Food writer and campaigner Jack Monroe has become the latest high-profile victim of a SIM-swap scam, losing over £5,000 from her PayPal and bank accounts to a criminal who intercepted SMS authentication codes. The Payment Services Directive requires that fraud victims get their money back, but banks act slowly and sometimes push the blame onto the victims. When (as I hope it will) the money does eventually get reimbursed, she’s still unlikely to get compensation for any consequential losses, nor for the upset caused. It’s no surprise that this experience has been stressful for Jack, as it would be for most people in her situation.
I am, of course, very sympathetic to victims of SIM-swap fraud and recognise the substantial financial costs, as well as the sense of violation that results. Naturally, fingers are being pointed at the phone companies, followed by calls for them to do better identity checks before transferring a phone number to a new SIM card. I think this isn’t entirely fair. The real problem is that banks and other payment service providers have outsourced authentication to phone companies without ensuring that the level of security is appropriate for the sums of money at risk. Banks could have chosen to distribute authentication devices and find a secure way to re-issue ones that are lost. Instead, they have pushed this task onto unwitting phone companies and leave their customers to pick up the pieces when things go wrong, so they have no incentive to do better.
More secure SMS authentication
But what if phone companies did do a better job of handing out replacement SIM cards? Maybe the government could push them into doing so, or the phone companies might just get fed up with the bad press. Phone companies could, in principle, set up a process for re-issuing SIM cards that would meet the highest standards of the banking industry. Let’s put aside the issue that SMS was never designed to be secure, and that these processes would push up the cost of phone bills: would it fix the problem? I would argue that it would not. Processes good enough for banking authentication could lock people out of receiving phone calls, and disproportionately harm the most vulnerable members of society.
Making phone calls is a different task from payment system authentication, and they should be separate systems. I think one of the most important reasons is that the two activities have different requirements for the speed of replacing a lost device. This characteristic is critical for ensuring that re-issuing processes are secure enough.
Replacing banking authentication devices is quite slow. Sometimes you need to wait for a letter, and sometimes you need to go into a branch. The delay is tedious but is vital for security. The time between the process starting and the new device being active gives an impending fraud victim more opportunity to spot a scam in progress before money has been taken. Having a slow re-issuing process is tolerable because there are usually other ways customers can do transactions while waiting.
In contrast, any delay in recovering access to a phone number can be costly. A study by SimplySecure found that in the gig economy, customers who miss a phone call risk losing out on a shift, and possibly being tarred as unreliable and passed over for future work. Losing a phone would already put a strain on many people’s finances. Waiting days for a replacement SIM to be active, missing phone calls, all while phone credit is locked up, could easily be the trigger for a cycle of financial difficulties. There’s a clear need for a quick and easy process to re-issue a SIM card. There would still be a risk of SIM-swap attacks, but if we move payment authentication away from SMS, the value of a phone number to criminals is no longer as high: little remains beyond call credit, which the phone company should reimburse.
Separating authentication and phone calls allows their different security requirements to guide the design of appropriate processes for recovering from lost devices. SMS-based authentication codes force two distinct activities to share infrastructure, leading to trade-offs that are inadequate for either. That’s not to say that SIM cards cannot play a part in a better solution, as long as the authentication application is separate from the phone number. Customers could receive phone calls on a re-issued SIM before the authentication application had keys loaded following enhanced security checks. Banks and financial institutions can make the choice of authentication technology they think is appropriate, but they must accept responsibility for their decision and not pass costs onto the victims of fraud.
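To make the separation concrete, here is a small simulation I have added to illustrate the argument above (it is not code from the original post, and the banks, carrier, customer name and phone number in it are constructed for the example). It models a toy carrier in which a number is re-issued to a new SIM instantly, a bank that texts one-time codes to the number, and a bank whose codes are derived from a per-device HMAC key (HOTP, RFC 4226) that is only re-issued after an enhanced check and a cooling-off period. In the SIM-swap scenario the attacker, who now holds the number, passes the SMS bank's login but gains nothing against the device-key bank, while the victim gets her phone service back on day 0 and her replacement key on day 3. The cooling-off period of three days is an assumed parameter, not a figure from the post.

```python
import hashlib
import hmac
import secrets
import struct

# Test key from RFC 4226 Appendix D, used so that the scenario is repeatable.
RFC4226_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PhoneNetwork:
    """Toy carrier: each number is served by exactly one SIM, and SMS is delivered to
    whatever SIM currently holds the number. Re-issuing a SIM is instant."""

    def __init__(self):
        self.sim_for_number = {}
        self.inbox = {}

    def issue_sim(self, number, sim_id):
        self.sim_for_number[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def send_sms(self, number, text):
        self.inbox[self.sim_for_number[number]].append(text)

    def can_receive_calls(self, number, sim_id):
        return self.sim_for_number.get(number) == sim_id


class SmsCodeBank:
    """Authentication outsourced to the phone number: the code is texted to it."""

    def __init__(self, network):
        self.network = network
        self.pending = {}

    def start_login(self, number):
        code = str(secrets.randbelow(10 ** 6)).zfill(6)
        self.pending[number] = code
        self.network.send_sms(number, f"Your login code is {code}")

    def finish_login(self, number, code):
        return hmac.compare_digest(self.pending.pop(number, ""), code)


class DeviceKeyBank:
    """Authentication bound to a per-device key. A replacement key is released only
    after an enhanced identity check and a cooling-off period, regardless of whether
    the customer already has a working phone number again."""

    def __init__(self, cooling_off_days):
        self.cooling_off_days = cooling_off_days
        self.keys = {}     # customer -> [key, next HOTP counter]
        self.reissue = {}  # customer -> day the re-issue request was made

    def enrol(self, customer, key=None):
        key = key or secrets.token_bytes(20)
        self.keys[customer] = [key, 0]
        return key

    def request_reissue(self, customer, day):
        self.reissue[customer] = day

    def activate_replacement(self, customer, day, enhanced_check_passed):
        """Return the new key, or None if the check failed or the delay has not elapsed."""
        started = self.reissue.get(customer)
        if started is None or not enhanced_check_passed:
            return None
        if day < started + self.cooling_off_days:
            return None
        del self.reissue[customer]
        return self.enrol(customer)

    def login(self, customer, code):
        key, counter = self.keys[customer]
        if hmac.compare_digest(hotp(key, counter), code):
            self.keys[customer][1] = counter + 1  # never accept the same code twice
            return True
        return False


def sim_swap_scenario():
    """Day 0: attacker obtains a replacement SIM for the victim's number; the victim
    then gets her own replacement SIM at once but waits for a new authentication key."""
    number = "+447700900123"  # constructed sample number
    network = PhoneNetwork()
    network.issue_sim(number, "victim-sim")
    sms_bank = SmsCodeBank(network)
    key_bank = DeviceKeyBank(cooling_off_days=3)  # assumed policy, not from the post
    key_bank.enrol("jane", RFC4226_SECRET)

    network.issue_sim(number, "attacker-sim")  # the SIM swap

    # SMS bank: the code goes to whoever holds the number, i.e. the attacker.
    sms_bank.start_login(number)
    stolen_code = network.inbox["attacker-sim"][-1].split()[-1]
    sms_attacker_wins = sms_bank.finish_login(number, stolen_code)

    # Device-key bank: the number gives the attacker neither the key nor a replacement.
    key_attacker_wins = key_bank.login("jane", "123456")
    key_bank.request_reissue("jane", day=0)
    attacker_key = key_bank.activate_replacement("jane", day=0, enhanced_check_passed=False)

    # Victim: phone service restored immediately, authentication key after the delay.
    network.issue_sim(number, "victim-sim-2")
    early_key = key_bank.activate_replacement("jane", day=1, enhanced_check_passed=True)
    new_key = key_bank.activate_replacement("jane", day=3, enhanced_check_passed=True)
    victim_logs_in = key_bank.login("jane", hotp(new_key, 0))

    return {
        "sms_attacker_wins": sms_attacker_wins,
        "key_attacker_wins": key_attacker_wins,
        "attacker_gets_replacement_key": attacker_key is not None,
        "victim_can_call_on_day_0": network.can_receive_calls(number, "victim-sim-2"),
        "victim_key_before_cooling_off": early_key is not None,
        "victim_key_after_cooling_off": new_key is not None,
        "victim_logs_in": victim_logs_in,
    }
```

The point of the two banks side by side is that the SIM-swap does not have to be prevented for the device-key bank to be safe: the carrier's fast, low-friction re-issue process is left alone, and the slow, high-assurance step is attached to the thing that actually moves money.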