Fraud manager urges tech developers to secure mobile wallets against SIM-swap scams

Dane Nicholson, manager of special investigations in the Fraud Prevention Unit at National Commercial Bank Jamaica, NCB, wants financial institutions to pay greater attention to security features during the development of mobile wallets amid a rise in fraudulent cases via SIM card swaps.

The mobile wallet market, which is still in its embryonic stage in Jamaica, is heavily marketed around the convenience and time-saving benefits consumers could gain from switching out plastic cards or cash for an application that stores payment card information on a mobile device.

NCB is the only bank with a wallet on the market that can facilitate facilitate transactions using Jamaica’s digital currency Jam-Dex, among other usages, but another three banks – First Global, JMMB Bank and JN Bank – have said they will be coming to market with their digital wallets by mid-2023.

NCB’s Lynk has little over 100,000 users, who can conduct peer-to-peer transfers; conduct digital payments with over 2,000 merchants predominantly in the food and beverage, fashion, and consumer goods categories; as well as top-up their mobile devices with credit on local telecoms networks.

The innovation has considerable potential to change how consumers make purchases and enhance their shopping experiences, but it comes with its own risks, one of the biggest worries being SIM swap – also known as SIMjacking – a form of identity theft where a criminal steals your mobile phone number by assigning it to a new SIM card.

Fraudsters looking to carry out targeted financial crimes can then insert the new SIM into a different phone to access an individual’s accounts and do real damage.

Nicholson, who issued the warning Thursday during the annual Jamaica Bankers Association/Jamaica Institute of Financial Service anti-fraud seminar in Kingston, said for those preparing to launch wallets, there are options they can explore to safeguard against fraud while addressing the topic ‘SIM-swapping, Social Media Phishing and Account Rental – Your Defence’.

“Financial institutions must put in place compensating cybersecurity controls for mobile wallets rather than just a two-factor authentication where you just text the customer a code in order to gain access to the wallet,” Nicholson told the Financial Gleaner.

“They have to use some biometric or device binding id application, so even if there is a SIM swap there are other control measures in place,” he said.

For example, he said that if a fraudster gains access to a customer’s SIM card, added security features such as International Mobile Equipment Identity code, IMEI, video validation or some other unique variable would deny fraudsters access to accounts on the mobile wallet. IMEI is a 15 to 17-digit code that is given to every mobile phone. This number is used by service providers to uniquely identify valid devices.

“The idea is to use verification options that are not available externally or within the company, it would have to come from the customer themselves,” he said.

Over the past 18 months, cyberscammers have stolen nearly $100 million from more than two dozen bank accounts. Two of the SIM-swap cases were considered significant, involving a total of $61 million and US$133,000, the Financial Investigations Division has said.

Internationally, the haul from SIM-swap scamming was estimated at US$68 million in 2021.

While Nicholson urged the financial institutions to put up guardrails, he said some of the responsibility rests with the telecommunication companies as well as customers who sometimes overshare personal information on social media platforms.

“There is one other control that we can do and that’s on telecommunication providers to tighten know-your-customer requirements as well as to strengthen their relationship with government agencies such as the tax authority of Jamaica to improve verification processes,” he said.

He added that the introduction of encrypted codes to complete the SIM replacement process would be a deterrent to fraud.

“It goes without saying that the code must be encrypted and not be available to internal staff, only to the customer,” he added.

Telecommunications provider Flow Jamaica in response to concerns about gaps in the SIM replacement process last month said the company has implemented “robust policies and processes” to protect customers, including mandatory photo/visual identification verification for SIM card replacement.

Director of Communications Kayon Mitchell also said the telecoms processes include a system check and verification of customer data and a test call to the number for which the replacement card is requested.

“In an effort to fight fraud nationally, we have partnerships with various institutions and entities and collaborate where possible. We also continually review and update our processes to manage the threats,” Flow said at the time.

karena.bennett@gleanerjm.com