Frans Labuschagne, UK and Ireland country manager at mobile app security and authentication provider Entersekt, explains how SIM-swap fraud works and what financial services providers ought to do about it.
For millions of us, the mobile phone or tablet is our primary means of authenticating online transactions, if not initiating the transactions themselves. It is no wonder then that fraud vectors targeting the mobile device have proliferated wildly in recent years.
SIM-swap attacks in the United Kingdom were once considered rare – isolated attacks aimed at a few unlucky high-net-worth individuals. The technique has since evolved, allowing scammers to perpetrate broader-based attacks, and their growing prevalence led ActionFraud UK, part of the National Fraud Intelligence Bureau, to put the public on high alert in a recent warning.
Legal claims against banks are mounting, but the difficulty of pinpointing who, if anyone, was negligent in the lead-up to a successful attack means that banks, mobile network operators and consumers continue to argue in the press and on social media over liability. These disputes play out in the public eye, and they damage trust in brands whose greatest asset is precisely that: trust.
The evolution of SIM-swap fraud
SIM-swap attacks also thwart banks’ attempts to coax customers into using digital banking channels instead of visiting relatively more expensive branches. Digital banking fraud is not new of course, and many consumers remain ambivalent about the safety of banking on their personal computers and mobile phones.
Ironically perhaps, SIM-swap fraud emerged as fraudsters adapted to banks’ efforts at protecting these channels. They worked to overcome the added security layer provided by SMS-based authentication, which commonly takes the form of a one-time password (OTP) sent to the phone and then typed into the primary banking channel, usually a browser.
Before banks started using SMS OTPs, scammers conducted man-in-the-middle attacks to gain access to consumers’ usernames and passwords. With these credentials, they gained the ability to fraudulently transfer funds out of their victim’s accounts. OTP-based authentication meant that they had to add a second phase to their attacks.
At first, they focused on intercepting the OTP through a counterfeit banking site or by using mobile trojans like Zeus, ZitMo, Citadel and Perkal, which leverage open access to SMS on mobile phones specifically to intercept OTPs. These remain the most popular approaches to stealing the OTP, but SIM swaps, where possible, make for a neat short cut.
In the diagram below, steps 1 to 5 describe a classic man-in-the-middle attack using a fake banking portal. Two other lines of attack appear in grey: OTP-stealing mobile malware and the SIM swap.
But how does a SIM-swap attack work, exactly? There are two main ways to swap a SIM card (or Subscriber Identification Module) fraudulently.
In a SIM clone, an attacker uses a card reader with a software toolkit to copy the SIM card onto a blank one. While this method is inexpensive and can take as little as 10 minutes, the fraudster needs access to the original SIM card and must act fast. Once the fraudster has a copy of the SIM, using it is likely to disconnect the legitimate subscriber from the mobile network, giving the attacker free rein to authenticate fraudulent financial transactions on their own phone, among other things.
SIM splitting does not require access to a physical device or SIM card. Organized crime groups trade digital files packed with personal data and account details sourced in mass data breaches and malware attacks. The fraudster will buy this data and use it to open a parallel account in their chosen victim’s name. Other details in the file or gained separately through social engineering and searches online provide them with enough information to answer security questions at the relevant mobile network operator and register a new SIM. The victim’s SIM is deregistered in turn, and the answers to security questions changed in order to frustrate the victim’s attempts at rectifying the situation.
Taking a holistic approach
To counter the rise of illegal SIM swaps effectively, banks and other organizations in the identity ecosystem must take a holistic view of their security. Such an approach includes mitigating human error as well as addressing technical weaknesses.
One of the weakest links in the security chain as it pertains to SIM-swap fraud is the mobile network operator contact centre. It is there, after all, that most SIM-swaps are requested and authorized. Fraudsters dial the call centre armed with details of their prospective victims, either harvested in previous data breaches or gathered online; agents can be manipulated through social engineering into breaking with procedure or recruited into criminal organizations; interactive voice recognition systems may not always raise alerts when callers make repeated attempts at cracking challenge questions; and advances in voice cloning are seriously impacting the efficacy of voice fingerprinting security software.
Aside from instituting preventative procedures like delaying SIM activations for a set number of hours, requiring that the customer approve the request over a separate channel, and only carrying them out during work hours, call centres can also use behavioural analytics to flag anomalies in customers’ typical cross-channel behaviour.
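The contact-centre controls listed above can be enforced by the operator’s request-handling system rather than left to an individual agent’s judgement. The Go program below is an added example written for this page, not an operator’s or Entersekt’s code: it models one SIM-swap request passing through a cooling-off delay, approval over a separate channel, a work-hours restriction, and a lock-out with alert after repeated failed security-question answers. The policy values (24-hour delay, three failures, 09:00 to 17:00 on weekdays) and all type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Hypothetical policy values, constructed for this example.
const (
	CoolingOff        = 24 * time.Hour // delay between request and activation
	MaxChallengeFails = 3              // failed security-question answers before an alert
	WorkStartHour     = 9
	WorkEndHour       = 17
)

var (
	ErrTooManyFailures = errors.New("challenge-question attempts exceeded: alert raised, escalate")
	ErrNotVerified     = errors.New("challenge questions not passed")
	ErrNotApproved     = errors.New("customer has not approved the swap over a separate channel")
	ErrCoolingOff      = errors.New("cooling-off period has not elapsed")
	ErrOutOfHours      = errors.New("SIM swaps are only carried out during work hours")
)

// SwapRequest tracks one SIM-swap request through the contact-centre controls.
type SwapRequest struct {
	MSISDN        string
	RequestedAt   time.Time
	ChallengeFail int  // incorrect security-question answers so far
	Verified      bool // caller answered the security questions correctly
	Approved      bool // customer approved via a channel the caller does not control
	Executed      bool
}

// AnswerChallenge records one security-question attempt. Once the failure
// threshold is reached the request is locked and an alert error is returned,
// so an agent cannot keep accepting guesses from the caller.
func (r *SwapRequest) AnswerChallenge(correct bool) error {
	if r.ChallengeFail >= MaxChallengeFails {
		return ErrTooManyFailures
	}
	if !correct {
		r.ChallengeFail++
		if r.ChallengeFail >= MaxChallengeFails {
			return ErrTooManyFailures
		}
		return errors.New("incorrect answer")
	}
	r.Verified = true
	return nil
}

// ApproveOutOfBand marks approval received over a separate channel, for
// example a push notification to the existing handset or a banking app.
func (r *SwapRequest) ApproveOutOfBand() { r.Approved = true }

// withinWorkHours is true on weekdays between WorkStartHour and WorkEndHour.
func withinWorkHours(t time.Time) bool {
	wd := t.Weekday()
	if wd == time.Saturday || wd == time.Sunday {
		return false
	}
	return t.Hour() >= WorkStartHour && t.Hour() < WorkEndHour
}

// Execute activates the new SIM only when every control has been satisfied.
func (r *SwapRequest) Execute(now time.Time) error {
	switch {
	case r.ChallengeFail >= MaxChallengeFails:
		return ErrTooManyFailures
	case !r.Verified:
		return ErrNotVerified
	case !r.Approved:
		return ErrNotApproved
	case now.Sub(r.RequestedAt) < CoolingOff:
		return ErrCoolingOff
	case !withinWorkHours(now):
		return ErrOutOfHours
	}
	r.Executed = true
	return nil
}

func main() {
	// Constructed walk-through: a Monday-morning request on a reserved UK drama number.
	req := &SwapRequest{MSISDN: "+447700900123", RequestedAt: time.Date(2021, 1, 4, 10, 0, 0, 0, time.UTC)}
	_ = req.AnswerChallenge(true)
	fmt.Println("immediate attempt:", req.Execute(req.RequestedAt.Add(time.Hour)))
	req.ApproveOutOfBand()
	fmt.Println("after approval, same hour:", req.Execute(req.RequestedAt.Add(time.Hour)))
	fmt.Println("next working day:", req.Execute(req.RequestedAt.Add(CoolingOff)), "executed:", req.Executed)
}
```

The point of putting these checks in `Execute` rather than in a procedure document is that a socially engineered or complicit agent cannot skip them: the system refuses to activate the SIM until the delay has run, the customer has approved on a channel the caller does not control, and the request falls inside working hours.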
Creating an end-to-end security zone
The truth is that any digital service that relies on the mobile phone’s Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) to authenticate the subscriber is to some degree vulnerable to SIM-swap fraud. This is because identifying the subscriber’s device depends on the process employed by the mobile network operator to pair the MSISDN to a specific SIM card. This process, over which banks and other providers of sensitive digital functionality have no control, is open to exploitation by cybercriminals.
If financial services companies, insurance companies and healthcare providers are going to use the mobile phone for user authentication – and, indeed, it is fast becoming the preferred means of doing so worldwide – they must urgently reassess any SIM-based authentication solutions they have in place.
Consider implementing strong public-key cryptography on the mobile device, independently of the SIM card and native device security, and couple it with asymmetric encryption. This approach allows each mobile phone or tablet to be uniquely identified, transforming them into second factors of authentication. They can now be used with complete confidence to confirm a user’s identity when logging into an online banking portal or transacting from a mobile application. All two-way communication between device and service provider is encrypted from end to end.
It’s a single end-to-end security zone over which users can authenticate and digitally sign approvals of all sensitive transactions, whether digital banking, card-not-present purchases or call centre interactions.
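As an added illustration of the device-bound approach described above (example code written for this page, not Entersekt’s product), the Go program below uses an Ed25519 key pair generated on the handset as the second factor: the bank enrols the device’s public key, issues a challenge containing the transaction details and a single-use nonce, and accepts the approval only if it is signed by the enrolled device. The private key never touches the SIM, so a phone that merely holds the victim’s number cannot produce a valid signature, and consuming the nonce stops a captured approval from being replayed. The type names, payload format and enrolment flow are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Device is a handset holding a key pair generated on the device itself.
// The private key is bound to the hardware, not the SIM, so a swapped or
// cloned SIM gives an attacker's phone nothing it can sign with.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Approve signs exactly the approval text the bank presented, so the user
// signs what they see and the signature cannot be moved to another payment.
func (d *Device) Approve(payload []byte) []byte { return ed25519.Sign(d.priv, payload) }

var ErrRejected = errors.New("approval rejected")

// Bank keeps one enrolled device public key per user and the set of
// outstanding single-use nonces.
type Bank struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Enrol binds a device public key to a user. In practice this happens once,
// after identity proofing that does not itself rely on SMS.
func (b *Bank) Enrol(user string, pub ed25519.PublicKey) { b.keys[user] = pub }

// Challenge builds the payload the device must sign for one transaction:
// the user, the transaction details and a fresh random nonce (assumed format).
func (b *Bank) Challenge(user, txn string) ([]byte, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	nonce := hex.EncodeToString(raw)
	b.nonces[nonce] = true
	return []byte(fmt.Sprintf("user=%s;txn=%s;nonce=%s", user, txn, nonce)), nil
}

func extractNonce(payload []byte) string {
	const tag = ";nonce="
	s := string(payload)
	i := strings.LastIndex(s, tag)
	if i < 0 {
		return ""
	}
	return s[i+len(tag):]
}

// Verify accepts an approval only if it names this user, carries an
// outstanding nonce, and is signed by the device enrolled for the user.
// The nonce is consumed so the same approval cannot be presented twice.
func (b *Bank) Verify(user string, payload, sig []byte) error {
	pub, ok := b.keys[user]
	if !ok || !strings.HasPrefix(string(payload), "user="+user+";") {
		return ErrRejected
	}
	nonce := extractNonce(payload)
	if !b.nonces[nonce] {
		return ErrRejected
	}
	if !ed25519.Verify(pub, payload, sig) {
		return ErrRejected
	}
	delete(b.nonces, nonce)
	return nil
}

func main() {
	bank := NewBank()
	phone, _ := NewDevice("handset-A") // constructed names
	bank.Enrol("alice", phone.PublicKey())
	payload, _ := bank.Challenge("alice", "pay 500 GBP to sort 00-00-00 acct 12345678")
	fmt.Println("enrolled handset:", bank.Verify("alice", payload, phone.Approve(payload)))
	other, _ := NewDevice("handset-B") // a different phone, even if it now holds alice's number
	payload2, _ := bank.Challenge("alice", "pay 500 GBP to sort 00-00-00 acct 12345678")
	fmt.Println("other handset:", bank.Verify("alice", payload2, other.Approve(payload2)))
}
```

Because the transaction details are inside the signed payload, the bank can also show the user exactly what they are approving, which addresses the man-in-the-middle scenario in the diagram as well as the SIM swap: a fake portal that alters the amount after the user has seen it cannot obtain a signature over the altered text.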
Staying ahead of cybercriminals is a race. As fast as vendors and service providers come up with ways to prevent one line of attack, another will pop up. The reputational, financial and legal risks posed by SIM-swap fraud demand that security professionals aggressively apply themselves to lowering their exposure to these attacks while preparing for future threats.
Three questions the financial services industry must answer in 2021
Xformative, a Mastercard Start Path recipient, shares what these questions mean for fintech partners and their innovations
This year, fintechs and institutions alike pushed the limit on how fast, innovative, and digitally-savvy they could be. Buzzwords like cloud and faster payments made headlines, but 2021 will be about refining best practices and putting them into action. Xformative believes that more industries should benefit from digital payments and that it’s not just about faster payments, but the option to offer multiple methods.
- Which industries are lagging in the digital payments space and why? The pandemic forced financial institutions and their partners to move digital transformation into a new phase of maturity. But this doesn’t mean every industry has transformed; there are still laggards. According to a survey of more than 1,400 American freelancers and contractors, conducted by Bill.com, more than half said they were still receiving their money in the form of a physical check. Checks still exist in spaces like Property and Casualty, though we did see some reassuring industry changes this year. The year ahead will require businesses to offer more payments flexibility outside of physical checks to meet the payment needs of their gig workers, freelancers, and contractors. Businesses will rely on technology partners to bring them up to speed and simplify the payments process.
- How can fintechs overcome the challenges of building in the cloud? Most businesses want to architect using a select cloud provider, or at least offer cloud-based services, to remain competitive in today’s fast-paced, disruptive landscape. There are assumptions that cloud architecture will inherently be less expensive to operate than legacy mainframe systems, but for many, these assumptions have turned upside down when developers fail to understand cloud cost optimization principles. As fintechs look to build in the cloud, they should ensure their technology is highly optimized, only leveraging real-time capabilities and transactions when required. Responsible fintechs should focus on balancing customer experience and economics with a mix of batch and real-time capabilities, constantly asking themselves, “is real-time the best choice?” Just because real-time can be offered doesn’t mean it should, and 2021 will be about drawing the line between utilization and optimization.
- Why is offering more payment choices important? Emerging faster payments are working in parallel, not as a replacement for other methods. People want options to be able to pay however they like, whether it’s with Zelle, Venmo, Apple Pay, or traditional methods like cash or card, and financial institutions need to be prepared to meet this demand. The card that consumers once kept in their wallet was a key component of the bank’s and/or program manager’s brand value, as well as potentially communicating the cardholder’s lifestyle and socioeconomic status. 2021 will reinforce the value of financial institutions having partnerships with fintechs who can help them evolve their brand value to include the broad scope of emerging payments.
It’s time fintechs and institutions partner to digitize payments and offer choices. 2021 is about building smart and partnering for capabilities that can open the door to new opportunities at a financial institution.
2020: The paradoxical year that has reshaped the future of motor insurance and related sectors
By Alan Inskip, Tempcover CEO & Founder
There’s no doubt that 2020 will be remembered as the year that changed the world. Whether that overall change was for the better or for the worse is a matter of perspective. One thing is for certain, 2020 has been the year of immense innovation and adaptability in the face of seemingly insurmountable adversity caused by the COVID-19 pandemic. In this piece, I’ll touch on some of the greatest challenges that could have had a potentially crippling effect on the economy but instead were overcome and ultimately paved the way for increased resilience and innovation.
Public transport shunned in favour of private vehicles, but driving patterns dramatically shift
With ten months of varying national and regional lockdown restrictions, passenger numbers on public transport have plummeted as many people continue to work remotely, and with most opting for the safety of travelling by private vehicle when they do need to get out and about. But because of restrictive travel measures, motorists have been using their vehicles far less frequently.
This posed a major challenge for traditional motor insurers that were not able to swiftly adapt to this change, with many coming under fire for failing to adjust annual premiums in line with new driver trends. As motorists became increasingly frustrated at having to pay the same premiums, or sometimes even more, despite their vehicle usage being substantially reduced, the relatively new and still largely unfamiliar InsurTech industry was able to rise to the occasion.
In short, InsurTech involves the utilisation of the latest technological innovations such as data analysis, cloud computing, artificial intelligence and machine learning to enable insurance products to become more agile and flexible in line with modern consumer demand – all while remaining price competitive.
Being fully-digital and technology-driven, InsurTechs demonstrated the flexibility and agility that enabled them to adapt to the huge shift in customer demand and step change in how insurance is purchased and consumed. They did this by offering an entirely digital user experience in near real-time, with temporary policies tailored to the time actually needed – anywhere from 1 hour to 28 days.
In a time of furlough and economic uncertainty, this meant that many motorists who were not using their vehicles regularly did not have to take drastic action like declaring their vehicle SORN to achieve short-term financial relief. Nor did they have to risk driving uninsured or committing to an annual policy that they could ill afford at the time.
The rise of the digital dealership offering temporary insurance as part of the purchase journey
In the automotive retail market, dealerships were forced to make drastic changes to their operating models to comply with social distancing guidelines. Showroom footfall and subsequent sales initially plummeted. But in the face of this immense adversity, we witnessed the rise of the digital dealership, a concept that would have been unfathomable even just a year ago.
Cazoo was the first fully-digital platform to enter the vehicle dealership market in late 2019, and there has also been significant investment this year in new entrants such as Cinch and Carwow. Traditional dealerships such as Arnold Clark, Cargiant and Motorpoint have extended the digital aspects of their purchase journeys with services including home delivery and Click and Collect as alternative options to the full showroom experience.
InsurTech has been instrumental in ensuring that car insurance supports this shift to digital, as several national blue-chip dealerships, with both physical and digital showroom floors, now offer temporary driveaway insurance policies that cover the vehicle for a fixed-term, usually between five to seven days.
The entirely online one-step user experience is the first of its kind in the traditionally outdated and inflexible driveaway insurance industry and it is dramatically simplifying the process of how insurance is purchased and consumed. Due to the flexibility and agility of the digital solution, each retailer has its own unique URL, where the customer can obtain a simple single-cost policy in just 90 seconds through an entirely digital process, which fits in line with the evolving consumer purchase trends.
This takes the stress out of searching for annual insurance on the spot and provides the driver with near instant cover so that they can immediately drive their new car while giving them the opportunity to thoroughly research the best annual policy to suit their needs. It’s also an ideal solution while the car is under its money-back warranty, as the driver does not have to commit to an annual policy on a car that might be returned. Another benefit is there’s no risk to any existing No Claims Discount, as it’s a separate and standalone policy.
Declining brand loyalty and a demand for a more personalised and convenient user experience
Insurance has an unenviable reputation for being inflexible and even unwilling to adapt to shifting consumer trends – making it confusing for most customers. Even pre-COVID, there was a clear trend that brand loyalty was in decline, as modern day consumers are no longer prepared to remain blindly loyal to any company for a long-term period. Instead, they will reward businesses that offer a simple and convenient user experience at best value. COVID accelerated this trend and many large insurers have struggled to adapt accordingly.
Conversely, this has enabled InsurTech to thrive, as the products and user journeys are developed with direct input from customers to ensure that they are receiving a straightforward and fit-for-purpose solution that best fits their needs and requirements. Just some examples of this are simplified terms and conditions, near-instant and paperless policy documentation via the web or dedicated app, and data-driven customer engagement initiatives that offer personalised discounts and communication via email and text messaging. The end result is a user experience that is easier, more convenient and better value for potential consumers in the market.
Cautiously optimistic (if somewhat uncertain) future
Even in the most stable periods, it’s a challenge to accurately predict future market trends. And with 2020 completely rewriting the rulebook on how business is conducted, it would be remiss of me to make outright predictions. One thing is for certain, the days of slow, inflexible and costly motor insurance are numbered. It is important to note that this doesn’t mean that InsurTech is gaining the upper hand at the expense of the traditional insurers in a bid to replace them.
Instead it is there to fill a gap and act as a complementary add-on to provide the best possible value to the consumer. Industry players that enter new collaborative partnerships will dramatically improve the consumer experience, leading to new business wins and return custom, which ultimately impacts positively on the bottom line. But those that fail to adapt will be left behind.
I believe that we can look forward to a futuristic economy in 2021, where ground breaking technology continues to advance at an unprecedented rate to adapt to rapidly evolving consumer lifestyles and subsequent purchasing habits. The real winner will be the consumer and that is in everyone’s best interest.
Leadership and management in a WFH world
By Carolyn Moore, SVP of People at Auth0
Although many of us will have settled into some kind of groove, having worked away from the office for the best part of a year, there are still numerous challenges that businesses and their workforces face in this new reality.
One particularly pertinent challenge is the one faced by people managers, especially those managing virtually for the first time. How can you ensure productivity from those in your charge when you don’t have direct oversight? How do you have those more difficult conversations over a video call? Some of your team may be handling remote working better than others, so how differently should you be handling them day-to-day?
For the majority of businesses these are questions they’re still grappling with. When the pandemic hit, we happened to be in the fortunate position of being a remote-first business, where 60% of our nearly 700 employees were already working from home. As a result, the uptick to 100% was far less taxing for us. In seven years of working from home, we’ve learned many lessons about managing teams remotely, a few of which may help leaders who are still navigating the transition.
Keeping communication channels open to build trust
Leading a remote team is wholly different to the usual in-office setup. Strict hierarchy and any notion of presenteeism do not translate well into the remote working environment. You have to accept that your employees’ domestic life will necessarily overlap with their professional one.
Leading a virtual team requires trust and a philosophy of work based on results, and managers need to learn to give employees more freedom to do work on their own terms, as long as they produce the intended results.
Building trust is best managed with regular communication. Frequent written communications from leaders regarding strategy, objectives, and organisational learning are crucial. It’s natural when working remotely for team members to isolate themselves and get wrapped up in their own workload. Managers need to help their teams understand how their work impacts on the broader corporate objectives. At Auth0, we adopted and adapted a technique created by Google called ‘Objectives and Key Results’ (OKRs) to enable this.
Now more than ever, make it a priority to regularly check in with your employees and always be up to date and aware of what their needs are. One of the first initiatives we kicked off in an effort to do so was our Slack ‘Coronabot’. This is a tool we integrated with our main form of communication that allows employees to self-identify if their work capacity was impacted by the pandemic. Another way that we tried to better understand the concerns and needs of our employees was holding listening sessions. From these listening sessions, we’ve rolled out a couple of initiatives to combat burnout, including Slack-free weekends and no internal meeting Fridays.
Make flexibility a priority
As the worlds of home life and work life collide, the traditional ‘9 to 5’ workday needs to evolve. Leaders need to encourage their team to devise their own schedules and complete work at those times when they’re most productive.
If in doubt, ask your employees how best you can help and trust that their answers will be honest. In our own experience we saw a need for a different approach when it came to supporting our employees who are caregivers. With childcare much less accessible, caregivers are doing double duty. We rolled out a survey to these individuals to hear directly how best we could support them and used the feedback to plan future programmes and supports.
We have encouraged these employees to take advantage of flexible working hours, should they need to adjust due to the pandemic, and are using tools like Clockwise or Slack that allow our employees to set their working hours and snooze notifications when they’re offline. This alleviates the pressure to respond, and we’ve found employees are actually happier and more productive this way, especially if you have a team spread across several time zones.
Put your culture front and centre
When you work remotely interactions between management and staff become increasingly transactional. Leaders need to avoid making decrees without explaining the reasoning behind them, and the thought process that led to them. Failure to do so can create a secondary culture within the workforce composed of rumours and hearsay, which can lead to mistrust.
Leaders therefore need to be clear about the reasoning for their decisions, and also explicit about the culture they want to create. Your corporate culture must be written down and communicated frequently so employees can use it to guide their everyday work.
This is particularly beneficial for multinational companies spread across geographies and time zones and encompassing multiple cultures. Whether your teams are based in Singapore or San Francisco, they all have a code of conduct to adhere to. This is crucial for dealing with conflict in a productive way and creating teams that collaborate and respect each other.
Create virtual spaces to socialise
Leaders mustn’t forget the more pastoral benefits of the workspace. Spontaneous water-cooler chats may seem trite, but they’re an essential means of colleagues building rapport and learning about one another’s lives outside of work.
Socialising should not disappear when you transition to remote work. That would be bad for business, productivity, and employee wellbeing. Instead, I would encourage you to get creative and use different functionalities of the collaboration tools you’re probably using daily. We use Donut within our Slack channels, which randomly pairs three employees together and schedules them for a meeting. The intention is to bring together employees who otherwise may never interact and have them connect on topics beyond the workplace, such as life, family, etc. Donut has been a fantastic aid in keeping our distributed workforce feeling connected. We’ve also utilised the results of both our semi-annual engagement survey and more frequent pulse surveys to give us insight into how effective these engagement programmes have been and where we could tweak them to make them even better.
Don’t neglect security
Security should always be a top priority, especially as people are logging into more services remotely. Your business’ IT and Security teams should have set up multi-factor authentication as the minimum standard. As new apps are connected to better enable any of the measures described above, your IT teams and managers should also be educating their teams about the access third-party providers have to their data.
Managers have a crucial role to play as evangelists of security best practice. They should be monitoring whether their teams are completing their security awareness training and, if new apps or technology are being introduced, ensuring that the appropriate channels are open for them to ask questions. The pandemic has been a lucrative time for cybercriminals, who have taken advantage of some lapses in security best practice. Ensuring security is everyone’s business, but it starts from the top.
Building for the future
For many businesses the move to remote working will have been, and is continuing to be, a difficult transition. Admittedly, remote work is not a perfect substitute for personal communication. When circumstances allow, we would recommend that managers meet with their teams in person at least once a year.
However, even whilst the pandemic still hampers our ability to travel and meet face to face, it is still possible to have a distributed team that is productive, collaborative, and happy. If leaders take the time and make the effort to foster a culture built on trust, it will open up opportunities for you in the long-term, no matter what that future may be.