André Tenreiro, a Computer Emergency Readiness Team member at one of Mozambique’s largest phone carriers, told WIRED (April 26, 2019) that around a year ago he was called in for a meeting with his company’s CTO and an executive of the country’s largest bank to discuss fixes for the increasing number of SIM swaps.
From 17 to Nearly Zero SIM Swap Frauds Overnight
Cases related to SIM swaps had been mounting, and Mozambique’s largest bank realized the threat they posed. Growing concern led an executive from the bank to meet with the CTO of one of the most widely used phone carriers and André Tenreiro to discuss emergency countermeasures that could be deployed.
Tenreiro told WIRED that he was notified that the bank witnessed an average of 17 SIM swaps each month. The executive looked desperate to find a solution but had no idea what could be done about it, and that is where he wanted their help.
“The gentleman from the bank, I could see by his face he was desperate [to find a solution],” Tenreiro said.
Hackers use SIM swaps either to read one-time passwords sent via text before carrying out a transaction or to use the phone number to reset account passwords. In response, Tenreiro and his CTO proposed a system that would let the bank check the carrier's phone records for any recent SIM swap on the number tied to a bank account before a transaction could be completed through it.
If a swap was detected within the last two or three days, the transaction would be blocked. This would give victims the time they need to report the crime before they could be defrauded.
The bank soon started checking for SIM swaps with all major carriers in the country, and this simple, yet effective solution “reduced their SIM swap fraud to nearly zero overnight.”
US Telcos Resist Sharing Real-Time SIM Swap Data
From hacking Instagram accounts to stealing cryptocurrencies, SIM swaps have recently become a common way of defrauding people. WIRED found through its interviews with security firms and executives in the banking and telecom industries that the above practice has become prevalent in other African nations such as Nigeria, South Africa, and Kenya. Even the UK and Australia have gotten to grips with this solution. The US, however, doesn’t seem to budge.
When asked, security firms and banking executives blamed the US phone carriers for not being willing to share real-time SIM swap data. Telesign, a security firm, offered to facilitate SIM swap fraud-checking for US banks but failed because most phone companies resisted working with them.
Stacey Stubblefield, Telesign’s co-founder, stated:
“Long story short, the data isn’t available from most US carriers.”
WIRED even reached out to major US carriers but didn’t get any direct responses, though some of them referred the questions to CTIA.
According to John Marinho, VP of technology and cybersecurity at CTIA, US carriers do not offer real-time SIM swap checks partly because “the US has other protections, like geolocation checks based on banks’ mobile applications installed on smartphones, and two-factor authentication.” The WIRED article noted that the latter is exactly what hackers try to bypass by using SIM swaps.
Marinho also said that implementing the above would raise privacy concerns, which the US carriers cannot afford. However, Tenreiro had already mentioned that the fix raised minimal privacy concerns, as the API only responded to banks’ SIM swap data requests without leaking any other information.
“All the operators do is reply with a binary response ‘Yes/No’ whether the subscriber has conducted a SIM swap within the last X days. We believe the privacy exposure is minimal.”
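The check described above (a yes/no carrier answer that gates the bank's transaction), as an added Python example that is not code from WIRED, the bank or any carrier. All function names, the constructed phone numbers and timestamps, and the decision to hold a transaction when the carrier cannot answer are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed carrier-side records: phone number -> time of last SIM change.
# Numbers and timestamps are made up for illustration.
NOW = datetime(2019, 4, 26, 12, 0, tzinfo=timezone.utc)
CARRIER_SIM_CHANGES = {
    "+258840000001": NOW - timedelta(hours=5),   # swapped a few hours ago
    "+258840000002": NOW - timedelta(days=40),   # swapped long ago
    "+258840000003": None,                       # never swapped
}


class CarrierUnavailable(Exception):
    """Carrier could not answer (timeout, unknown subscriber)."""


def carrier_swapped_within(msisdn, days, now=NOW):
    """Carrier side: reply only yes/no, never the swap date or other
    subscriber data, which keeps the privacy exposure minimal."""
    if msisdn not in CARRIER_SIM_CHANGES:
        raise CarrierUnavailable(msisdn)
    last_change = CARRIER_SIM_CHANGES[msisdn]
    return last_change is not None and now - last_change <= timedelta(days=days)


def authorize_transaction(msisdn, window_days=3, lookup=carrier_swapped_within):
    """Bank side: run the check before an SMS one-time password is trusted."""
    try:
        recently_swapped = lookup(msisdn, window_days)
    except CarrierUnavailable:
        # Assumption: fail closed, so a missing answer cannot be used
        # to skip the check.
        return ("HOLD", "carrier lookup failed")
    if recently_swapped:
        # Blocking inside the window gives the victim time to report the swap.
        return ("BLOCK", f"SIM swapped within last {window_days} days")
    return ("ALLOW", "no recent SIM swap")


if __name__ == "__main__":
    for number in ("+258840000001", "+258840000002",
                   "+258840000003", "+258840000099"):
        print(number, authorize_transaction(number))
```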
Allison Nixon, director of security research at security firm Flashpoint, says that she’s unaware whether telcos are even planning on offering this or whether they are just waiting for the government to act. But, she says, something like this has to happen.