Consumers may not realize it, but their mobile phone is a gateway for criminals to take over their bank accounts. In a fast-growing scam known as SIM swapping, criminals transfer the phone number associated with a consumer’s mobile phone to the SIM card embedded in a mobile phone in their possession. They then use that device as a credential to take over the consumer’s bank accounts.
A SIM card, or subscriber identity module, is a removable computer chip on which mobile carriers store data such as a mobile phone number and address book.
“Mobile phones are becoming a hub for all kinds of consumer transactions, and even banks are moving consumers toward them for sending one-time passwords. So it’s not surprising that criminals are transitioning fraud to mobile devices,” says Al Pascual, senior vice president, research director, and head of fraud and security research for Pleasanton, Calif.-based Javelin Strategy & Research.
Account-takeover activity via mobile devices nearly doubled year-over-year between 2015 and 2016, Pascual adds.
To thwart SIM swaps, Payfone, a New York City-based provider of mobile and digital identity authentication technology, has developed an application that detects when a mobile phone number has been transferred from a SIM card on one mobile device to another. The application also notifies a consumer’s bank when a SIM swap occurs. Payfone announced this week it has secured a patent for the technology.
In a SIM swap, a criminal purchases consumer data on the black market to identify potential victims. After identifying consumers with mobile phones, the criminal contacts the victim’s carrier claiming to be a customer whose phone has been lost or stolen. He requests the phone number be ported to a new mobile phone connected to the carrier’s network.
After the criminal answers a couple of basic security questions—the answers to which are usually contained in data the criminal has—the mobile carrier transfers the victim’s phone number to the new device’s SIM card. The carrier then deletes the phone number from the SIM card in the victim’s phone, thereby cutting off the victim’s phone service.
“Mobile carriers are a weak link, because they don’t have particularly strong customer authentication,” Pascual says. “Verizon just this year stopped accepting Social Security numbers as a form of authentication.”
Once a SIM swap is complete, criminals can contact the victim’s bank and request a temporary account password or PIN be sent via text message. Because the victim’s phone is no longer receiving calls or texts, the message goes directly to the criminal’s phone without the victim’s knowledge.
Since the mobile number on the device used by the criminal matches the one the bank has on file, the criminal passes the first authentication hurdle. Answering a couple of additional questions gets the criminal through the security gate. Again, the answers are often contained in data the criminal has compiled on the consumer, fraud experts say.
Next, the criminal uses the temporary password or PIN to reset account passwords and assume control of the account. The criminal can then transfer money out of the account, order new credit or debit cards, or use account information to steal the victim’s identity.
Payfone monitors activity on mobile carriers’ networks to identify requests to port a phone number to a new device, as well as requests for new bank passwords. Payfone also works with all major mobile carriers in the United States and six of the top 10 banks. Investors in the company include American Express Ventures, Verizon Ventures, and bank-owned risk-management company Early Warning Services LLC.
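The correlation described above, a number moving to a new SIM followed by a request for a temporary password by text, can be sketched as a bank-side check. This is an added example, not Payfone's code or method; the event format, the phone numbers, and the 72-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: 72 hours is an illustrative risk window, not a figure from the article.
RISK_WINDOW = timedelta(hours=72)

# Constructed sample events in a hypothetical format: carrier-side SIM changes
# and bank-side requests for a temporary password or PIN sent by text message.
EVENTS = [
    {"ts": "2017-06-10T09:00:00", "type": "sim_change", "msisdn": "+15550100"},
    {"ts": "2017-06-10T09:40:00", "type": "otp_request", "msisdn": "+15550100"},
    {"ts": "2017-06-10T10:00:00", "type": "otp_request", "msisdn": "+15550199"},
    {"ts": "2017-06-20T08:00:00", "type": "otp_request", "msisdn": "+15550100"},
]


def evaluate(events, window=RISK_WINDOW):
    """Return one decision per otp_request, in time order."""
    last_change = {}  # msisdn -> datetime of the most recent SIM change
    decisions = []
    # Events may arrive out of order from two sources, so sort by timestamp first.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        number = ev["msisdn"]
        if ev["type"] == "sim_change":
            last_change[number] = ts
        elif ev["type"] == "otp_request":
            changed = last_change.get(number)
            if changed is not None and ts - changed <= window:
                # The text would reach whoever holds the new SIM, so withhold
                # it and verify the customer through another channel.
                action, sim_age = "hold_sms_and_step_up", ts - changed
            else:
                # No SIM change seen, or it is older than the risk window.
                action, sim_age = "send_sms", None
            decisions.append({"ts": ev["ts"], "msisdn": number,
                              "action": action, "sim_age": sim_age})
    return decisions


if __name__ == "__main__":
    for d in evaluate(EVENTS):
        print(d["ts"], d["msisdn"], d["action"], d["sim_age"])
```
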
Earlier this month Payfone struck a deal with Early Warning to provide mobile-authentication technologies for Early Warning’s Zelle person-to-person payments network. Zelle officially began rolling out this week.
“Some of our investors open the door to information we can use to detect SIM swapping,” says Rodger Desai, chief executive at Payfone.
Still, when it comes to combatting SIM swapping, Payfone’s technology is not the only game in town, say Javelin’s Pascual and Julie Conroy, research director for the Boston-based research firm Aite Group. Many competitors in the market, such as London-based ValidSoft, cut their teeth in the United Kingdom and Europe, where SIM swapping is more prevalent, according to Pascual.
“It will be interesting to see what kind of competitive advantage Payfone’s patent provides,” Conroy says.
She cautions that relying on one fraud-prevention technology can be risky. “There needs to be multiple layers of technology to effectively fight fraud,” she says.