
TransUnion Fraudcast Ep5: SIM Swaps and OTPs

Episode 5

In this episode of the TransUnion Fraudcast, step-up authentication expert Don Smith joins Jason to discuss why SIM swaps continue to grow in frequency and damage, and whether that spells the end of the one-time passcode (OTP).

Jason Lord:
Welcome to the TransUnion Fraudcast, your essential go-to for the absolute linkages between the day's emerging fraud authentication topics, trends, tropes and travails delivered with all the straight talk and none of the false positives.

I'm your host, Jason Lord, VP of Global Fraud Solutions.

Now, regular listeners of the Fraudcast know that in each episode we narrow in on a specific subtopic within the fraud and authentication universe, bringing on a special guest to help us dive in while keeping it high level enough that you don't need a PhD in data analysis to understand the topic. Because let's face it, life is complicated enough.

Speaking of complicated, mobile phones are ubiquitous and you might be listening to podcasts right now on a mobile phone.

And besides communicating, we also shop, manage our money, navigate, check social media and organize our lives around our smartphones.

And if you're like me, you might have some constant low-level anxiety about misplacing your phone or running out of battery –– but completely losing control of your phone to a fraudster is a whole different level of nightmare.

And that's exactly what a SIM swap is: an unauthorized subscriber identity module, or SIM swap, means someone has an exact copy of your phone and can use it to intercept one-time passcodes and take over your personal accounts, inflicting significant chaos and financial damage before you even realize what's happening.

Now, the FBI ties $72 million in 2022 consumer losses directly to SIM swaps. And yet almost half of FI fraud professionals indicated in a 2022 Forrester survey that they lack any solutions to deal with the problem.

So can SIM swaps be stopped, and do they spell the death of that universal step-up authentication measure, the OTP?

Here to discuss the topic with me is an expert in all things step-up authentication, Don Smith, Product Manager for Authentication Solutions at TransUnion.

Prior to TransUnion, Don worked for more than 13 years at a top-five U.S. bank on consumer identity and multifactor authentication, and this is Don’s second appearance in the Fraudcast. Welcome to the Fraudcast, Don.

Don Smith:
Thanks for having me.


Jason Lord:
So Don, tell me a little bit more about a SIM swap. How does it work?

What does a fraudster do to get a hold of the consumer’s phone?


Don Smith:
Sure. I'll delve into SIM swap, but I also want to bring up porting.

So the distinction there: A SIM swap is when a customer's SIM card or phone number is taken from one carrier (Verizon) to another carrier (T-Mobile).

A port is when the customer’s phone number stays within that same carrier, but it may go to a sub-carrier, or, as we refer to it, an MVNO.

All of our big carriers are MNOs, AT&T, T-Mobile, Verizon, but all of them have sub-carriers that work under them that run on their rails but don't follow the same data quality standards as the MNO.

So, back to your question, what is a SIM swap?

A SIM swap is when a fraudster takes over another customer's device in a couple of ways.

One: social engineering. So they'll call an MNO carrier and say, hey, I've lost my phone. Here's my information.

Could you please cut it back on for me?

Jason Lord:
And as we've talked about in the past, the call center agents tend to be people who are designed to be helpful, not necessarily look for fraud.

And so they're an easy target for fraudsters.

Don Smith:
Yes, absolutely. They also –– as I joke with my wife, as long as there's fraudsters I’ll always have a job –– but they will look for phones or targets that are not widely used, or seldom used, have low traffic, so that the original owner of the phone will oftentimes take a day or two to realize that their phone actually doesn't work anymore.

Umm, so again, that SIM swap is there, the porting is there, but that's social engineering.


Jason Lord:
And by the way, that two days or so is significant, because a fraudster can do a lot of damage in two days before the victim knows what's going on.


Don Smith:
Absolutely.


Jason Lord:
I've heard of cases where hundreds of thousands of dollars of people's accounts are being taken out before the person understands what's happening.


Don Smith:
I don't want to go off on a tangent, but someone took over one of our big cryptocurrency companies and drained it within hours, not to mention days.

I have also seen first-party fraud. When I worked at that bank, we had an account where the fraudster was the twin brother. Because he looked enough like him, he could pass.


Jason Lord:
It sounds like a Lifetime movie. That's incredible.


Don Smith:
Trust me, it took us a while to work through that one, but there are multiple ways to obtain a phone fraudulently.


Jason Lord:
So it's not, you know... I might have assumed at first it was some technology issue like the SIM card being taken out of the phone, and probably that could work too, but it's more than likely a social engineering thing with the call center agent at, like, a Verizon or something like that.


Don Smith:
Correct. And we can get it.

I think we'll get into this a little bit later, but with the inception of the iPhone 13 and beyond, not only do we have to worry about SIMs, we have to worry about e-SIMs. So the carriers have not made our job easier, they've actually made it a little more difficult.


Jason Lord:
So what makes SIM swap so hard to detect and hard to stop?

Whether you're, you know, a Verizon –– I don't want to pick on Verizon –– a T-Mobile, an AT&T, any of those, or also if you are, say, a bank and you're the victim of it as a result of the SIM swap.


Don Smith:
So there are quite a few things that make it hard to detect.

One is the quality of the data that we get from the carriers.

So I mentioned the MNOs, the major carriers; there are also the MVNOs. The carriers do an adequate job of telling us when a SIM swap occurs.

When I say adequate, if you go back three, four, five years, they actually used to give us the exact date and time when the SIM swap occurred. In an effort to protect their customers, they've actually gone away from giving us exact date and time to a time zone or date range.

So say zero to one day, one to three, three to five, five to seven.

The European –– we, we won't get off on that tangent –– but the European companies actually do a really good job of that. It's just in the United States where they have, I'll say, taken a step backwards in the data they give us.

What further complicates that is when a customer has a phone on an MVNO, a mobile –– it's a sub-carrier that runs on the carrier's rails, but the carrier does not think or treat that MVNO's customer as their own. So the data requirements for that MVNO are much less than the MNO, so just the quality of data, or lack thereof, is the biggest part.

And the fact that we no longer get that detailed data –– we get, I'll say, bundled data –– that makes it harder to detect.


Jason Lord:
If you were to talk to a bank, would the bank think of the problem in the same way that you're describing it?

And I ask because it's a pretty technical way that you're describing the problem; is that the way a financial institution is thinking of the same problem?


Don Smith:
It would probably depend on the financial institution –– the one I came from did.

But other banks are looking at it in a similar fashion.

To be honest with you, what I've seen with some banks is they don't even consider SIM swap fraud unless it's absolutely necessary.

So again, coming from the FI I was at, we considered looking at SIM swap, making that call to the carrier.

I’ll take a step back if you don't mind.

The big problem with SIM swap is: that data is solely owned by the MNO, or the carrier.

You cannot obtain it anywhere else, so you have to go through the proper channels to get that data.

Some FIs consider looking at SIM swap for any, what they call, high-risk transaction. From a banking perspective, they have login, and then everything else is a hybrid transaction.

Some banks don't look at it that way.

Some banks only will do a SIM-swap check or porting check when they are doing a high-value transaction on Zelle, or money movement of some sort.

I think more and more banks and institutions are looking at SIM and port as a more real fraud vector now than they have in the past.


Jason Lord:
But that's a little surprising, to be honest with you, because it's not that we're hearing about SIM swap for the first time, it's been on national news for quite a while.

You can tune into an ABC News program and see a victim of a SIM swap.

So why do you think that it's taken so long for the institutions to catch up?


Don Smith:
Umm, AT&T didn't help anybody.

I'm not sure if you're aware or not, but like seven, eight, nine years ago they made the declaration that they weren't going to sell data to aggregators.

Because of that, anybody who wants to get AT&T data has to have a contract directly with AT&T.

I happened to have the honor of being the first to attempt that with the institution I was at, and it took a full year just to put a contract in place to get to the AT&T data.

So they…again…the carriers are not doing us any favors.

I understand what they're trying to do from their customer’s perspective, but I think it's a little short-sighted in the fact that to your point earlier, we use phones for everything, everything.

I mean, people bank on phones more than they do websites right now.

Protecting that customer, to me, goes beyond protecting that data at the carrier.

It's making sure that we can clearly define and identify that person, regardless of what they're doing, regardless of what interaction they're doing, to make sure that not only we're protecting their data, we're protecting their money, we're protecting their identity. And SIM swap is, to me, a huge factor in that.


Jason Lord:
Now, you come from a bank or a banking background and it makes sense that we'd be talking about this in the context of financial institutions, because that's where a lot of our money is that we need to protect.

But is this an FI-only problem, or do you see this problem in other areas as well?


Don Smith:
Absolutely not. It spans all industries, to my knowledge.

I think the banking industry is, to your point, where it's most talked about because of the financial aspect.

But if you look at everything we do with the phone today…I have to authenticate with my TV if I want to sign up for YouTube TV. I have to authenticate with it when I go to almost any app now, any app you're asked to do 2FA, or multifactor authentication, so it's really morphed into every aspect of our lives, not just financial.


Jason Lord:
And some organizations, and some fraud professionals, have talked about this in terms of a death knell for OTPs to say that, well, because they're so vulnerable, we can't use OTPs anymore. We have to think of alternative forms of multifactor authentication.

Do you subscribe to that point of view?


Don Smith:
I won't say I subscribe to it holistically. I don't believe OTPs will ever go away.

Within the last couple of years, we've gone away from sending, or at least most corporations have gone away from sending OTPs to emails because of the vulnerability.

The OTPs to the phone are safer.

I think at some point we will have to layer on something on top of that OTP, but I think OTPs are –– I won't say here to stay, but I think they by and large, it's going to be hard to get rid of them just because of the ease of use.

The comfort level of folks using those.

No, and we'll probably move to something FIDO-related. As a matter of fact, I'm starting to work on a product such as that, where things are passed without customers having to enter anything.

But I don't see OTP going away, at least not in my lifetime.


Jason Lord:
You bring up a couple of important points.

One is it's accessible, so you don't need to, if you're thinking about an older generation or somebody who maybe does not have access to certain technologies...

An OTP is almost ubiquitous.

It's almost universal in terms of people being able to access it, and it's just so second nature to us. To try to retrain people on a new form of authentication, that seems like an uphill battle.


Don Smith:
You're exactly right.

I'll give you an example: The US military –– in a previous life we had to solve for when we took away email, you couldn't go through email anymore to get an OTP, we had to make an exception for the time being for the military, because those folks are traveling or overseas and may not have access to a phone or access to Internet, for that matter, for days and weeks.

So those are the use cases where I think it will continue to be used heavily and as you mentioned, the older generation probably is not as willing to go to a newer technology, just because of the trust level or the unknown.

Jason Lord:
I'm 43 and I realize how old I was when I stopped being interested in new technologies, and so I have a great deal of sympathy for anyone who's older than me, if they're being asked to be retrained on a technology.


Don Smith:
I have pretty much given up with my parents.


Jason Lord:
So now the FCC is proposing new rules to protect consumers from SIM swapping, and presumably porting as well, by requiring wireless providers to use secure authentication methods before completing a SIM swap, and to notify customers.

Do you think this is going to end the problem of SIM swaps?

Don Smith:
I don’t believe it will end it. It may curb it somewhat, but fraudsters will always find a way to game the system in order to get what they want.

With the man-in-the-middle attacks, with, again, social engineering…we need to do a better job of trying to protect social engineering, but it is what it is in that these guys are so good at what they do, they can pretty much manipulate people that are, to your point, trained to help them commit fraud unknowingly.


Jason Lord:
As long as there are enterprising fraudsters, which there always will be, and as long as there are marks or victims, which there always will be, fraudsters will find a way around the legislation of the technology.

Don Smith:
Absolutely.

Jason Lord:
So we're saying OTPs aren't going away.

We're saying the legislation's not going to protect us from the problem of SIM swapping.

Is there any optimism in your mind?

Is there a way to protect against this form of fraud? And essentially what we're asking is: is there a way to make sure that the OTP goes to the customer and not the fraudster?


Don Smith:
Uh yes, I believe there are ways we can combat it.

So I mentioned before I'm a huge fan of data.

When the carriers pulled back from the level of data they were giving us and they introduced e-SIM, it made our job harder, and I've been petitioning, without much success so far, to the carriers to give us more data, give us information. And maybe if we don't get it from them –– we actually made a note right before this meeting –– to focus more on velocity for SIM and port.

Not only that a SIM or a port happened, but how frequently is it happening for that phone number? If a fraudster by and large is going to use whatever phone they have available.

If, for example, the carrier could give us information on the operating system that was on that phone –– on the original phone and the fraudulent phone –– new fraudsters aren't going to buy a brand new iPhone to commit fraud.

They may commit fraud on a brand-new iPhone, but they've got an iPhone 7 or 8 sitting around that's plugged up, ready to go, and if we can get that information, we can more accurately detect that the OTP is going to the person that we said it is.

Right now our approach, and one of the things I'm working on with this new TruValidate platform, is we take multiple approaches on ensuring that the actual customer is the OTP.

We do an identity check to make sure that the phone number below matches the identity of the customers that we have on file, using loads and loads of identity data.

We look at the phone attributes themselves –– and this is again what I'm asking the carrier for –– and more information, more detailed information, and starting to collect it ourselves.

And then we do what we call the MNO check to see if a SIM swap report is happening within the last couple of minutes.


Jason Lord:
Now I will jump in for just a second to do a commercial on your behalf, because what you're referring to is TruValidate Phone Takeover Risk, which is a really unique solution because of those direct relationships with MNO carriers, the phone carriers that you were referring to before.

Essentially customers of TransUnion can ping TransUnion to understand if one of these activities is taking place prior to sending the one-time passcode so that they can know, oh –– something anomalous has happened, I probably don't want to send that one-time passcode, and that can mitigate the risk of possible account takeover.

Please continue, Don –– I just want our listeners to know theoretically there's actually a solution out there.

Don Smith:
I appreciate that. So having that data, having this new solution that we're building on that new platform, I believe, will help us more clearly define what I'll refer to as a good SIM swap versus a bad.

The only good SIM swaps that I've ever seen are when I go to Verizon and I get a new phone tied to my same phone number.

That's a legitimate SIM swap: I'm upgrading my phone. I'm not trying to take it over for fraudulent purposes.

Everything else, I think by getting better data, by getting more data, then we can start to determine the fraudulent SIM swaps and make sure we can protect our customer.


Jason Lord:
Well, and it's worth pointing out here –– this is something that I say on almost every one of these Fraudcasts –– is just because there’s a signal that indicates risk doesn't mean it's necessarily fraud. What it means is you just want to take some additional steps before you take the next action.

So to your point, a SIM swap doesn't mean fraud, necessarily, but it does mean that you shouldn't just blindly send the OTP.

You should probably do something else before sending it.


Don Smith:
Agree.

So those other attributes I was talking about, so if we detect a SIM swap then we could drop back to that velocity data, go OK, this customer's last SIM swap was two years ago on an iPhone 13, and now they're upgrading to an iPhone 15.

That’s a legitimate SIM swap.


Jason Lord:
Right.


Don Smith:
As opposed to not having that information.

So I think, again, data is king. A person I used to report to once said that; it's kind of stuck with me.

The more data that we have, to your point, the signals we can look at that sensor and go eh, we’re going to do something else based off the fact that we see a SIM swap –– was it good or bad…do we think it’s fraudulent or not?


Jason Lord:
So now if I'm a fraud professional at a bank or at a retail store or a government agency, and I'm listening to this podcast, what would you recommend to me as a next step, an immediate next step, to help protect against these types of account takeovers, from OTPs being intercepted?


Don Smith:
The short answer is reach out to us and let us know how we can help you.

But to take a step back and look at it, because the one thing that we can help with is identifying fraud.

I've often said that our customers have the risk, so they ultimately own the fraud laws; they own the risk tolerance.

We can provide information to them that gives them enough information to make educated decisions on what their risk tolerance is and what they think their fraud losses are.

Just look at your fraud losses today. Take a look at a product we’ve mentioned here, Phone Takeover Risk, that looks at all those legs of the product and see –– because I will almost guarantee you that your fraud losses will go down once you start using a product (Phone Takeover Risk) that would help identify those potentially fraudulent transactions.


Jason Lord:
I would say this is easily the most infomercial-like Fraudcast we've had yet, but I think part of the reason honestly, Don, is that there's so few times that the answer to the question is directly a solution. In this case, it happens to be, so I appreciate it.

Don, I want to thank you again for your time.

Thank you all for tuning in, and we hope you join us for an upcoming Fraudcast.

In the meantime, please stay smart and stay safe.

TransUnion Fraudcast

Your essential go-to for all the absolute linkages between the day’s emerging fraud and identity trends, tropes and travails — delivered with straight talk and none of the false positives. Hosted by Jason Lord, VP of Global Fraud Solutions. 

For questions or to suggest an episode topic, please email TruValidate@transunion.com.

The information discussed in this podcast constitutes the opinion of TransUnion, and TransUnion shall have no liability for any actions taken based upon the content of this podcast.
