Frans Labuschagne, UK and Ireland country manager at mobile app security and authentication provider Entersekt, explains how SIM-swap fraud works and what financial services providers ought to do about it.
For millions of us, the mobile phone or tablet is our primary means of authenticating online transactions, if not initiating the transactions themselves. It is no wonder then that fraud vectors targeting the mobile device have proliferated wildly in recent years.
SIM-swap attacks, now growing in prevalence in the United Kingdom, were once considered rare: isolated attacks aimed at a few unlucky high-net-worth individuals. The technique has since evolved, allowing scammers to perpetrate broader-based attacks. ActionFraud UK, part of the National Fraud Intelligence Bureau, put the public on high alert in a recent warning.
Legal claims against banks are mounting. Complicating things is the difficulty of pinpointing who, if anyone, was negligent in the lead-up to a successful attack, which means that banks, mobile network operators and consumers continue to argue in the press and on social media over liability. These disputes play out in the public eye, and that damages trust in brands whose greatest asset is precisely that: trust.
The evolution of SIM-swap fraud
SIM-swap attacks also thwart banks’ attempts to coax customers into using digital banking channels instead of visiting relatively more expensive branches. Digital banking fraud is not new of course, and many consumers remain ambivalent about the safety of banking on their personal computers and mobile phones.
Ironically perhaps, SIM-swap fraud emerged as fraudsters adapted to banks’ efforts at protecting these channels. They worked to overcome the added security layer provided by SMS-based authentication, which commonly takes the form of a one-time password (OTP) sent to the phone and then typed into the primary banking channel, usually a browser.
Before banks started using SMS OTPs, scammers conducted man-in-the-middle attacks to gain access to consumers’ usernames and passwords. With these credentials, they gained the ability to fraudulently transfer funds out of their victim’s accounts. OTP-based authentication meant that they had to add a second phase to their attacks.
At first, they focused on intercepting the OTP through a counterfeit banking site or by using mobile trojans like Zeus, ZitMo, Citadel and Perkal, which leverage open access to SMS on mobile phones specifically to intercept OTPs. These remain the most popular approaches to stealing the OTP, but SIM swaps, where possible, make for a neat short cut.
In the diagram below, steps 1 to 5 describe a classic man-in-the-middle attack using a fake banking portal. Two other lines of attack appear in grey: OTP-stealing mobile malware and the SIM swap.
But how does a SIM-swap attack work, exactly? There are two main ways to swap a SIM card (or Subscriber Identification Module) fraudulently.
In a SIM clone, an attacker uses a card reader with a software toolkit to copy the SIM card onto a blank one. While this method is inexpensive and can take as little as 10 minutes, the fraudster needs access to the original SIM card and must act fast. Once the fraudster has a copy of the SIM, using it is likely to disconnect the legitimate subscriber from the mobile network, giving the attacker free rein to authenticate fraudulent financial transactions on their own phone, among other things.
SIM splitting does not require access to a physical device or SIM card. Organized crime groups trade digital files packed with personal data and account details sourced in mass data breaches and malware attacks. The fraudster will buy this data and use it to open a parallel account in their chosen victim’s name. Other details in the file or gained separately through social engineering and searches online provide them with enough information to answer security questions at the relevant mobile network operator and register a new SIM. The victim’s SIM is deregistered in turn, and the answers to security questions changed in order to frustrate the victim’s attempts at rectifying the situation.
Taking a holistic approach
To counter the rise of illegal SIM swaps effectively, banks and other organizations in the identity ecosystem must take a holistic view of their security. Such an approach includes mitigating human error as well as addressing technical weaknesses.
One of the weakest links in the security chain as it pertains to SIM-swap fraud is the mobile network operator contact centre. It is there, after all, that most SIM-swaps are requested and authorized. Fraudsters dial the call centre armed with details of their prospective victims, either harvested in previous data breaches or gathered online; agents can be manipulated through social engineering into breaking with procedure or recruited into criminal organizations; interactive voice recognition systems may not always raise alerts when callers make repeated attempts at cracking challenge questions; and advances in voice cloning are seriously impacting the efficacy of voice fingerprinting security software.
Aside from instituting preventative procedures like delaying SIM activations for a set number of hours, requiring that the customer approve the request over a separate channel, and only carrying them out during work hours, call centres can also use behavioural analytics to flag anomalies in customers' typical cross-channel behaviour.
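The contact-centre controls above, as an added example that is not from the article or from Entersekt: a Go policy check that counts failed security-question challenges per MSISDN over constructed call-centre events (the alert an IVR may never raise), then requires separate-channel confirmation, work-hours processing and a delayed activation. The thresholds, the event format and the names SwapRequest, RecentFailures and Evaluate are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed contact-centre events (not any operator's real log format):
// timestamp, MSISDN and outcome of each security-question challenge.
var sampleEvents = []string{
	"2020-09-14T08:40:00Z +447700900123 challenge_failed",
	"2020-09-14T09:10:00Z +447700900123 challenge_failed",
	"2020-09-14T09:55:00Z +447700900123 challenge_failed",
	"2020-09-14T10:20:00Z +447700900456 challenge_passed",
}
// Policy parameters; the values are assumptions for illustration.
const (
	failureWindow, activationDelay = 24 * time.Hour, 24 * time.Hour
	maxChallengeFailures           = 3
	workStartHour, workEndHour     = 9, 17
)
type SwapRequest struct {
	MSISDN            string
	RequestedAt       time.Time
	OutOfBandApproved bool // customer confirmed on a separate channel, e.g. the banking app
}
type Decision struct {
	Action     string    // "reject", "hold" or "schedule"
	Reason     string
	ActivateAt time.Time // earliest moment the replacement SIM may go live
}

// RecentFailures counts failed challenges for one MSISDN in the window ending at now.
func RecentFailures(events []string, msisdn string, now time.Time) int {
	n := 0
	for _, line := range events {
		f := strings.Fields(line)
		if len(f) != 3 || f[1] != msisdn || f[2] != "challenge_failed" {
			continue
		}
		if ts, err := time.Parse(time.RFC3339, f[0]); err == nil && !ts.After(now) && now.Sub(ts) <= failureWindow {
			n++
		}
	}
	return n
}

func withinWorkHours(t time.Time) bool {
	return t.Weekday() >= time.Monday && t.Weekday() <= time.Friday && t.Hour() >= workStartHour && t.Hour() < workEndHour
}

// Evaluate applies the controls in order: repeated failed challenges are treated as an attempt
// to crack the questions, then separate-channel confirmation, work hours and a cooling-off delay.
func Evaluate(r SwapRequest, events []string) Decision {
	switch {
	case RecentFailures(events, r.MSISDN, r.RequestedAt) >= maxChallengeFailures:
		return Decision{Action: "reject", Reason: "repeated failed security questions"}
	case !r.OutOfBandApproved:
		return Decision{Action: "hold", Reason: "awaiting confirmation on a separate channel"}
	case !withinWorkHours(r.RequestedAt):
		return Decision{Action: "hold", Reason: "outside processing hours"}
	}
	return Decision{Action: "schedule", Reason: "cooling-off period applied", ActivateAt: r.RequestedAt.Add(activationDelay)}
}

func main() {
	at := time.Date(2020, 9, 14, 10, 30, 0, 0, time.UTC) // a Monday, inside work hours
	fmt.Printf("%+v\n", Evaluate(SwapRequest{MSISDN: "+447700900123", RequestedAt: at, OutOfBandApproved: true}, sampleEvents))
}
```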
Creating an end-to-end security zone
The truth is that any digital service that relies on the mobile phone’s Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) to authenticate the subscriber is to some degree vulnerable to SIM-swap fraud. This is because identifying the subscriber’s device depends on the process employed by the mobile network operator to pair the MSISDN to a specific SIM card. This process, over which banks and other providers of sensitive digital functionality have no control, is open to exploitation by cybercriminals.
If financial services companies, insurance companies and healthcare providers are going to use the mobile phone for user authentication – and, indeed, it is fast becoming the preferred means of doing so worldwide – they must urgently reassess any SIM-based authentication solutions they have in place.
Consider implementing strong public-key cryptography on the mobile device, independently of the SIM card and native device security, and couple it with asymmetric encryption. This approach allows each mobile phone or tablet to be uniquely identified, transforming them into second factors of authentication. They can now be used with complete confidence to confirm a user’s identity when logging into an online banking portal or transacting from a mobile application. All two-way communication between device and service provider is encrypted from end to end.
It’s a single end-to-end security zone over which users can authenticate and digitally sign approvals of all sensitive transactions, whether digital banking, card-not-present purchases or call center interactions.
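An added example of the device-bound approach described above (not Entersekt's code): an Ed25519 key pair stands in for the strong public-key cryptography on the handset, the bank stores only the public key, and each approval is a signature over the transaction fields plus a server-issued nonce. A signature from any other handset fails verification even if that handset now answers to the same MSISDN after a swap; the example covers signing only, not the transport encryption the article also mentions. The names Enroll, SignApproval, VerifyApproval and the message layout are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnrolledDevice is the bank's record of one registered handset. Only the public
// key is stored; the private key is generated on the device and never leaves it,
// so whoever controls the MSISDN after a SIM swap gains nothing the bank accepts.
type EnrolledDevice struct {
	DeviceID  string
	MSISDN    string
	PublicKey ed25519.PublicKey
	usedNonce map[string]bool
}

// approvalMessage is the canonical byte string the device signs: the transaction
// fields plus a server-issued nonce, so a captured signature cannot be replayed.
func approvalMessage(txnID, payee string, amountPence int64, nonce string) []byte {
	return []byte(fmt.Sprintf("txn=%s|payee=%s|amount=%d|nonce=%s", txnID, payee, amountPence, nonce))
}

// Enroll generates the device key pair. In a real deployment the key pair is
// created on the handset and only the public half is sent to the bank.
func Enroll(deviceID, msisdn string) (*EnrolledDevice, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dev := &EnrolledDevice{DeviceID: deviceID, MSISDN: msisdn, PublicKey: pub, usedNonce: map[string]bool{}}
	return dev, priv, nil
}

// SignApproval runs on the device when the user approves a transaction.
func SignApproval(priv ed25519.PrivateKey, txnID, payee string, amountPence int64, nonce string) []byte {
	return ed25519.Sign(priv, approvalMessage(txnID, payee, amountPence, nonce))
}

// VerifyApproval runs at the bank. It succeeds only for the enrolled key and only
// once per nonce, regardless of which SIM currently answers to the MSISDN.
func (d *EnrolledDevice) VerifyApproval(txnID, payee string, amountPence int64, nonce string, sig []byte) error {
	if d.usedNonce[nonce] {
		return errors.New("nonce already used: possible replay")
	}
	if !ed25519.Verify(d.PublicKey, approvalMessage(txnID, payee, amountPence, nonce), sig) {
		return errors.New("signature does not match the enrolled device key")
	}
	d.usedNonce[nonce] = true
	return nil
}

func main() {
	dev, priv, _ := Enroll("handset-1", "+447700900123")
	sig := SignApproval(priv, "T42", "ACME LTD", 125000, "n-1001")
	fmt.Println("enrolled device:", dev.VerifyApproval("T42", "ACME LTD", 125000, "n-1001", sig))

	// After a SIM swap the MSISDN answers to a different handset with its own key pair.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherSig := SignApproval(otherPriv, "T43", "NEW PAYEE", 900000, "n-1002")
	fmt.Println("swapped SIM:", dev.VerifyApproval("T43", "NEW PAYEE", 900000, "n-1002", otherSig))
}
```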
Staying ahead of cybercriminals is a race. As fast as vendors and service providers come up with ways to prevent one line of attack, another will pop up. The reputational, financial and legal risks posed by SIM-swap fraud demand that security professionals aggressively apply themselves to lowering their exposure to these attacks while preparing for future threats.
Bringing finance into the 21st Century – How COVID and collaboration are catalysing digital transformation
By Keith Phillips, CEO of TISATech
If just six or seven months ago someone had told you that in a matter of weeks people around the world would be locked down in their homes, trying to navigate modern work systems from a prehistoric laptop, bickering with family over who’s hogging the Wi-Fi, migrating online to manage all financial services digitally, all while washing their hands every five minutes in fear of a global pandemic… You’d think they had lost their mind. But this very quickly became the reality for huge swathes of the world and we’re about to go through that all over again as the UK government has asked that those who can work from home should.
Unsurprisingly, statistics show that the lockdown restrictions introduced by the UK government in March led to a sharp increase in people adopting digital services. Banks encouraged their customers to log on to online banking as they limited (and eventually halted) services at branches. This forced many customers online as their primary means of managing personal finances for the first time.
If anyone had doubts before, the Covid-19 pandemic proved to us the importance of well-functioning, effective digital financial services platforms, for both financial institutions and the people using them.
But with this sudden mass online migration, it’s become clear that traditional banks have struggled to keep up with servicing clients virtually. Legacy banking systems have always stilted the digitisation of financial services, but the pandemic thrust this issue into the limelight. Fintech firms, which focus intently on digital and mobile services, knew it was only a matter of time before financial institutions’ reliance was to increase at an unprecedented rate.
For years, fintechs have been called upon by traditional players to find solutions to problems borne from those clunky legacy systems, like manual completion of account changes and money transfers. Now it is the demand for these services to be online coupled with the need for financial services firms to cut costs, since Covid-19 hit the economy.
Covid-19 has catalysed the urgent need to bring digital transformation to a wider pool of financial services businesses. Customers now have even higher expectations of larger institutions, demanding that they keep up with what the younger and more nimble challengers have to offer. Industry leaders realise that they must transform their businesses as soon as possible, by streamlining and digitising operations to compete and, ultimately, improve services for their customers.
The race for digital acceleration began far before the recent pandemic – in fact, following the 2008 financial crisis is likely more accurate. Since the credit crunch, there has been a wave of new fintech firms, full of young, bright techies looking to be the next big thing. Fintechs have marketed themselves hard at big conferences and expos or by hosting ‘hackathons’, trying to prove themselves as the fastest, most innovative or the most vital to the future of the industry.
However, even during this period where accelerating innovation in online financial services and legacy systems is crucial, the conditions brought about by the pandemic have not been conducive to this much-needed transformation.
The second issue, which again was clear well before the pandemic, is the fact that no matter how nimble or clever the fintechs’ solutions are, it is still hard to implement them seamlessly, as the sector is highly fragmented, with banks using extremely outdated systems populated with vast amounts of data.
With the significance of the pandemic becoming more and more clear, and the need for better digital products and services becoming more crucial to financial services firms and consumers by the day, the industry has finally come together to provide a solution.
The TISAtech project was launched last month by The Investing and Saving Alliance (TISA), a membership organisation in the UK with more than 200 leading financial institutions as members. TISA asked The Disruption House, a specialist benchmarking and data analytics business, to create a clearing house platform for the industry to help it more effectively integrate new financial technology. The project aims to enhance products and services while reducing friction and ultimately lowering costs which are passed on to the customers.
With nearly 4,000 fintechs from around the world participating, it will be the world’s largest marketplace dedicated to Open Finance, Savings, and Investment.
Not only will it provide a ‘matchmaking’ service between financial institutions and fintechs, it will also host a sandbox environment. Financial institutions can pose real problems with real data and the fintechs are given the space to race to the bottom – to find the most constructive, cost-effective solution.
Yes, there are other marketplaces, but they all seem to struggle to achieve a return on investment. There is a genuine need for the ‘Trivago’ of financial technology – a one stop shop, run by an independent body, which can do more than just matchmaking. It needs to go above and beyond to encompass the sandboxing, assessments, profiling of fintechs to separate the wheat from the chaff, and provide a space for true collaboration.
The pandemic has taught us that we are more effective if we work together. We need mass support and collaboration to find solutions to problems. Businesses and industries are no different. If fintechs and financial institutions can work together, there is a real chance that we can start to lessen the economic hit for many businesses and consumers by lowering costs and streamlining better services and products. And even if it is just making it that little bit easier to manage personal finances from home when fighting with your children for the Wi-Fi, we are making a difference.
What to Know Before You Expand Across Borders
By Sean King, Director of International Tax at McGuire Sponsel
The American retail giant, Target Corporation, has a market cap of $64 billion and access to seemingly limitless resources and advisors. So, when the company engaged in its first global expansion, how could anything possibly go wrong?
Less than two years after opening its first Canadian store in 2013, Target shut down all 133 Canadian locations and terminated more than 17,000 Canadian employees.
Expansion of an operation to another country can create unique challenges that may impact the financial viability of the entire enterprise. If Target Corporation can colossally fail in its expansion to Canada, how might Mom ‘N’ Pop LLC fare when expanding into Switzerland, Singapore, or Australia?
Successful global expansion requires an understanding of multilayered taxes, regulatory hurdles, employment laws, and cultural nuances. Fortunately, with the right guidance, global expansion can be both possible and profitable for businesses of any size.
Any company with global ambitions must first consider whether the company’s expansion outside of the U.S. will give rise to a taxable presence in the local country. In the cross-border context, a “permanent establishment” can be created in a local country when the enterprise reaches a certain level of activity, which is problematic because it exposes the U.S. multinational to taxation in the foreign country.
Foreign entity incorporation
To avoid permanent establishment risk, many U.S. multinationals choose to operate overseas through a formal corporate subsidiary, which reduces the company’s foreign income tax exposure, though it may result in an additional level of foreign income tax on the subsidiary’s earnings. In most jurisdictions, multinationals can operate their business in the foreign country as a branch, a pass through (e.g., partnership) or a corporation.
As a branch, the U.S. multinational does not create a subsidiary in the foreign country. It holds assets, employees, and bank accounts under its own name. With a pass through, the U.S. multinational creates a separate entity in the foreign country that is treated as a partnership under the tax law of the foreign country but not necessarily as a partnership under U.S. tax law.
U.S. multinationals can also create corporate subsidiaries in the foreign country treated as corporations under the tax law of both the foreign country and the U.S., with possibly two levels of income taxation in the foreign country plus U.S. income taxation of earnings repatriated to the U.S. as dividends.
Under U.S. entity classification rules, certain types of entities can “check the box” to elect their classification to be taxed as a corporation with two levels of tax, a partnership with pass-through taxation, or even be disregarded for U.S. federal income tax purposes. The check the box election allows U.S. multinationals to engage in more effective global tax planning.
Toll charges, transfer pricing and treaties
When establishing a foreign corporate subsidiary, the U.S. multinational will likely need to transfer certain assets to the new entity to make it fully operational. However, in many cases, the U.S. multinational cannot perform the transfer without recognizing taxable income. In the international context, the IRS imposes certain outbound “toll charges” on the transfer of appreciated property to a foreign entity, which are usually provided for in IRC Section 367 and subject to various exceptions and nuances.
Instead, the U.S. multinational may prefer to license intellectual property to the foreign subsidiary for a fee rather than transfer the property outright. However, licensing requires the company and foreign subsidiary to adhere to transfer pricing rules, as dictated by IRC Section 482. The U.S. multinational and the foreign subsidiary must interact in an arms-length manner regarding pricing and economic terms. Furthermore, any such arrangement may attract withholding taxes when royalties are paid across a border.
Are you GILTI?
Certain U.S. multinationals opt to focus on deferring the income recognition at the U.S. level. In doing so, they simply leave overseas profits overseas and delay repatriating any of the earnings to the U.S.
Despite the general merits of this form of planning, U.S. multinationals will be subject to certain IRS anti-deferral mechanisms, commonly known as “Subpart F” and GILTI. Essentially, U.S. shareholders of certain foreign corporations are forced to recognize their pro rata share of certain types of income generated by these foreign entities at the time the income is earned instead of waiting until the foreign entity formally repatriates the income to the U.S.
The end goal
Essentially, all effective international tax planning boils down to treasury management. Effective and early tax planning can properly allow a company to better achieve its initial goal: profitability.
If global expansion is on the horizon for your company, consult a licensed professional for advice concerning your specific situation.
Pandemic risks eclipse treasury priorities as businesses diversify investments to mitigate impact
The Covid-19 pandemic has shunted aside existing challenges to sit atop treasurers’ priority lists, according to “The resilient treasury: Optimising strategy in the face of covid-19”, a survey run by the Economist Intelligence Unit (EIU) and sponsored by Deutsche Bank.
The results show that treasurers are looking to diversify their investments in a bid to mitigate the pandemic impacts, including heightened liquidity, foreign-exchange and interest-rate risk. As many as 55% plan to increase investments in long-term instruments, with 48% increasing investments in bank deposits, another 48% in local investment products, and 47% in money-market funds.
“The Covid-19 pandemic has drastically altered business plans in 2020. It has placed a certain level of strain on treasury processes, but the challenge it presents has been managed by traditional treasury skills. It is clear that pandemic risk will be on the treasury checklist for years to come, but it is one of many risks the department faces and will continue to manage,” says Melanie Noronha, the EIU editor of the report.
Despite Covid-19 looming large, other challenges wait in the wings. Notably, the replacement of the London Interbank Offered Rate was identified by 38% of respondents as the main challenge of their function.
Technology, meanwhile, continues to be a pressing issue, with treasury teams becoming increasingly reliant on IT solutions. Here, data quality is rising up the list of concerns. Already highlighted as very or somewhat concerning in 2019 by 69% of respondents, the figure rose to 78% in 2020. Acquiring the necessary skill sets to realise the full benefits of this data and technology is also a continuing priority – with some progress registered from last year. In 2020, 30% of respondents say they have all the skills they need to manage technological change, up from 22% in 2018.
“Treasury’s focus on technology is not only helping teams operate more efficiently in a remote-working environment, it has long played – and continues to play – a key role in realising their long-term priorities,” notes Ole Matthiessen, Head of Cash Management, Corporate Bank, Deutsche Bank. The survey shows that managing relationships with banks and suppliers (highlighted by 32% of respondents) and collaborating with other functions of the business (also 32%) remain top of the agenda – and seamless digital systems will help give treasurers the bandwidth and insight to be more effective partners for both internal and external stakeholders.
Based on a global survey of 300 treasury executives, conducted between April and May, the survey explores stakeholders’ attitudes among corporate treasurers towards the drivers of strategic change in the treasury function – from the pandemic through to regulation and technology – and their priorities for the next five years.