https://commsrisk.com/australia-considers-new-rules-to-prevent-sim-swaps/
The Australian Communications and Media Authority (ACMA) has proposed new rules that would force telcos to implement tougher
checks of a customer’s identity before completing ‘high risk’ interactions such as issuing replacement SIM cards.
Unfortunately, there is clear evidence that scammers continue to target SIM swap processes, with some data sources indicating
ongoing harms have increased. ACMA analysis shows that between January and May this year, more than 80% of mobile number fraud
resulted from unauthorised SIM swaps.
We have data from government agencies, telecommunications providers and other bodies that provide a strong indication of about
/(sic)/ ongoing realised harm. We estimate the average loss per mobile number fraud to be $28,715 [USD20,870] and we are aware
consumers are likely to under-report fraud to authorities due to embarrassment and reputational issues.
SIM swaps are the main current motivation for increased controls but the ACMA wants rules that anticipate the way fraudsters adapt
their methods.
There is also emerging evidence that scammers are targeting other telecommunications customer interactions. For example,
scammers have used personal information to facilitate other types of fraud, such as ‘purchasing’ expensive handsets on a
customer’s account or gaining full access to customer accounts and payment details. This suggests that if fraud from
unauthorised SIM swap is prevented via new obligations, scammers will quickly pivot to target other points of weaknesses.
The ACMA wants multi-factor authentication (MFA) of “all customer interactions at high risk of fraud”. Their proposals outline
three examples of MFA.
* Manual/visual comparison of a person’s face against a photograph on a primary piece of evidence
* Verification of a biometric template collected at registration against a biometric template held by an authoritative source
* Knowledge-based authentication
Some Australian telcos are already using MFA to reduce fraud.
In taking this step, we note that some providers have already introduced multi-factor identity verification arrangements, or
are in the process of doing so, under guidance material developed by Comms Alliance. It is demonstrable that providers that
have already implemented these processes are experiencing significantly less fraud involving their customers.
The ACMA would normally allow telcos to succeed with their voluntary efforts before imposing new obligations, but this time they
want regulations to be in place so they can take enforcement action against any laggards. They also want the freedom to quickly
extend these rules whenever new fraud risks become apparent.
It seems unlikely that Australian telcos will raise objections, though some may want more detailed rules from the ACMA. The
current proposal is vague in several areas. For example, there is no exhaustive list of situations that require MFA. It is clear
what is required when asking a member of staff to compare photo ID to somebody’s actual face, but the standard for knowledge-based
authentication could vary greatly. Questions might be as tough as reading out a code from an authenticator app or as trivial as
asking the maiden name of the customer’s mother.
The deadline for responses to the ACMA consultation is December 15. You can read the ACMA’s proposal here
<https://www.acma.gov.au/consultations/2021-11/proposal-make-telecommunications-service-provider-customer-identity-verification-determination-2021-consultation-392021?utm_medium=email&utm_campaign=ACMA%20consults%20on%20new%20telco%20rules%20to%20prevent%20identity%20theft&utm_content=ACMA%20consults%20on%20new%20telco%20rules%20to%20prevent%20identity%20theft+CID_71a7ce49ad7c9069c645cb2db8b97782&utm_source=SendEmailCampaigns&utm_term=making%20new%20rules>.
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:[email protected] aim://kimholburn
skype://kholburn - PGP Public Key on request