Gadget

Banks must target SIM fraud

With SIM swap raids being one of the biggest forms of online fraud, financial institutions must find ways to better protect their client’s details, says ZANE RENOU.

Financial services companies should look for solutions that allow them to control the entire mobile transaction lifecycle if they want to beat fraudsters who exploit mobile security gaps to defraud bank account holders.

That’s the word from Zane Renou, Chief Commercial Officer at Cellfind, who says that banks should take a proactive approach to securing the vulnerabilities in SIM cards and devices that create opportunities for impostors to defraud customers.

Says Renou: “Internet and mobile banking fraud is on the increase as con artists take advantage of a range of systems and communication channels to pilfer account holders’ information and to access their bank accounts.

“SIM swapping is still perhaps one of the biggest threats, particularly because it lends itself to social engineering or dishonesty by employees in some cases. But other threats are also on the rise – for example, smartphone malware designed to steal customers’ log-in information, and spoofing attacks, where hackers produce fake messages or transaction requests so that they can pretend to be someone else.

Renou outlines the most common forms of mobile banking fraud and theft as follows:

· Eavesdropping: Criminals can eavesdrop on messages, since most of these are not encrypted. From these messages they learn valuable information for use in later intrusions and attacks.

· Smartphones: Because they’re essentially handheld computers, smartphones are vulnerable to malware. Once a hacker has gained control of a smartphone, via malware or by stealing the phone, he or she has access to the account holder’s banking channel.

· SIM swaps: Via identity theft, or with the collusion of an employee working for a mobile operator or a service-provider company, the fraudster can obtain a new SIM card for a user’s cellphone number. This enables the fraudster to, for example, receive one-time PIN codes for online transactions or to use the customer’s mobile banking PIN. Of course the fraudster will first need to get the user’s internet banking or banking details, which is usually done through a phishing attack.

· Spoofing: Hackers can produce a false USSD request, directing it at a USSD Gateway to masquerade as a user, while cross-network roaming means that hackers can gain access to a network while masquerading as a user’s mobile phone roaming on another network. Once hackers gain access to the network, they can make and receive any type of communication on behalf of users. This includes voice, SMS and USSD.

· New methods of attack: A recent trend is to combine a SIM swap and network porting. This buys the hackers time as it takes longer to discover the crime and even longer to stop the service across two networks.

“We are extremely concerned about possible future fraud attacks from remote networks. This type of spoofing bypasses the manual processes involved in a SIM swap, so it can be automated,” Renou says. “The old ways of detecting fraud are constrained and only effective against a small number of attack strategies.

“The SIM is perhaps the biggest soft spot for criminals’ attacks on users’ bank accounts,” says Renou. “But there is technology available today, for example ValiPort, which addresses this vulnerability.”

These solutions secure mobile financial transactions by validating the authenticity of the originator, and that the handset and SIM card are who they say they are. Through a series of steps, the mobile banking solution can ensure that the risks surrounding spoofing and SIM swapping are effectively exposed and pro-actively managed, Renou says.

For mobile-originated traffic, the origin of the request is verified when the session starts. This means that spoofs are no longer possible and compromised SIM swapping is a thing of the past. For mobile-terminating traffic, such as a one-time PIN sent to a subscriber via SMS or USSD Push, the destination is similarly verified before the message is delivered, effectively reducing the associated risks.
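As an added illustration of the mobile-terminating check described above (this is example code, not Cellfind’s or ValiPort’s implementation), the bank’s enrolment record for a number is compared with what the operator currently reports about the SIM, porting history and serving network before an OTP is sent. The record fields, quarantine windows and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Quarantine windows for a freshly activated SIM or a fresh port-in (assumed values).
SIM_QUARANTINE = timedelta(hours=72)
PORT_QUARANTINE = timedelta(days=7)

@dataclass(frozen=True)
class OperatorRecord:
    """What the operator currently knows about the number (hypothetical lookup result)."""
    msisdn: str
    iccid: str                        # SIM currently bound to the number
    sim_activated_at: datetime
    ported_in_at: Optional[datetime]  # set when the number recently moved between networks
    current_network: str
    home_network: str

@dataclass(frozen=True)
class BankProfile:
    """What the bank recorded when the customer enrolled for mobile banking."""
    msisdn: str
    enrolled_iccid: str

def otp_delivery_check(profile, record, now) -> Tuple[str, List[str]]:
    """Return ("deliver", []) when the destination checks out, else ("block", reasons)
    so the bank falls back to another channel and alerts the customer."""
    reasons = []
    if record.iccid != profile.enrolled_iccid:
        reasons.append("sim_differs_from_enrolled")      # classic SIM swap
    if now - record.sim_activated_at < SIM_QUARANTINE:
        reasons.append("sim_activated_recently")
    if record.ported_in_at is not None and now - record.ported_in_at < PORT_QUARANTINE:
        reasons.append("number_ported_recently")         # SIM swap combined with porting
    if record.current_network != record.home_network:
        reasons.append("roaming_on_foreign_network")     # cross-network spoofing risk
    return ("block" if reasons else "deliver", reasons)

# Constructed sample data: one clean subscriber, one swapped-and-ported number, one roaming.
NOW = datetime(2024, 1, 10, 12, 0)
PROFILE = BankProfile("+27820000000", "ICCID-ORIGINAL")
LEGIT = OperatorRecord("+27820000000", "ICCID-ORIGINAL", datetime(2022, 5, 1), None, "NET-A", "NET-A")
SWAPPED_AND_PORTED = OperatorRecord("+27820000000", "ICCID-NEW", NOW - timedelta(hours=5),
                                    NOW - timedelta(days=1), "NET-B", "NET-B")
ROAMING = OperatorRecord("+27820000000", "ICCID-ORIGINAL", datetime(2022, 5, 1), None, "NET-C", "NET-A")

if __name__ == "__main__":
    for name, rec in [("legit", LEGIT), ("swapped+ported", SWAPPED_AND_PORTED), ("roaming", ROAMING)]:
        print(name, otp_delivery_check(PROFILE, rec, NOW))
```

A blocked result is a signal to route the OTP through a channel not tied to the SIM and to notify the customer, not a verdict of fraud on its own.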
