In the past several years, consumers have been asked to enable SMS-based authentication on various platforms like bank accounts, mobile wireless providers, medical portals, and social media accounts, among others, to combat security threats. This two-factor authentication method relies on the concept that only the legitimate owner of a mobile number can receive and use the SMS codes to confirm access to their existing accounts. However, scammers have found a way to foil SMS-reliant authentication processes through SIM swapping.
Most telecommunications companies still use traditional phone-number, SMS codes or knowledge-based authentication as their primary means of customer identification. Many providers still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. These authentication procedures are ineffective in proving the true identity of the person.
SIM swap scams – also known as SIM jacking or port-out scamming – occur when cybercriminals succeed in tricking carrier service providers into porting out or transferring someone else’s mobile phone number into the fraudsters’ SIM cards. SIM swapping relies on weak SMS-based authentication. The fraudster just needs to have access to the target’s mobile phone number and enough personal data of their victim to convince customer service that they are the account owner. Once a SIM-swapper has hijacked a cell phone number, they now can gain easy access to the target’s banking and investment accounts.
Mobile carriers must improve their customer authentication processes and improve security measures to catch scammers. To curtail SIM swap scams and offer their customer enhanced assurance, the carriers must adapt modern identity authentication solutions like biometric multi-factor authentication (MFA) that offer stronger certainty of the true customer’s identity.
SIM Swap is on the Rise
SIM swap scam cases have risen in recent years and have even targeted prominent personalities.
In 2018, former Apple engineer Rob Ross lost almost $1 million because of a SIM swapping scam that allowed hackers to switch his mobile phone number to theirs. With control of his number, the perpetrators digitally became Rob Ross, allowing them access to his cryptocurrency account, where they quickly requested a password change, and stole his funds.
In the following year, Twitter CEO and co-founder, Jack Dorsey, was victimized by the same type of fraud. The perpetrators used his mobile number to take over his social media account and tweet inappropriate content.
Both incidents stemmed from the limited oversight of the mobile service operator.
A recent 2020 study from Princeton University of five US pre-paid mobile carriers found that four-fifths of SIM Swap attempts made to their services were successful. A key finding of the study identified that callers only needed to successfully respond to one challenge to authenticate, even if they had failed numerous prior challenges.
Using Biometric Multi-Factor Authentication to an Advantage
The 2020 study from Princeton University that detected flaws in wireless carriers’ identity authentication methods for SIM swaps recommended that mobile operators implement a strong authentication factor such as MFA. The Federal Trade Commission has also recommended using MFA to curtail SIM swap scams.
MFA utilizes a combination of authentication factors, including, but not limited, to the following:
- Knowledge factors – Something the account owner knows, such as passwords.
- Possession factors – Something the account owner has, such as codes and security keys.
- Inherence factors – Something unique to the account owner, such as fingerprints, facial features, or retina and iris patterns.
Using stronger authentication factors can help telecommunications companies identify scammers. Rather than simply assuming that a phone number identifies the real account owner, carriers can use inherence or biometric factors that are difficult to impersonate, in order to provide true identity authentication. These factors can act as a significant barrier to fraudulent SIM Swap or password reset attempts.
Mobile Facial Biometrics for Identity Authentication
Telecommunication enterprises should adopt modern verification methods like facial biometric multifactor authentication (MFA) that offer stronger certainty of the customer’s “true” identity.
Biometric authentication solutions can scan facial features and match them to ID photos. Some can also confirm the authenticity of the credential by comparing the document’s data or features with credible reference data sources like government registries to prevent fraudsters from cheating by using fake identity documents.
The ability to easily deliver and process facial biometric authentication to widespread mobile devices allows for seamless user experiences that can be performed anywhere, with no in-person visits. Mobile biometric authentication also meets recent demands in light of the current pandemic for ‘touchless’ identity authentication.
Moreover, modern biometric authentication technology integrates additional security features like liveness confirmation and anti-spoofing detection to ensure that a real person is present at the time of authentication.
With easy access to social media images and print image doctoring, fraudsters can spoof a facial recognition system. To plug this security gap, identity verification and biometric multi-factor authentication solutions often require the user perform an active liveness detection test such as a turn of the head, a blink or smile, to verify the presence of a real human being.
More sophisticated identity authentication solutions often include additional passive liveness and anti-spoofing attempts that work in the background, so fraudsters are not aware the liveness detection is occurring.
Conclusion
Fraudulent individuals perform SIM swapping scams by using stolen data to deceive cellular service providers in transferring someone else’s mobile number to their SIM card.
These perpetrators are cunning in circumventing weak security measures to carry out illicit activities in the name of the real identity owner.
Hence, telecommunication companies must deploy more robust security measures including biometric multi-factor authentication before confirming a port-out request.
Utilizing facial biometrics in MFA enables carrier service providers to determine fraudulent individuals and prevent them from executing SIM swap scams.
Verified™ by authID can stop fraudulent account takeover and identity spoofing with strong facial biometric authentication. Verified offers greater assurance than traditional identification methods and ensures accuracy in a selfie’s biometric matching to a trusted reference template. Verified harnesses mobile technology, active liveness tests, additional, passive anti-spoofing liveness confirmation, and NIST-certified biometric matching of a selfie to verified credentials to streamline authentication processes and detect fraudulent individuals.
Schedule a Demo with authID
authID.ai is a provider of an Identity as a Service (IDaaS) platform that delivers a suite of secure, mobile, biometric identity solutions, available to any vertical, anywhere. With authID’s products, telecommunication enterprises can identify fraudulent individuals and curb SIM swapping scams. Contact authID today at 1 (516) 778-5639 or click here to schedule a demo.