SIM swap fraud is an ogre that has continued to plague mobile users across Africa for years. Myriad Connect’s recent survey in Kenya reveals that over 90% of Kenyan banking leaders see it as an issue for their organizations with over 25% of respondents having been victims of SIM swap fraud.
The South African Banking Risk Information Centre (SABRIC) recently reported that SIM swap fraud has more than doubled in the past year in South Africa.
“But SIM swap fraud is not limited to Africa, it is a growing global issue, affecting even some of the most sophisticated technologies in the world,” says Willie, Myriad Connect Director Business Development, Africa.
Willie Kayenki, Myriad Connect’s Business Development Director in Africa cites likened recent examples in the continent with a case in which a US entrepreneur Michael Terpin is suing AT&T over an alleged SIM swap that resulted in millions of dollars’ worth of cryptocurrency tokens being stolen from his account; and another incident in which esports star Yiliang Doublelift Peng said he lost $200,000 in cryptocurrency in a SIM swap attack.
“A SIM swap, in which criminals manage to get a replacement SIM for a mobile number that does not belong to them, allows the new SIM to supersede the existing one, and gives criminals access to the legitimate user’s information and accounts,” says Kanyeki.
“This compromises the victim’s online banking, cryptocurrency or digital financial service accounts and gives SIM swap fraudsters access to all the victim’s online accounts, including email and all social media accounts. In addition to financial losses, this presents the risk of reputational damage and the exposure of sensitive data, and once fraudsters control a user’s accounts, regaining control of them can be complex.”
In the past, the market’s response to this threat has been to introduce authentication measures to protect transactions, often in the form of a one-time-password (OTP) over SMS. Recent research among leading financial services CIOs in Kenya found that 87% of financial services providers deploy OTP via SMS to protect transactions, and consumer research indicates that 71% of consumers have used services that use OTP via SMS to authenticate financial service transactions.
Kanyeki notes however, that OTP via SMS has long been considered a vulnerable channel for authenticating financial services transactions since it does not meet strict security standards.
“In 2016 the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap. It poses a challenge to providers using the service, as there is no audit trail, opening a door to large scale fraud through a single point of failure.” Willie Kanyeki, Myriad Connect Business Development Director, Africa
Organizations and consumers have a false sense of security when it comes to using OTP over SMS in addition to a user name and password, he notes. “This mode of authentication is vulnerable to SIM swap fraud and many other forms of attack. It can also be vulnerable to man-in-the-middle attacks, SMS can be intercepted, mobile networks can be hacked to receive the OTP SMSes, and call forwarding can be used to divert the OTP SMSes to a fraudster’s phone. Clearly, OTP via SMS is simply not secure enough to protect financial service transactions.”
Myriad Connect, now operating in the Kenyan market, helps address digital transaction fraud with out of band authentication and SIM Swap services that secure digital and mobile transactions and protect consumers and financial services.
Myriad Connect’s service is delivered across a host of different channels, including USSD, mobile app and web protecting consumers’ online accounts, transactions and digital financial services accounts.