Aussie telcos crack down on simjacking identity theft

Australia’s telcos are stepping up efforts to combat identity theft and fraud by cracking down on simjacking, making it more difficult for scammers to get away with hijacking mobile phone accounts via unauthorised SIM swaps and number porting.

Multi-factor authentication has become a key way for people to protect their important accounts, such as online banking. It often relies on your bank sending you a one-time code via a text message, which you must enter when transferring large sums of money. This extra security step prevents scammers from cleaning out your bank account, even if they have tricked you into handing over your login and password.

Simjacking allows scammers to defeat multi-factor authentication by intercepting these text messages.

After gathering enough information about you – perhaps just your name, date of birth and address – the scammer calls a telco and pretends to be you. At this point, they ask the telco to port across your mobile number from your current service provider, so the scammer can receive your text messages. Alternatively, the scammer might call your existing telco and request a replacement SIM for your number.

Once they have control of your mobile phone number, scammers act swiftly – accessing your online banking and then receiving the one-time SMS code so they can transfer money from your account. By the time you realise that your mobile phone has stopped working, it is usually too late.

Telcos warned to combat simjacking

The Australian federal government put the industry on notice after SIM swap fraud rose by more than 100 per cent in the first quarter of 2021, compared with a year earlier.

On average, victims lose more than $10,000 through identity theft from mobile number fraud and can be left struggling to regain control of their identities for long periods of time, according to the Australian Communications and Media Authority (ACMA).

Telstra, Optus and Medion Mobile were issued with formal warnings in May 2021 after the ACMA found they failed to adequately verify people’s identities prior to transferring their mobile phone numbers from other telcos.

Under new rules introduced in early 2020, telcos must have more rigorous customer verification processes in place, such as multi-factor or in-person identification, to help combat simjacking.

“Historically it has been too easy to transfer phone numbers from one telco to another. All a scammer needed to hijack a mobile number and access personal information like bank details was a name, address and date of birth,” says ACMA chair, Nerida O’Loughlin.

“We are cracking down on telcos that don’t follow the rules and leave customers vulnerable to identity theft.”

Telstra introduces simjacking safeguards

Telstra has responded with new safeguards, raising a red flag with banks when a one-time code is sent to a mobile phone number which has recently undergone a SIM swap or number porting.

“To help keep you safe, when a request is made to us by a banking organisation we’ll provide a rating (in the form of a number on a risk scale) which gives an indication of whether there has been any recent SIM swaps or port out activity for the mobile service you’re using as a form of identity with that organisation,” says Michael Ackland – Telstra’s Group Executive Consumer & Small Business.

Telstra provides these ratings to banks in real time via an API, when banks request them as part of their own risk assessment processes.

For example, if a bank customer requests to withdraw or transfer a large amount of money, the bank may use this API to get a real-time indication of whether there has been any recent activity on the mobile service that could indicate the person making the request isn’t who they say they are.
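As an added illustration (not Telstra’s API or any bank’s code), here is how a bank could act on such a rating before it relies on an SMS code, including what to do when no rating comes back. The 0 to 10 scale, the thresholds, the dollar limit, the lookup function and the phone numbers are all assumptions; the article says only that the rating is “a number on a risk scale”.

```python
from enum import Enum
from typing import Callable, Optional

class Action(Enum):
    SEND_SMS_OTP = "send SMS one-time code"
    STEP_UP = "require non-SMS verification"
    HOLD = "hold transfer for manual review"

# Assumed values: the article only says the rating is "a number on a risk scale".
SCALE_MAX = 10        # hypothetical scale: 0 = no recent SIM swap/port, 10 = just happened
STEP_UP_AT = 4        # hypothetical threshold
HOLD_AT = 8           # hypothetical threshold
HIGH_VALUE = 1_000    # hypothetical dollar limit for a "large" transfer

def decide(msisdn: str, amount: float,
           lookup: Callable[[str], Optional[int]]) -> Action:
    """Pick the verification path before any SMS code is sent to msisdn."""
    try:
        risk = lookup(msisdn)
    except OSError:               # timeouts and connection errors
        risk = None
    if risk is None:
        # No rating: small transfers proceed, large ones must not rely on SMS.
        return Action.STEP_UP if amount >= HIGH_VALUE else Action.SEND_SMS_OTP
    if not 0 <= risk <= SCALE_MAX:
        return Action.HOLD        # malformed rating, treat as untrusted
    if risk >= HOLD_AT and amount >= HIGH_VALUE:
        return Action.HOLD
    if risk >= STEP_UP_AT:
        return Action.STEP_UP     # the SMS may be going to a swapped SIM
    return Action.SEND_SMS_OTP

# Constructed sample ratings keyed by constructed phone numbers.
SAMPLE_RATINGS = {"+61491570156": 9, "+61491570157": 5, "+61491570158": 0}

def sample_lookup(msisdn: str) -> Optional[int]:
    """Stand-in for the telco rating request; returns None for unknown numbers."""
    return SAMPLE_RATINGS.get(msisdn)

if __name__ == "__main__":
    for number, amount in [("+61491570156", 5000), ("+61491570157", 50),
                           ("+61491570158", 5000), ("+61491570159", 5000)]:
        print(number, amount, decide(number, amount, sample_lookup).value)
```
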

Telstra is also adding extra security layers to its accounts by enabling MyTelstra app users to use Facial Biometrics and a Telstra PIN – making it more difficult for scammers to impersonate customers.

“When you sign up with Telstra for a phone plan, broadband service or even just as a pre-paid customer, we believe we have a duty of care to keep you safe from threats that come in from outside the network,” Ackland says.

“While we will never prevent every scam or cyber-crime, our aim is to prevent as many as possible by making it as hard as possible for scammers to succeed.”