Telstra will share information about its mobile services with Australian banks in an effort to reduce identity theft by clamping down on ‘SIM swapping’ attacks that have seen billions drained from victims’ bank accounts and cryptocurrency wallets.

In a SIM swapping attack, a criminal actor uses personal details to convince their mobile carrier to transfer a victim’s mobile number to a new SIM card – something that would normally be done if a phone were lost or a SIM card damaged.

By inserting the new card into their own phone, the criminal can send and receive messages on the victim’s behalf – a capability that then allows them to bypass the authentication processes of email, banking, and other services.

Telstra’s new service will see the telco sharing details about its customers’ mobile services with banks, which will check with Telstra when a customer registers a mobile number as their contact.

A numeric risk rating will let the bank know whether there have been any recent changes to the service, allowing them to investigate further, rather than blindly assuming the person on the other end is in fact their customer.

The risk ratings are only advisory and won’t stop customers from completing transactions.

“Not all SIM swaps or porting activities are indicators of crime,” Michael Ackland, group executive for consumer and small business with Telstra, said in introducing the new service.

‘That’s why the role we’re playing is to provide more information to help other organisations piece together the puzzle…. It simply indicates to the bank or other organisation to obtain more information before proceeding.”

Telstra will initially focus on the banking sector, but the scheme may also be applied to retail, insurance, transport and logistics, social networking, and online gaming.

Keys to the kingdom

Unlike ransomware or other malware attacks, SIM swapping happens with no involvement by victims that often only find about the attack when they log on to check their account balance and find it has been cleaned out.

That has made it a thorn in the side of a digital world where online services are increasingly protected by two-factor authentication (2FA) built on the assumption that the legitimate customer is the only one with access to their mobile number.

Such systems send users a numeric passcode to confirm their authenticity when resetting their password, changing account details, or initiating a transaction.

Use of 2FA by cryptocurrency exchanges has made them particularly prominent targets for SIM-swapping criminals, who are regularly changing account details and emptying the accounts of unwitting targets.

In November, for example, US authorities indicted a man for stealing over $733,000 ($US530,000) worth of cryptocurrency from 10 victims while Canadian authorities arrested a teenager who stole around $50m (CAD 46m) with SIM swapping.

Another victim – an angel investor from whom criminals took 100 bitcoin, worth around $1m in 2019 and $5.8m today – is pursuing legal channels over systemic failures that enabled a teenager on the other side of the US to take over his mobile phone service.

Employees of mobile-phone stores are also being implicated, either for abusing their access to customer records or for taking bribes from cybercriminals paying them to facilitate the switches.

Australians reported $10.1m in losses to identity theft during 2021 – more than triple the 2020 figure, according to figures from the ACCC’s ScamWatch service that represent just a fraction of the losses from a crime that has long had telecommunications experts pushing telcos for stronger methods of verifying customer identities.

The Telecommunications Industry Ombudsman (TIO) has published guidance for telcos that it expects must “take proper care in swapping a SIM”.

The new risk-rating service is the latest in a series of measures Telstra has implemented to clamp down on fraud as part of its Cleaner Pipes initiative, which the company says has blocked over 100m scam calls and is blocking “millions and millions” more calls every day.

“When you sign up with Telstra,” Ackland said, “we believe we have a duty of care to keep you safe from threats that come in from outside the network.”

“While we will never prevent every scam or cybercrime, our aim is to prevent as many as possible by making it as hard as possible for scammers to succeed.”