Telecommunications regulator ACMA has targeted “particularly egregious” SIM-swapping attacks with new policies that will force telcos to improve their methods for verifying customer identification before transferring their service to a new mobile number.

The new Telecommunications Service Provider (Customer Identity Authentication) determination, which will come into effect from 30 June, will require telcos conducting “high-risk customer interactions” to apply stricter procedures for verifying not only the identity of the person requesting services such as a new SIM, but also verifying that they are in possession of the device it relates to.

As well as requesting two forms of account or personal information, staff at telco stores will be required to call the number and confirm that it rings on the phone of the person standing in front of them.

Call-centre staff will have to call back the number on the customer’s account to confirm they are making the request, while online enquiries will be verified by sending a “unique verification code or hyperlink” to the listed service and confirming that the customer has received them.

The crackdown comes as ACMA works to clamp down on SIM-swapping attacks in which cybercriminals emulate a legitimate mobile user, instructing the telco to transfer the victim’s mobile service to a SIM card that they control.

Criminals then log onto a banking, cryptocurrency, or other account and request a password change – causing the site to text a confirmation code to what it assumes is the customer’s mobile.

SIM-swapping cybercriminals have proved adept at assuming their victims’ identities to order goods, steal cryptocurrency, raid bank accounts, and more.

Victims often only become aware when their mobile phone service stops working – when they have no coverage and ‘SOS only’ appears on the phone – or when they log onto banking or cryptocurrency accounts to find they have been cleaned out, with average losses of more than $10,000 per incident.

“Scammers are forever finding new ways to steal personal details and rip people off. SIM-swap fraud is particularly egregious as it leads to identity theft and significant financial losses,” said Fiona Cameron, chair of the ACMA’s Scam Taskforce, in announcing the new policies.

“We expect these rules will go a long way to stamping out unauthorised transactions like SIM-swap fraud, and improve safeguards for telco customers.”

In February, Spanish police arrested eight criminals for tricking employees of mobile phone stores into providing duplicate SIM cards that let them bypass the security on victims’ Internet banking accounts.

The US FBI’s Internet Crime Complaint Center (IC3) has blamed the practice for $90m in reported losses, from 1,611 reported incidents, last year alone.

Getting telcos onboard

The speed of SIM-swapping attacks, which are often completed within a few hours, has made the involvement of telcos crucial – but existing identification processes have been flagged as being grossly inadequate.

In the past, customers could call their mobile provider and request a replacement SIM card, or redirect their phone number to a new SIM card, simply by providing their name, address, phone number, and date of birth – all easily sourced online by determined cybercriminals.

Previous verification processes were so lax that ACMA last year formally warned Telstra, Optus, and Medeon Mobile for failing to adequately identify customers on 106 occasions.

“Historically it has been too easy to transfer phone numbers from one telco to another,” ACMA chair Nerida O’Loughlin said at the time, noting that the agency’s recent crackdowns on customer verification – including the introduction of the Telecommunications (Mobile Number Porting Additional Identity Verification) Industry Standard 2020 – have reduced reports of fraudulent porting by more than 90 per cent.

Earlier this year, Telstra went a step further by collaborating with Australian banks, which will request a numeric risk rating from the telco – reflecting any recent SIM swaps or other potentially problematic changes to the service – when a bank customer requests a change of contact number.

Telstra has also encouraged customers to interact with its services using its MyTelstra app, a direct channel into the telco that allows customers to identify themselves using biometrics or a dedicated PIN.