For all the headlines, though, the extent of the problem is unclear. Most SIMS are requested by legitimate customers; fraudsters account for a reasonably small number of total activations. Yet despite this, the issue is attracting increasing attention. Why? For one thing, there’s evidence the problem is increasing, partly driven by the ubiquitous growth of SIM-reliant technologies like IoT. And for another, when it does occur the extent of the loss is typically high. In the UK, it’s believed to be around £4,000 (US£5,150) per instance.
For the telecommunications industry, this presents a challenge. And given that SIM fraud only comes to light after the crime has been committed, the onus for Mobile Network Operators must be acting quickly to shut the barn door before the horse bolts. This is doubly the case because the correlation between SIM fraud and our ever-increasing reliance on mobiles to verify our identities, especially when using SMS messages as a second authentication factor, is clear. We can be confident that If it’s not addressed, SIM fraud won’t decline and will probably get worse.
The importance of acting to confront the problem as a matter of urgency is underlined by the fact that while revenues from retail SMS are in general decline, application-to-person (A2P) SMS revenues are growing, and SMS messages for two-factor authentication (2FA) have been a significant contributor in that trend. It’s been estimated that global A2P revenues will rise to USD26bn by 2022, with two-factor authentication SMS’ representing almost 20 percent of the total.
This may in part explain the increase in MNOs purchasing new technologies to address the fraud issue an it underlines how seriously the problem is now being taken. Telecoms companies are only too aware of the need to deploy solutions that access critical systems and services as part of a multi-factor authentication (MFA) approach. While it may be efficient and convenient as a means of communication, SMS is only viable (let alone profitable) if it’s safe.
Here, telcos must confront a basic design limitation. For all its efficiency, SMS was never intended for ‘high risk’ content and as a result, there are several weaknesses within the SMS ecosystem, especially when the message content is of high interest to hijackers. This is a reality the latter are increasingly attempting to exploit. One example of an attractive target is Banking, where Financial Services and Insurance (BFSI) organizations provide a range of financial products or services to their customers frequently using an SMS platform to:
- Send important information to their customers
- Send one-time passcodes to their customers to confirm a questionable transaction
- Transmit personalized promotions or offers
In these and other cases, there is a clear need to harden security in the network. While the 5G standard is encrypting the IMSI which makes such hijacking more difficult, in 2G, 3G and 4G networks, which will remain extant for the foreseeable future, the IMSI remains unencrypted and thus a big security risk.
TIME TO ACT
What, then, to do?
At Evolving Systems, our patent pending Secure SMS solution means Mobile Operators can now promote the capability of securing SMS messages to their Enterprise customers with confidence, via a standardized and intuitive interface. Secure SMS reduces the fraud window for potential hackers who are attempting to intercept targeted SMS messages. With several different validation points and prerequisites possible across the SMS journey, the solution helps to make sure that the SMS intended for a subscriber is not hijacked and is received as originally intended.
How MNOs choose to proactively tackle SIM fraud is evolving, but that they must address the issue immediately is becoming ever clearer. This is a solution area yielding technologies that are becoming table stakes components of the telco infrastructure.
At Evolving Systems, we’d welcome the opportunity to discuss the challenge and our own Secure SMS solution in more detail. If you’d like to learn more, please click HERE.