[LINK] Australia Considers New Rules to Prevent SIM Swaps

Kim Holburn kim at holburn.net
Tue Dec 14 11:09:23 AEDT 2021


https://commsrisk.com/australia-considers-new-rules-to-prevent-sim-swaps/


> The Australian Communications and Media Authority (ACMA) has proposed new rules that would force telcos to implement tougher 
> checks of a customer’s identity before completing ‘high risk’ interactions such as issuing replacement SIM cards.
>
>     Unfortunately, there is clear evidence that scammers continue to target SIM swap processes, with some data sources indicating
>     ongoing harms have increased. ACMA analysis shows that between January and May this year, more than 80% of mobile number fraud
>     resulted from unauthorised SIM swaps.
>
>     We have data from government agencies, telecommunications providers and other bodies that provide a strong indication of about
>     /(sic)/ ongoing realised harm. We estimate the average loss per mobile number fraud to be $28,715 [USD20,870] and we are aware
>     consumers are likely to under-report fraud to authorities due to embarrassment and reputational issues.
>
> SIM swaps are the main current motivation for increased controls but the ACMA wants rules that anticipate the way fraudsters adapt 
> their methods.
>
>     There is also emerging evidence that scammers are targeting other telecommunications customer interactions. For example,
>     scammers have used personal information to facilitate other types of fraud, such as ‘purchasing’ expensive handsets on a
>     customer’s account or gaining full access to customer accounts and payment details. This suggests that if fraud from
>     unauthorised SIM swap is prevented via new obligations, scammers will quickly pivot to target other points of weaknesses.
>
> The ACMA wants multi-factor authentication (MFA) of “all customer interactions at high risk of fraud”. Their proposals outline 
> three examples of MFA.
>
>   * Manual/visual comparison of a person’s face against a photograph on a primary piece of evidence
>   * Verification of a biometric template collected at registration against a biometric template held by an authoritative source
>   * Knowledge-based authentication
>
> Some Australian telcos are already using MFA to reduce fraud.
>
>     In taking this step, we note that some providers have already introduced multi-factor identity verification arrangements, or
>     are in the process of doing so, under guidance material developed by Comms Alliance. It is demonstrable that providers that
>     have already implemented these processes are experiencing significantly less fraud involving their customers.
>
> The ACMA would normally allow telcos to succeed with their voluntary efforts before imposing new obligations, but this time they 
> want regulations to be in place so they can take enforcement action against any laggards. They also want the freedom to quickly 
> extend these rules whenever new fraud risks become apparent.
>
> It seems unlikely that Australian telcos will raise objections, though some may want more detailed rules from the ACMA. The 
> current proposal is vague in several areas. For example, there is no exhaustive list of situations that require MFA. It is clear 
> what is required when asking a member of staff to compare photo ID to somebody’s actual face, but the standard for knowledge-based 
> authentication could vary greatly. Questions might be as tough as reading out a code from an authenticator app or as trivial as 
> asking the maiden name of the customer’s mother.
>
> The deadline for responses to the ACMA consultation is December 15. You can read the ACMA’s proposal here 
> <https://www.acma.gov.au/consultations/2021-11/proposal-make-telecommunications-service-provider-customer-identity-verification-determination-2021-consultation-392021?utm_medium=email&utm_campaign=ACMA%20consults%20on%20new%20telco%20rules%20to%20prevent%20identity%20theft&utm_content=ACMA%20consults%20on%20new%20telco%20rules%20to%20prevent%20identity%20theft+CID_71a7ce49ad7c9069c645cb2db8b97782&utm_source=SendEmailCampaigns&utm_term=making%20new%20rules>.
>

-- 
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:kim at holburn.net   aim://kimholburn
skype://kholburn  - PGP Public Key on request


