and the vulnerabilities of 2FA (two-factor authentication) to hijack social media accounts or steal money and cryptocurrency by taking over victims’ mobile phone numbers.
Payfone, the world’s leading digital identity authentication provider, today announced that it is taking a stand against SIM swap attacks with real-time SIM swap fraud detection technology that has the power to end these kinds of hacks for even more consumers.
The technology leverages Payfone’s Trust Score™, a real-time measure of identity confidence, and telecom intelligence signals to thwart both SIM swap and device swap fraud in real time. The patented capability is the only technology of its kind that can inform banks, cryptocurrency platforms, social media platforms, and other service providers of suspicious activity related to SIM swaps in real time, allowing them to take action to prevent illegitimate withdrawals and transactions while also making it easy for legitimate customers to transact.
“Businesses and consumers now rely on 2FA to secure our most essential digital services, services that are woven into the fabric of our daily lives,” said Rodger Desai, Chief Executive Officer, Payfone. “It’s critical that we extend our technology to take a stand to fight this national threat.”
To carry out SIM swap fraud, hackers take over a victim’s phone number and exploit weaknesses in 2FA in order to gain access to bank, cryptocurrency, or social media accounts. Without Payfone’s advanced algorithms, enterprises with SIM swap detection technology may have visibility into the fact that a SIM swap has occurred, but they are unable to see when the event took place, which is a major factor when it comes to differentiating fraud from a legitimate transaction. With Payfone’s real-time SIM swap detection algorithms, companies can now not only see that a SIM swap has taken place, but also the proximity of the event to a high-risk transaction (for example, a SIM swap that is immediately followed by a password reset).
In addition to preventing fraudsters from accessing victims’ accounts illegally, Payfone’s patented technology enables a more frictionless and pleasant experience for good customers. Since many SIM swaps are legitimate (in 2018, there were 90 million ports and 100 million device upgrades in the U.S.), enterprises do not want to slow down the experience for customers who may have legitimately ported their numbers or upgraded their devices. By analyzing the contextual behavior and time of a SIM swap, Payfone’s Trust Score can provide a faster and easier experience for good customers while identifying potential bad actors and subjecting them to further inspection.
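The timing check described above (how recently the SIM changed, weighed against the risk of the transaction) can be sketched as follows. This is an added example, not Payfone's code or API: `decide`, the event names and both window lengths are assumptions, and the SIM change time is passed in as an input rather than fetched from any real service.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class Action(Enum):
    SEND_SMS_CODE = "send_sms_code"   # SMS is still trusted as a factor
    STEP_UP = "step_up"               # route to further vetting, send no SMS


# Assumed policy values; the page only says "the last few hours".
HIGH_RISK_EVENTS = {"password_reset", "withdrawal", "add_payee"}
HIGH_RISK_WINDOW = timedelta(hours=72)
LOW_RISK_WINDOW = timedelta(hours=6)


def decide(event, event_time, sim_changed_at):
    """Return the Action for an event given the SIM's last change time.

    sim_changed_at is the SIM/port change time reported by a carrier-signal
    provider (hypothetical input), or None when the lookup failed.
    """
    high_risk = event in HIGH_RISK_EVENTS
    if sim_changed_at is None:
        # No signal: fail closed only for the events where damage is done.
        return Action.STEP_UP if high_risk else Action.SEND_SMS_CODE
    age = event_time - sim_changed_at
    if age < timedelta(0):
        # Change stamped after the event: skewed or bad data, do not trust it.
        return Action.STEP_UP
    window = HIGH_RISK_WINDOW if high_risk else LOW_RISK_WINDOW
    return Action.STEP_UP if age <= window else Action.SEND_SMS_CODE


def run_samples():
    """Evaluate constructed sample events (not real customer data)."""
    now = datetime(2019, 9, 30, 12, 0, tzinfo=timezone.utc)
    samples = [
        ("password_reset", now - timedelta(hours=2)),   # swap then reset
        ("password_reset", now - timedelta(days=90)),   # old device upgrade
        ("login", now - timedelta(days=2)),             # recent but low risk
        ("login", now - timedelta(hours=1)),            # very recent swap
        ("password_reset", None),                       # lookup failed
    ]
    return [decide(event, now, changed) for event, changed in samples]


if __name__ == "__main__":
    for action in run_samples():
        print(action.value)
```

The second and third samples are the legitimate-customer cases: a SIM change outside the window for that event adds no friction.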
Enterprises who are interested in protecting their customers against SIM swap fraud via Payfone’s service can visit payfone.com for more information.
Payfone’s award-winning Trust Platform™ and Trust Score™ bring trust to the digital economy by enabling businesses to instantly verify customers while thwarting fraud and cyberattacks in real-time; all within a privacy-first, zero-knowledge framework. Payfone serves 6 of the top 10 US financial institutions, and leading healthcare, insurance, technology and retail companies. Learn more at payfone.com and linkedin.com/company/payfone.