Chances are you’ve tried logging into a mobile app with a password and received a six-digit one-time passcode (OTP) via text message (SMS), which your phone conveniently populated into the spaces provided. The app opens, and you may feel a flash of appreciation for this extra layer of protection.
Don’t get too comfortable. By using a fraud type called SIM swapping, criminals can take advantage of phone-based two-factor authentication (2FA) to hijack your mobile phone number, attach it to a new phone, and then use that device to gain access to sensitive personal data and accounts. This article explains step by step how SIM swapping happens and closes with prevention steps.
A nightmare on your phone
SIM swapping can be a nightmare. Last year Las Vegas investor Michael Terpin lost up to $24 million in cryptocurrency after hackers took over his phone number. The Wall Street Journal reports, “Within minutes, the hackers began trying to take over his Gmail accounts, using Google’s ‘Forgot password?’ account reset feature. With access to his phone number and email, they were quickly able to steal millions in cryptocurrency from digital wallets Mr. Terpin believed to be secure.”
Nick Selby, director of cyber intelligence at the New York City Police Department, told The Journal that SIM swappers can operate with surgical precision. Within minutes of breaking into a victim’s Gmail account, they will scour old email messages looking for any evidence of financial accounts—cryptocurrency accounts for sure, but also social media, bank accounts and even IRAs.
Consumers support additional authentication
The good news is, consumers are ready and eager to participate in their mobile financial safety. OTPs are the most popular mobile phone-based technology to secure accounts; FICO’s recent Digital Banking Study of consumers across 10 countries found that, on average, a little over half the people surveyed were prepared to use this authentication method. However, while OTPs are still a valuable form of authentication, they are vulnerable to SIM swap fraud, and so must be part of a layered and risk-based approach to authentication.
Fortunately, the survey shows that acceptance of biometrics to secure accounts is now widespread. In the US, 65% of survey participants said they would be happy to provide a biometric identifier to their bank—60% said a fingerprint is acceptable, 29% are comfortable with an eye scan, and 37% said a facial scan is acceptable.
The consumers surveyed were even more enthusiastic about having behavioral biometrics involved in their security. Seventy-eight percent said they would be happy to have their bank analyze, for example, the way they type in their password.
Prevention requires multiple types of authentication
Biometrics are an ideal cornerstone of an effective, layered approach to identity authentication because they’re easy for customers to use and rarely change over time. For example, the latest fraud authentication services are based on user behavior and device telemetry, as well as one-time passcodes, tokens, facial biometrics, voice biometrics and more. Banks can use these capabilities to strengthen the protections they already offer, such as detecting potentially fraudulent payments you make in person, online or with your mobile phone.
Behavioral biometrics and device telemetry are among the most advanced ways to establish your identity. These capabilities non-intrusively examine user patterns (such as keystroke analysis of the way you enter your password), geolocation, and other behaviors around your device, such as your gait and which browser you prefer. Subtle patterns in the way you use your device create a behavioral signature that is unique to you, which can be assessed without asking you to perform additional tasks.
In expanding the menu of biometric options, voice signature capabilities in the Falcon Authentication Suite allow users to enroll in online and mobile banking by saying a short phrase, such as “I love baseball!”, three times while taking a selfie. This data is stored as mathematical representations and is encrypted “in flight” and “at rest” for maximum privacy protection.
By layering voice as an additional biometric factor specific to the bank account (rather than the device), users establish a way to prove their identity when accessing the mobile banking app.
Ways to protect yourself
As banks expand the range of biometrics offered, customers should take advantage of these new authentication choices to help secure themselves. In the meantime, here is a list of ways you can help protect yourself against becoming a victim of SIM swap fraud.
- Online behavior: Beware of phishing emails and other ways attackers may try to access your personal data to help them convince your bank or cell phone carrier that they are you.
- Passwords: Use unique, strong and long passwords that only you know for all of your accounts – even your Gmail. Why? The graphic below shows how long it would take to brute-force your password. Also, use a password manager to keep all of your information organized.
- Account security: Set up multi-factor authentication wherever it’s available. If your phone carrier allows you to set a separate passcode or PIN for your account, consider doing it as an additional layer of protection.
- IDs: Don’t build your security and identity authentication solely around your phone number (and the text messages your phone receives, which are not encrypted).
- Authentication apps: Google Authenticator and other similar apps give you two-factor authentication tied to your physical device, not your phone number.
- Dark web alerts: Monitor your credit score with the myFICO app and additionally receive alerts if your personal information is sold on the dark web.