BY VICTOR ADAR
A mobile technology specialist firm, Myriad Connect, has decried the growing problem of SIM swap fraud, warning that the scam is now a global threat as many industry players across Africa continue to battle it. The company says that this fraud has plagued mobile users across Africa for years, and a recent survey in Kenya found that over 90% of Kenyan banking leaders see it as an issue for their organisations.
Worse still, the percentage of people who have been victims of the digital crime stands at over 25%, an indication of how bad things are for not only families but also companies. Given the number of recent victims (and perhaps of those who are still green about the existence of the fraud), there is a big risk.
Meanwhile, in South Africa, the Banking Risk Information Centre (SABRIC) reported a couple of months back that the incidence of SIM swap fraud has more than doubled in the past year. Stories are told of high-profile cases where companies and families lost huge amounts of money after giving away sensitive information about their SIM cards. Believe it or not, you are likely to be broke if you don’t know how to save yourself from this irony of digital transactions, which are good but which have infinite challenges.
Do you hold the key to your SIM card, or can someone take advantage and mess you up?
Keeping a close eye on the scam requires putting a security measure in place to protect digital transactions, because what experts call “one-time-password over SMS” has exposed the vulnerability of a user’s mobile number, giving rise to SIM swap fraud.
“SIM swap fraud is not limited to Africa,” says Willie Kanyeki, Myriad Connect director business development – Africa. “It is a growing global issue affecting even some of the most sophisticated technologies in the world.”
Mr Kanyeki cites recent examples such as the case in which US entrepreneur Michael Terpin is suing AT&T over an alleged SIM swap that resulted in millions of dollars’ worth of cryptocurrency tokens being stolen from his account, and another incident in which esports star Yiliang ‘Doublelift’ Peng said he lost $200,000 in cryptocurrency in a SIM swap attack.
“A SIM swap, in which criminals manage to get a replacement SIM for a mobile number that does not belong to them, allows the new SIM to supersede the existing one, and gives criminals access to the legitimate user’s information and accounts,” says Kanyeki. “This compromises the victim’s online banking, cryptocurrency or digital financial service accounts and gives SIM swap fraudsters access to all the victim’s online accounts, including email and all social media accounts. In addition to financial losses, it presents the risk of reputational damage and exposure of sensitive data, and once fraudsters control a user’s accounts, regaining control of them can be complex.”
In the past, the market’s response to the threat of digital transaction fraud has been to introduce authentication measures to protect transactions – often in the form of a one-time-password (OTP) over SMS. Recent research among leading financial services chief information officers in Kenya found that 87% of financial services providers deploy OTP via SMS to protect transactions, and consumer research indicates that 71% of consumers have used services that use OTP via SMS to authenticate financial service transactions.
“OTP via SMS has long been considered a vulnerable channel for authenticating financial services transactions, as it does not meet strict security standards,” says Kanyeki, adding that in 2016 the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap. “It poses a challenge to providers using the service, as there is no audit trail, opening a door to large-scale fraud through a single point of failure,” he says.
Organisations and consumers have a false sense of security when it comes to using OTP over SMS in addition to a user name and password, he notes. “This mode of authentication is vulnerable to SIM swap fraud and many other forms of attack. It can also be vulnerable to man-in-the-middle attacks. SMS can be intercepted, mobile networks can be hacked to receive the OTP SMSes, and call forwarding can be used to divert the OTP SMSes to a fraudster’s phone. Clearly, OTP via SMS is simply not secure enough to protect financial service transactions.”
Myriad Connect, now operating in the Kenyan market, helps address digital transaction fraud with out-of-band authentication and SIM Swap services that secure digital and mobile transactions and protect consumers and financial services. With services delivered across a host of different channels, including USSD, mobile app and web, the mobile technology specialist is keeping a close eye on the latest digital threats by providing solutions while empowering enterprises and mobile network operators.