NAIROBI, Kenya, Oct 24 – Over 25 percent of Kenya’s 43 million mobile users have been affected by SIM swap fraud, either as targets or victims, according to a survey by Myriad Connect.
The survey also reveals that 90 percent of Kenyan banking leaders see SIM swap fraud as a serious threat in the sector in what is becoming one of the rising global crimes involving mobile phones.
The most recent high-profile case is that of US entrepreneur Michael Terpin, who is suing AT&T over an alleged SIM swap that resulted in millions of dollars’ worth of cryptocurrency tokens being stolen from his account.
In South Africa, the South African Banking Risk Information Centre (SABRIC) reported recently that the incidence of SIM swap fraud has more than doubled in the past year.
“A SIM swap is when criminals manage to get a replacement SIM for a mobile number that does not belong to them, allowing the new SIM to supersede the existing one, and give criminals access to the legitimate user’s information and accounts,” says Willie Kanyeki, Myriad Connect Director Business Development – Africa.
Kanyeki adds that in addition to financial losses, SIM swap presents the risk of reputational damage and the exposure of sensitive data, and once fraudsters control a user’s accounts, “regaining control of them can be complex.”
In the past, the market’s response to the threat of digital transaction fraud has been to introduce authentication measures to protect transactions, often in the form of a one-time-password (OTP) over SMS.
Recent research among leading financial services CIOs in Kenya found that 87 percent of financial services providers deploy OTP via SMS to protect transactions, and consumer research indicates that 71 percent of consumers have used services that use OTP via SMS to authenticate financial service transactions.
“However, OTP via SMS has long been considered a vulnerable channel for authenticating financial services transactions, as it does not meet strict security standards,” says Kanyeki.
In 2016 the National Institute of Standards and Technology in the US identified that SMS is a risk and that OTP via SMS is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks such as SIM swap.
It poses a challenge to providers using the service, as there is no audit trail, opening a door to large-scale fraud through a single point of failure.