
Tackling the menace of SIM swap frauds

SIM swap attacks can cause significant loss of face and finances for victims. Amid a worldwide wave of such attacks, banks and telecom companies must join hands to put in place stronger security measures and protect their customers.

A cybercriminal gets hold of your number, name and other identity details, then asks your telco to move the number to a new SIM, either as a replacement SIM on the same network or by porting the number to another operator. The operator runs some checks on the identity of the requester and usually grants the request: it is a legitimate and useful service when a subscriber has lost a handset or wants to change service providers. Once the swap goes through, your handset drops off the network, and every call and text message to your number, including the One Time Passwords (OTPs) sent by your bank and other services, is delivered to the SIM the attacker now holds. Combined with the identity details already gathered, that gives the attacker what is needed to reset passwords and approve transactions on the card, bank, email and social media accounts linked to the number.

The attacker now transacts as you: emptying your bank accounts, reading your email, posting on your social media accounts, and causing you financial and reputational loss. In the UK alone, losses from SIM swap frauds have averaged close to 3 million pounds annually. Worldwide, there is a wave of these attacks targeting cryptocurrency users, whose wallets and exchange accounts are hijacked and taken over, with losses running to millions of dollars in individual cases.

Because technology evolves so quickly and has grown so complex, few people understand how to address the risks that come with it. The average user cannot be expected to prevent a SIM swap: there is little the user can do about it, and very few users understand, or are even aware of, the weakness.

THE LIABILITY OF TELECOM OPERATORS AND BANKS

Just as product liability places liability on manufacturers for defects because products are too complex for consumers to adequately understand the threat of defects, cybersecurity negligence must place the liability on telecom operators for SIM swaps because cybersecurity has become too complex for consumers. Particular to SIM swap, the victims can do very little to avoid these attacks without the assistance of telecom operators. Thus, the cost of avoiding SIM swap attacks, if placed on victims, is likely to cause a sharp reduction in the use of digital accounts and assets that have value.

One way the user or the public can limit potential attacks and harm is by using other forms of authentication wherever possible and avoiding SMS-based two-factor authentication. Such steps are not always possible, because many accounts offer only SMS-based two-factor authentication, and some require it. Thus, unlike phishing, where the likelihood of attack and harm can be reduced by the user's own carefulness, SIM swap attacks are almost impossible to avoid through user vigilance, and the harm can only be reduced by giving up the beneficial activity altogether.

A further distinction from phishing scams, which have been heavily publicised, is that SIM swap victims suffer from a lack of adequate knowledge. They do not know they are vulnerable because SIM swap attacks, and the know-how needed to address them, are still under-publicised.

A SIM swap results in unauthorised transactions, and its primary enabler is customer information leaked through data breaches at banks and telecom platforms. Banks are required to verify the identities of their customers strictly and to run background checks on their employees; they are also positioned to identify fraud risk and to devise mechanisms that protect customers.

WHAT THE RBI SAYS

The Reserve Bank of India issued a master circular dated 6 July 2017 on customer protection in unauthorised electronic banking transactions. The circular states that a customer has zero liability in the following events:

“(i) Contributory fraud/negligence/deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer)

(ii) Third party breach where deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.”

In its notification dated 22 June 2020, titled ‘Increasing Instances of Payment Frauds—Enhancing Public Awareness Campaigns Through Multiple Channels’, the Reserve Bank of India acknowledged that, despite its initiatives, frauds continue to bedevil digital users, often using the very modus operandi users had been cautioned about: luring them into disclosing vital payment information, swapping SIM cards, opening links received in messages and mails, and so on. It therefore advised all payment system operators and participants, banks and non-banks alike, to continue and reinforce their efforts to educate users on the safe and secure use of digital payments.

THE TECHNOLOGY

SIM swap fraud essentially uses social engineering, aimed at the telco rather than the victim, to circumvent the safety barrier of two-factor authentication delivered over SMS: once the attacker receives the victim's texts, the OTP is no longer a second factor. There are multiple technological countermeasures, including behavioural heuristics, multi-factor authentication not based on SMS, biometrics (including voice biometrics), security PINs, and API-based solutions that require real-time coordination between telcos and financial institutions.

Behavioural heuristics use machine learning to build a baseline of patterns peculiar to a user, such as the usual times and places of operation, device particulars and amounts transacted. Any serious deviation from the established pattern is flagged as suspicious and subjected to enhanced checks, reducing the chance that a fraudulent transaction goes through.

Multi-factor authentication other than SMS includes authenticator apps such as Google Authenticator (which generate time-based codes on the device rather than receiving them over the network), hardware security keys, and binding the account to a particular registered device. Because none of these depend on the phone number, they hold up against SIM swaps and other account takeover threats.

Biometrics, including voice biometrics, are used to identify customers against pre-stored biometric parameters, such as voice samples taken during KYC or other authenticated interactions.

Security PINs can be set with the consumer at the time of onboarding and required before any SIM replacement or port-out is processed, which limits account takeover through SIM swap to cases where the PIN itself has been compromised.

Application Programming Interface (API)-based solutions have proved highly effective in countering SIM swap frauds in regions like Africa, where mobile operators have tied up with financial institutions to provide them. They are disarmingly simple: before every transaction, an automated query asks the telco whether the number has recently been swapped to a new SIM, ported out, or put into a new device. If so, SMS-based authentication is automatically blocked for a period and the customer must authenticate another way. This measure has been reported to be 100% effective in stopping SIM swap frauds. It would be an effective and cheap solution for India too, and telcos and financial institutions should collaborate to protect consumers from the SIM swap menace.
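The following is an added example, not part of the original article and not any operator's or bank's code, of how a bank-side gate for the API check described above could be written. The telco response shape (`SimStatus`), the 72-hour cooling-off period, the sample numbers and the timestamps are all assumptions constructed for the example; a real deployment would call the operator's own SIM-change API in place of `lookup_sim_status`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple

# Assumption: SMS OTP is withheld for 72 hours after any SIM-level change.
COOL_OFF = timedelta(hours=72)

# Fixed "current time" so the example is reproducible;
# a live system would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


class Decision(Enum):
    ALLOW_SMS_OTP = "allow_sms_otp"
    BLOCK_SMS_OTP = "block_sms_otp_use_other_factor"
    TELCO_UNAVAILABLE = "block_sms_otp_telco_unavailable"


@dataclass(frozen=True)
class SimStatus:
    """Hypothetical shape of a telco SIM-change lookup response (assumption)."""
    msisdn: str
    last_sim_change: Optional[datetime]     # SIM replaced with the same operator
    last_port_out: Optional[datetime]       # number ported to another operator
    last_device_change: Optional[datetime]  # SIM first seen in a different handset


@dataclass(frozen=True)
class GateResult:
    decision: Decision
    triggering_event: Optional[str] = None
    event_time: Optional[datetime] = None


# Constructed sample records standing in for the operator's real-time API.
_SAMPLE_TELCO_DB: Dict[str, SimStatus] = {
    # SIM swapped two hours ago: the classic attack window
    "+919800000001": SimStatus("+919800000001", NOW - timedelta(hours=2), None, None),
    # Legitimate SIM replacement ten days ago: outside the cooling-off window
    "+919800000002": SimStatus("+919800000002", NOW - timedelta(days=10), None, None),
    # No SIM change, but the SIM turned up in a new handset an hour ago
    "+919800000003": SimStatus("+919800000003", None, None, NOW - timedelta(hours=1)),
    # Stable subscriber, nothing recorded
    "+919800000004": SimStatus("+919800000004", None, None, None),
    # Port-out to another operator yesterday
    "+919800000005": SimStatus("+919800000005", None, NOW - timedelta(days=1), None),
}


def lookup_sim_status(msisdn: str) -> Optional[SimStatus]:
    """Stand-in for the telco query. Returns None when the lookup fails
    (unknown subscriber, timeout, operator not onboarded)."""
    return _SAMPLE_TELCO_DB.get(msisdn)


def latest_change(status: SimStatus) -> Tuple[Optional[str], Optional[datetime]]:
    """Return (event_name, timestamp) of the most recent SIM-level change, or (None, None)."""
    events = [
        ("sim_change", status.last_sim_change),
        ("port_out", status.last_port_out),
        ("device_change", status.last_device_change),
    ]
    recorded = [(name, ts) for name, ts in events if ts is not None]
    if not recorded:
        return None, None
    return max(recorded, key=lambda e: e[1])


def evaluate_sms_otp(msisdn: str, now: datetime = NOW,
                     cool_off: timedelta = COOL_OFF) -> GateResult:
    """Decide, before a transaction, whether an SMS OTP may be sent to this number."""
    status = lookup_sim_status(msisdn)
    if status is None:
        # Fail closed: with no telco signal the SMS channel cannot be trusted.
        return GateResult(Decision.TELCO_UNAVAILABLE)
    event, when = latest_change(status)
    if event is not None and now - when < cool_off:
        return GateResult(Decision.BLOCK_SMS_OTP, event, when)
    return GateResult(Decision.ALLOW_SMS_OTP)


if __name__ == "__main__":
    for number in list(_SAMPLE_TELCO_DB) + ["+919800000099"]:
        result = evaluate_sms_otp(number)
        print(number, result.decision.value, result.triggering_event or "")
```

Two design choices matter in practice. The gate fails closed: if the telco lookup is unavailable, SMS is treated as untrusted rather than allowed by default, since an attacker who can disrupt the lookup should not thereby regain the weak channel. And a device change counts as a trigger alongside SIM replacement and port-out, because a fraudster who obtains a replacement SIM necessarily inserts it into a handset the operator has not seen with that number before.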

CONCLUSION

SIM-splitting, SIMjacking, SIM swap and port-out scamming are different names for the same social engineering fraud technique, which transfers control of the victim's phone number from their SIM card to a SIM controlled by the criminal.

Although the RBI has issued directions limiting the consumer's liability for losses due to fraud, this particular mode of account hijacking, taking over control of the victim's SIM card or cards, escapes the protection those directions offer.

Enhanced technological measures like behavioural heuristics, non-SMS-based authentications, biometrics and API-based solutions are the need of the hour. If the RBI does not make it mandatory to implement such enhanced counter-checks soon, the government or judiciary should pass suitable directions immediately to prevent harm to unsuspecting and innocent customers who may fall prey to these smart attacks without any fault or contributory negligence of their own.

Brijesh Singh is an author and IG, Maharashtra. Khushbu Jain is an advocate practising before the Supreme Court and a founding partner of law firm Ark Legal. The views expressed are personal.

