Comply or cry: are telcos failing to protect their customers from fraud?

Mobile phone users are falling foul of SIM swap scams as telcos go lax on their compliance procedures. How can telcos ensure their customers are protected and they remain conformant?

Despite a raft of legislation binding telcos to protecting their customers from fraud, a great many customers are being swindled by bad actors. Almost a quarter of US citizens have reported losing money to phone scammers in 2021, a situation greatly exacerbated by COVID.

One such case which is on the rise is SIM swap fraud, a disturbingly easy-to-pull-off scam which allows hackers to exploit a loophole in some number portability processes to effectively duplicate a target’s phone number.

To perform, a hacker just needs some personal information pertaining to their victim, obtained through social engineering, phishing, social media, or data breaches, as was the case in February, when 17 parents of students from an Australian school were targeted by SIM swap fraudsters after a list of names and contact details were leaked.

The attacker then contacts the service provider, posing as the victim, and requests a porting over of the victim’s phone number to a new SIM or eSIM. Once compromised, a hacker can then access One Time Passcodes to reset the victim’s passwords and access protected accounts.

The International Mobile Subscriber Identity (IMSI) should make it easy to identify any fraudulently cloned SIMs, the unique identifier from the victim’s number being different from that of the fraudster’s SIM card. This is clearly not happening, however, and the regulators are now having to get involved.

One such example in Australia is Circles.Life, which has been fined almost $200,000 by the Australian Communications and Media Authority (ACMA), having run afoul of fraud regulations by not adequately checking the identity of customers porting numbers from other networks. As a result, 42 people had their email and bank accounts compromised, with at least seven of these losing out financially.

The Singapore-based telco, operating as an MVNO on Optus’ network in Australia since September 2019, failed to properly check phone number transfers for SIM cards purchased in their stores, allowing scammers to fraudulently port over numbers from other telcos without their victims’ knowledge.

As detailed by Circles.Life Australia’s CEO Nicholas Demos to Gizmodo Australia, “we were required to implement a one-time-password verification process for all port-ins... While this was done for all online port-ins, which represent the vast majority of our business, it was not done for port-ins done through our retail channels.”
All compromised phone numbers were restored to their owners, and the required identity checks have now been implemented, with staff appointed to ensure compliance.

Multi-factor identity checks were introduced by ACMA in 2020 as part of a package of new rules to crack down on fraudulent activity, requiring multi-factor authentication to prevent unauthorised access to customers’ phone numbers.

Despite this, many subscribers in Australia, particularly customers of Optus, were falling victim to SIM swap scams, prompting a fresh crackdown and warnings of legal actions against non-compliant telcos.

ACMA declared combating identity theft phone scams to be one of its main priorities for this year and next, its chair Nerida O’Loughlin warning, in the wake of the Circles.Life case, that “Combatting these types of scams requires concerted action by all telcos and one weak link exposes all consumers to harm,” noting that it was “the customers of other telcos who have fallen victim in this case.”

Back in June, ACMA similarly penalised Lycamobile Australia to the tune of $186,480 for not carrying out proper checks when activating prepaid services, on top of a $604,800 hit the telco took last year for failing to provide customer data to the Integrated Public Number Database used by police and emergency services.

Though the required measures were eventually implemented, it’s troubling that these safeguards were overlooked, putting many customers potentially at risk of fraud. Not only to avoid financial penalties, telcos must also self-impose rigorous compliance procedures on their operations to protect their customers from fraud.

With customer service now very much a multi-channel affair, spanning call centres, dealers and various digital portals, apps and chat platforms, it is vital that business processes are consistent and watertight across all customer touchpoints. Any flaw in a patchwork of best-of-breed BSS/OSS applications will leave telcos at the mercy of the fraudsters and facing the wrath of their customers – and regulators too.

Update [24/08/2022]: It was announced today that Vodafone has been forced to pay damages in a landmark SIM-swap legal case after a court declared a “serious breach” of its own security protocols, after a Vodafone customer representative provided a hoaxer posing as a customer with a PAC code to transfer a phone number via online chat.

Update [17/04/2024]: Bleeping Computer have reported that criminals are contacting T-Mobile and Verizon employees to perform SIM swaps, offering $300 to those willing.

Talk to Cerillion now to find out how our pre-integrated product suite delivers not only a faster time to value, but also seamless business processes across all points of customer engagement.