Get Your Tech Together: Telecom Providers, 3rd Party Security, and Preventing ATOs
Account takeovers (ATOs) are a growing concern in today’s telecom market, with cybercriminals constantly evolving their tactics to gain unauthorized access to sensitive information. “According to the FBI,” said a recent Telecom Reseller article, “fraudsters stole more than $72 million via SIM swap fraud in 2022, more than double the losses the FBI attributes to ransomware over the same time period…”
The numbers don’t lie – and neither do the reactions of enraged customers, who are demanding their carriers take the necessary steps to prevent ATOs and SIM-swap fraud (also known as port-out fraud). The article continues, “The carriers are the only parties in these frauds that have the means to protect consumers from losses.” As a result, the Federal Communications Commission (FCC) in the U.S. has been fielding replies, complaints, and petitions for stronger rules surrounding providers and their responsibilities to prevent these kinds of fraud – all of which can be carried out without ever gaining access to a customer’s physical device.
While many telecom companies have security measures in place, there is a growing need for them to adopt even more robust security protocols and, importantly, to exercise greater oversight of their third-party security vendors. These vendors play a crucial role in enhancing security but can also pose a risk if not vigilantly monitored. Active management by the telecom organization itself, beyond what regulatory compliance requires (and regulations will become more stringent in the near future), is necessary to ensure the safety of telecom customers, employees, and data.
Adopting advanced identity security measures within the organization, where needed, or at least seeking out providers that offer enhanced tech, is critical to the future of telecoms and the success of many businesses involved in the industry.
Understanding ATOs and SIM-swapping
ATO fraud occurs when a bad actor gains unauthorized access to a user’s online account. This type of fraud is typically carried out by obtaining the person’s login credentials through phishing attacks, malware, data breaches, and many other nefarious strategies. Once the fraudster has access to the victim’s account, they can exploit it for financial gain or other malicious purposes.
Account takeover fraud can have serious consequences for both victims and their telecom provider, including financial loss, identity theft, and reputational damage.
SIM-swapping is a costly and often overlooked form of fraud. At the beginning of this year, for example, SIM-swappers successfully stole nearly $400 million in cryptocurrency from a U.S. company. This form of fraud involves a fraudster taking over a user’s phone number. This is typically done by tricking the victim’s mobile carrier (the telecom provider) into transferring the user’s legitimate phone number to a new SIM card under the fraudster’s control. Once the port-out is successful, the fraudster can receive calls and messages intended for the real user, including two-factor authentication (2FA) codes sent by banks, social media platforms, or other online services. The bad actor can then access the user’s accounts, reset passwords, and take actions that can potentially lead to financial loss and identity theft.
SIM-swap fraud often begins with the fraudster gathering information about the victim, such as their name, phone number, and sometimes even account details, through phishing attacks or social engineering. Social engineering in particular has grave consequences for telecom providers, because it is their own employees who, sometimes unknowingly, carry out the step that makes the fraud possible.
The hidden cost of phishing
Whether you’re a telecom organization in Singapore, Australia, New Zealand, or the UK, the hidden (and obvious) costs of phishing scams ring true around the world – and customers are carefully listening.
Other than the millions (and sometimes billions) of fraud losses incurred, the damage to an organization’s brand, fraying customer trust, poor PR, strained investor relations, and stock repercussions can tank even the most established businesses. But more often than not, organizations focus too much on the bottom line when investing in digital identity security procedures – like authentication – and skimp on security and UX to keep costs low. This is not only dangerous for data privacy, customer identities, and employees, but can end up costing a company more in the long run than investing up front in a highly secure offering, like biometric authentication, would have.
Implementing advanced protection against telecom fraud
One effective way to prevent ATOs and SIM-swap fraud is by using strong authentication methods that go beyond traditional third-party security measures.
By incorporating biometric authentication or step-up authentication for high-risk transactions, like when a user wishes to change a SIM card, phone number, or payment method, carriers can add an extra layer of security that makes it harder for fraudsters to hijack a customer’s phone number. Biometric authentication, such as fingerprint or facial recognition technology, provides a more secure way to verify a customer’s identity compared to traditional methods, like passwords or PINs.
Biometric factors can’t be lost or shared, they aren’t written down to help people remember them (or for fraudsters to steal them), and they don’t contain personal information that’s readily available to bad actors online. This makes them inherently more secure than not only passwords but any other factors available. Biometrics are also immune to the types of fraud that passwords and other knowledge-based authentication factors are vulnerable to, like phishing, social engineering, man-in-the-middle, and other kinds of attacks.
Biometric authentication is simple for customers and employees, only requiring them to, for example, press their fingerprint against a scanner or take a selfie. There’s nothing to remember and no other items necessary for the user to have in their possession.
In cases where high-risk transactions are detected, carriers can implement step-up authentication processes that require additional verification steps before the user can complete the transaction. This could include sending a one-time passcode via SMS or email, requiring the customer to scan their face, or asking them to answer security questions.
Passwordless authentication is another innovative approach that eliminates the need for passwords altogether, reducing the risk of password-related vulnerabilities.
Multi-factor authentication (MFA) combines two or more verification factors, such as something you know (password), something you have (smartphone), and something you are (biometric data), making it significantly harder for attackers to compromise accounts. Biometric MFA takes this a step further by incorporating biometric data into the authentication process, providing a highly secure level of identity authentication.
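The step-up and MFA approach described above, as an added example that is not part of the original article or of Daon's products: a small policy function that, for a requested account change, decides whether extra verification is needed and which factors are acceptable. Action names, factor names and the two-category rule are assumptions; the example also goes one step beyond the text by refusing SMS one-time codes as the step-up for SIM and port-out changes, since the number being moved is the code's delivery channel.

```python
"""Step-up authentication policy for high-risk carrier account changes.
Constructed example: action names, factor names and the two-category rule
are assumptions for illustration, not a real carrier's or vendor's API."""
from dataclasses import dataclass, field
from enum import Enum

class Factor(str, Enum):
    PASSWORD = "password"        # knowledge
    ACCOUNT_PIN = "account_pin"  # knowledge
    SMS_OTP = "sms_otp"          # possession (the phone number itself)
    EMAIL_OTP = "email_otp"      # possession
    AUTH_APP = "auth_app"        # possession (device-bound)
    FACE = "face"                # inherence
    FINGERPRINT = "fingerprint"  # inherence

CATEGORY = {
    Factor.PASSWORD: "knowledge", Factor.ACCOUNT_PIN: "knowledge",
    Factor.SMS_OTP: "possession", Factor.EMAIL_OTP: "possession",
    Factor.AUTH_APP: "possession",
    Factor.FACE: "inherence", Factor.FINGERPRINT: "inherence",
}

# High-risk changes from the article, each with factors that cannot vouch for it:
# SIM and port-out changes move the SMS channel itself, so SMS OTP is excluded.
HIGH_RISK = {
    "sim_change": {Factor.SMS_OTP},
    "port_out": {Factor.SMS_OTP},
    "payment_method_change": set(),
}

@dataclass
class Decision:
    allowed: bool
    step_up_required: bool
    acceptable_factors: set = field(default_factory=set)
    reason: str = ""

def evaluate(action: str, presented: set) -> Decision:
    """Decide whether `action` may proceed given the factors already verified."""
    if action not in HIGH_RISK:
        return Decision(True, False, reason="low-risk action; session login suffices")
    # Excluded factors are ignored even if the session presented them.
    usable = {f for f in presented if f not in HIGH_RISK[action]}
    categories = {CATEGORY[f] for f in usable}
    # Rule: two distinct categories, one of which must be inherence (biometric).
    if "inherence" in categories and len(categories) >= 2:
        return Decision(True, False, reason="biometric MFA already satisfied")
    needed = {"inherence"} if "inherence" not in categories else {"knowledge", "possession"}
    acceptable = {f for f, c in CATEGORY.items() if c in needed and f not in HIGH_RISK[action]}
    return Decision(False, True, acceptable, reason=f"{action}: step up with {sorted(needed)}")
```

A session that logged in with a password and then received an SMS code is still sent to a biometric check before a SIM change, while the same two factors are enough to pass a payment-method change only once a biometric is added.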
By proactively implementing advanced security measures, telecom carriers can significantly reduce the risk of SIM-swap fraud and protect their customers from falling victim to cyberattacks. It is crucial for carriers to stay ahead of evolving threats in order to maintain trust and confidence among their subscriber base.
Best practices for third-party oversight
If a telecom provider is unable (or unwilling) to invest in more advanced security measures in-house, it can still oversee its third-party security vendors effectively by adopting the following best practices.
Risk assessment
Conduct regular risk assessments to identify potential security gaps posed by third-party vendors and develop mitigation strategies accordingly.
Contractual obligations
Ensure that contracts with third-party vendors include clear security requirements, including compliance with relevant regulations and telecom industry standards.
Regular audits and monitoring
Conduct regular audits and monitoring of third-party vendors to ensure compliance with security requirements and prompt detection of any security issues.
Security training and awareness
Provide security training and awareness programs for company employees and third-party vendors to ensure they understand and adhere to security best practices.
Incident response planning
Develop and maintain incident response plans in collaboration with third-party vendors to ensure a coordinated and effective response to security incidents.
It is imperative for telecom providers to recognize the importance of oversight and take proactive steps to ensure the security and integrity of their networks and services.
Decreasing fraud and increasing customer satisfaction
To combat SIM-swap fraud and ATOs effectively, telecom carriers need to implement robust security measures. By staying ahead of cyber threats and either adopting advanced security practices within their organization (like the ones mentioned above) or seeking out third-party identity providers who offer enhanced protection, organizations can safeguard their digital assets and protect user identities and data from being compromised.
While the FCC and other regulatory bodies around the globe decide the best path forward, the onus is still on telecom providers to protect their customers at all costs. Rather than being left behind or feeling unprepared to adapt when stricter regulations do come into play, it’s recommended that organizations begin to seek out these digital identity solutions sooner rather than later.
How we can help
From preventing SIM-swapping to enabling remote onboarding, we’ve helped some of the world’s largest telecommunications operators protect themselves from current and emerging fraud risks, reduce average call handling time, and mitigate customer churn. Daon is a true identity partner, not just a provider, and can give your organization the most futureproof technology available today.
Learn more about our telecom security solutions.