In a world of sophisticated cybersecurity, what does it take to set off a crippling breach that can loot your bank account and pillage your personal information?
A phone call to customer service.
“Imagine that you have a SIM with one of the large carriers in the U.S. right now,” said Ravish Patel, senior director of product management at TeleSign, a digital identity and programmable communications company. “Fraudsters would call the call center. Because they have your data, due to various data breaches and other social engineering methods, they can convince them, ‘This is so and so calling. I have lost my SIM card. Can you please provision a new SIM card and send it to me or update my SIM card accordingly?’”
What Patel has outlined is a SIM swap attack, whereby a bad actor can persuade carriers to port a targeted phone number to a SIM card in their hands. The consequences of this fraudulent activity, even if identified swiftly, can be dire.
“Fraudsters could essentially hijack your entire digital identity and existence online fairly quickly, depending on the platforms you use as an individual consumer,” said Lis Pepin, senior manager of business operations at TeleSign.
And while precautions like two-factor authentication theoretically patch vulnerabilities, once an attacker successfully swaps — thereby steering SMS verification codes their way — the keys to the castle, and the digital bounty inside, are effectively relinquished.
“I can put the most sophisticated lock imaginable on my front door,” said Josh Embree, a data scientist at TeleSign. “But if I hide the key under the mat, I'm only as secure as somebody not finding it.”
How, then, to overcome the seemingly insurmountable? By tapping into the power of machine learning to assess potentially fraudulent activity, the team can keep clients and their end-users safe, while mitigating the havoc wreaked by mobile malcontents.
A widespread fallout
The ramifications of a SIM swap are far-reaching and undermine oft-used lines of defense.
Patel: Once fraudsters have control of your SIM card, they can take over any of the accounts that you have. Imagine your phone number is associated with one of the large email providers. They will get to that particular account, and from there, they can get to your bank account and empty it.
Pepin: Typically, we anticipate the most damage happening within roughly 12 hours after a SIM swap occurs. Some of the industries that we see most affected are e-commerce, banks, crypto accounts, stock portfolios and social media.
Embree: The key assumption of two-factor authentication is that the individual user who signed up and put in the mobile number is holding that mobile number indefinitely. When you say, “I forgot my password,” you're now removing one of the two factors in the authentication and relying solely on the mobile number. If someone gets my mobile number through a SIM swap, that's the key vulnerability. Being able to flag that the SIM swap happened is another layer of security in that component.
Raising the flag in real-time
Not all SIM swaps are malicious. Separating fraudulent swaps from genuine ones requires technology that won’t alienate users with false alarms. The aim is to assess whether a given swap is a true positive and respond accordingly.
Patel: Imagine a suspicious transaction happens on a large platform. We check downstream with carriers in real time to understand if the SIM associated with that particular phone number, or the device associated with that phone number, was powered on a few minutes, hours, days, etc., ago. We try to understand when that change happened. Using that information, we are able to understand if fraud is in progress.
This is where the TeleSign data science team is helpful in reducing false positives. Being able to identify if that particular SIM swap activity was fraudulent or genuine is important.
Embree: Ideally, we're providing a resource to a data science team, or some kind of analytical product, that's going to make a real-time automated decision as to whether or not to flag something for manual review, to delay it, to allow it to go through, or whatever that may be.
If I actually upgrade my phone and forget my passwords, and you blocked me for a week because I swapped my SIM card, that's going to really frustrate me. At the same time, if someone steals my SIM card and you don't block them, and they steal all my money, I'm going to be really upset. There's this balancing act. We're not necessarily in the business of telling customers what to do, but we're trying to enrich what it is that they can do with their end users.
If there’s a device change, there's a lot of different signals we can aggregate into some kind of prediction or estimate of whether or not this is legitimate behavior. These things are all intended to go into the customers’ model or their algorithm for making a decision as to how to deal with the proposed action.
TeleSign harnesses machine learning to provide risk scores that evaluate the legitimacy of a SIM swap, helping inform any next-step precautions.
Pepin: We build customized models of our products that target the specific fraud customers see on their platforms. That would be based on different attributes, like IP addresses, e-mail addresses or specific places. We make sure customers have custom-tailored solutions in terms of the relevance of machine learning.
Patel: We combined two-factor authentication with risk scoring services. Let's say our customers send out SMS verification through us in order to verify if the user has the phone number at a given point of time. Along with sending the SMS, we also want to verify if that user owning that particular phone number has not changed a similar device recently. Using all the data, we can predict if this is a potential SIM swap fraud or not.
Embree: We generate those scores based on supervised machine learning. We get labels from existing customers that know what fraud is and what it looks like, and are able to label it in an automated or pseudo-automated way. We have insight and visibility into multiple cases of fraud that we can train these big supervised machine learning models on, and then scale those insights and those predictions to products that we can deliver to smaller customers.
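The pieces described above, the real-time "when did this SIM last change?" check Patel outlines, the aggregation of several signals into one estimate Embree describes, and the pairing of SMS verification with a risk score, put together as an added Python example. This is not TeleSign's code or model: the carrier lookup is a constructed in-memory table standing in for a carrier API, the signal weights, recency bands and decision thresholds are assumptions, and the 12-hour band is taken from Pepin's remark about when most damage occurs.

```python
"""SIM-swap risk check: added example, not TeleSign's code.

Combines a carrier-style "when did this SIM last change?" lookup with a few
account signals into a risk score and a decision for the customer's own
workflow. Weights, thresholds and the carrier data are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the downstream carrier lookup: phone number -> UTC
# time the SIM (or device) was last changed, or None when no change is known.
CONSTRUCTED_CARRIER_SIM_CHANGES = {
    "+15551230001": datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),   # minutes before the demo request
    "+15551230002": datetime(2023, 11, 12, 8, 0, tzinfo=timezone.utc),  # months earlier
    "+15551230003": None,                                               # no change on record
}

# Actions where a successful takeover does the most damage (assumed list).
HIGH_VALUE_ACTIONS = {"password_reset", "payment", "add_payee"}


@dataclass
class VerificationRequest:
    phone_number: str
    requested_at: datetime          # timezone-aware UTC
    action: str                     # e.g. "sms_otp", "password_reset", "payment"
    new_ip_country: bool = False    # IP geolocation differs from the account's history
    new_device: bool = False        # device fingerprint never seen on this account


def make_request(phone_number: str, iso_time: str, action: str,
                 new_ip_country: bool = False, new_device: bool = False) -> VerificationRequest:
    """Build a request from an ISO-8601 timestamp such as '2024-03-01T09:45:00+00:00'."""
    ts = datetime.fromisoformat(iso_time)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return VerificationRequest(phone_number, ts, action, new_ip_country, new_device)


def lookup_last_sim_change(phone_number: str) -> Optional[datetime]:
    """Hypothetical carrier query; a real integration would call the carrier API here."""
    return CONSTRUCTED_CARRIER_SIM_CHANGES.get(phone_number)


def sim_change_recency_score(last_change: Optional[datetime], now: datetime) -> float:
    """0.0 (no recent change) to 1.0 (changed just before the request).

    The 12-hour band follows the window in which the interview says most
    damage happens; the other bands are assumptions.
    """
    if last_change is None:
        return 0.0
    age = now - last_change
    if age < timedelta(0):
        return 1.0  # change timestamp in the future: treat clock skew as suspicious
    if age <= timedelta(hours=12):
        return 1.0
    if age <= timedelta(days=7):
        return 0.6
    if age <= timedelta(days=30):
        return 0.3
    return 0.0


def risk_score(req: VerificationRequest) -> float:
    """Weighted aggregation of signals (weights are assumptions), clipped to [0, 1]."""
    score = 0.6 * sim_change_recency_score(lookup_last_sim_change(req.phone_number),
                                           req.requested_at)
    score += 0.2 if req.new_ip_country else 0.0
    score += 0.2 if req.new_device else 0.0
    if req.action in HIGH_VALUE_ACTIONS:
        score *= 1.25  # a recent swap matters more when the action is high value
    return round(min(score, 1.0), 2)


def decide(req: VerificationRequest, step_up_at: float = 0.3, review_at: float = 0.7) -> str:
    """Map the score to the outcomes the interview names: allow, delay/step up, manual review."""
    score = risk_score(req)
    if score >= review_at:
        return "manual_review"
    if score >= step_up_at:
        return "step_up"  # require a factor the swapped SIM cannot receive, e.g. an app prompt
    return "allow"


if __name__ == "__main__":
    demo = [
        make_request("+15551230001", "2024-03-01T09:45:00+00:00", "password_reset", new_device=True),
        make_request("+15551230002", "2024-03-01T09:45:00+00:00", "sms_otp"),
        make_request("+15551230001", "2024-03-05T10:00:00+00:00", "sms_otp"),
        make_request("+15551230003", "2024-03-01T09:45:00+00:00", "payment",
                     new_ip_country=True, new_device=True),
    ]
    for r in demo:
        print(f"{r.phone_number} {r.action:15s} score={risk_score(r):.2f} -> {decide(r)}")
```

The function returns a decision rather than blocking anything itself, which mirrors the team's point that the score is meant to feed the customer's own model. The "step_up" outcome is the important one for the failure mode discussed here: when the SIM has changed recently, a fallback that sends another SMS code is useless, since the attacker holds the number, so the step-up factor has to be something the swapped SIM cannot receive.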
An ‘iterative model’
As attackers employ new SIM swap tactics, teammates must innovate to keep up.
Pepin: It’s always something new and different. Combating what new attack or attack vector will pop up, on our side and our customers’ side, is what keeps the job interesting.
Patel: Fraudsters are always on the move to identify newer gaps. For us, it’s always an iterative model, where we have two-factor authentication and our scoring solutions. We constantly iterate and evolve those solutions based on new insights.
Embree: Human fraudsters are not just humans — they’re writing code, building their own things to automate fake account creation, or whatever it is that they’re doing. It’s kind of an arms race that we’re trying to stay out in front of.