
Exposed to SIM swapping: it’s time to raise the security bar by granting card duplicates


Digitization, technological progress and simply the passing of the years have shaped a scenario in which our mobile phone is the ultimate form of identification that a multitude of services use to confirm that we are who we say we are. The electronic DNI has been with us since 2006 and is still nowhere near a simple, universal way to identify ourselves digitally. We even have the CL@VE service to identify ourselves with our smartphone. Where there is no card, the mobile will do.

This scenario, comfortable and convenient as it is, has a perverse side: leaving everything to the mobile means that anyone who takes control of it can impersonate us. And that control does not have to be physical; it is enough to have a SIM associated with our number. That is possibly the weakest link in the chain, and it is where SIM swapping comes in.

A SIM with our number = free access to our bank

The passing of the years has also left us with nightmare cases in which an ordinary person suddenly lost coverage, their line went dead (the prelude to the horror), and shortly afterwards they discovered that their bank account had been emptied.

The operator store employee, the weakest link in SIM swapping

All these stories have their epicenter at the moment when someone pretends to be us, usually in a physical store of the operator in question. An employee of that store is the one who must make sure that the ID presented is authentic and that the person handing it over matches the photo on the document, but in practice this control sometimes fails.

Once the identity thief has a SIM associated with our mobile number, and already knows our ID, they have a free hand to access our online banking by requesting a password reset via SMS. The SMS is both the beginning and the end.

The intersection between security and our mobile phone has gone through several phases. 11-M was the trigger for requiring anyone who wanted to register a telephone number to identify themselves with their DNI; later, the massive adoption of the mobile phone gave banks the push to start replacing the now-extinct coordinate cards with verification SMS. The rise of SIM swapping in recent years should have served to start requiring much stronger security protocols when duplicating SIM cards. This procedure should be treated for what it is: a process that, if not carried out exhaustively, comparing the face with the document with the same precision as a Russian border control, can lead to identity theft, which in turn leads to theft and other serious crimes.


In 2022, the AEPD (Spanish Data Protection Agency) fined the four major Spanish operators for not having protected their customers' personal data with sufficient diligence and for not having applied the necessary mechanisms to verify the identity of the line holder requesting a SIM card. Movistar had to pay 900,000 euros; Orange, 700,000; MásMóvil, 200,000; and Vodafone, 3,940,000.

In the case of the latter, the British operator blamed the criminals and its own employees for human error, but the AEPD found that the company had acted negligently by taking corrective measures only once the investigation had begun.

The consequences were transfers from the victims' bank accounts or money sent through Bizum, for amounts of up to 30,000 euros (up to 500 in the case of Bizum), and loans of up to 43,000 euros taken out in another person's name.

As a result, several operators decided to take measures hand in hand with the sanctioning body: the AEPD approved the creation of a ‘Self-regulation code of conduct for data processing in advertising activity’ to which Movistar, Tuenti, O2, Orange, Jazztel, Amena, Simyo, Vodafone, Lowi, Ono, Másmóvil, Yoigo, Lebara, Llamaya, Happy Móvil and Pepephone have signed up; all of them voluntarily… but it is binding. However, this code of conduct, which enters into force on January 28, 2023, is designed to ensure that a customer can be quickly attended to for matters that occurred during the last year and have been claimed but have not yet reached trial.

Post-sanctions measures

What have the operators done to prevent SIM swapping since those sanctions? MásMóvil tells us that it has introduced specialized SIM change management groups that report directly to the Fraud Prevention Department, provide 24/7 support and analyze the process and any pattern in it that deviates from the established one.

“There is another series of measures from the IT point of view, as well as process improvements in terms of reinforcing security, which, given the confidentiality they need to remain effective, we prefer to keep internal and not publicize,” says the owner of Yoigo and Pepephone. “All of this has resulted in exhaustive control of the SIM change process across all our channels and in minimizing any potentially fraudulent practice related to SIM swapping; we consider the results obtained with the measures implemented to be optimal.”


Orange, an operator that is in the process of being bought by MásMóvil (a deal that would make it the first national telecom by number of mobile lines and by fiber and ADSL lines, although not by revenue), explains that it is actively working to prevent identity theft risks, and adds a specific measure, its “SIM Swap” solution, “which makes it possible to know the SIM update date, relevant information for determining the possible risk that their clients have been victims of identity theft,” say sources at the French telco.

And what does Telefónica say? “Movistar has adopted various measures to prevent fraud due to SIM swapping. We have equipped our systems and applications with security controls that prevent and/or detect misuse derived from fraudulent SIM swapping practices. In addition, we are improving all our processes and service channels so that the operations our clients carry out through them are ever safer.” Xataka also contacted Vodafone to obtain its statement, but had not received a response.

Better tools than SMS, or double human verification, for requesting a duplicate

Banking environments, which tend to lead the way in security, saw their latest package of identity verification measures crystallize with PSD2, the second payment services directive, which came into effect in 2019. Something similar would not hurt in the telecommunications sector: a strategy to eliminate, or at least make much harder, SIM swapping, one of the great evils of our day, a macabre lottery that costs whoever draws it at least a few bad days, perhaps many euros lost along the way, if not a long legal process to resolve loans that were never requested.


In this regard, a practice alien to telecommunications but one that greatly facilitates SIM swapping is requesting a photo of the DNI for any online transaction, including second-hand sales. In some cases the seller's real intention is not to sell the product but to obtain an unsuspecting person's ID, and setting a price that is too cheap for the product in question can even help: it makes for a quick sale and discourages the buyer from asking too many questions or being fussy.

Nor would it hurt, returning to telecommunications, to rely on a more secure process than SMS for authenticating identity. Two-factor authentication apps such as Google Authenticator (Microsoft, Apple and many others have their own too) can be a great starting point: something that is not as passive as simply receiving an SMS.

Another idea: create the option to add more than one holder to a line, or a holder and an authorized person, as with bank accounts, and require double validation for something as delicate as a SIM duplicate. At the very least, by answering the phone and giving information about the line that confirms that the authorized person is also who they say they are.

A practice, by the way, that would also help speed up certain procedures, such as a plan change or porting, for people who do not cope well in such environments, such as some elderly people or people with disabilities who cannot leave home. Double human verification could also be carried out on the operator's side, by the store staff responsible for the process, although this could be complicated in many stores with only one employee per shift or where the franchisee works alone. There is no shortage of ideas and possibilities.

In short, advances that would make our mobile line more secure. Especially now that we have spent years seeing the havoc that a duplicate SIM can wreak when it falls into the wrong hands.
