Experts call for urgent tightening of SIM swap process
by Jumoke Akiyode
July 18, 2017 | 6:50 am| | | Start Conversation
…as fraudsters infiltrate customers’ mobile banking
Experts in the banking and financial sector have called on telecommunications operators to tighten their SIM swap processes, as fraudsters have recently infiltrated customer’s mobile banking.
This development is coming at a time when there has been an increase in the use of Unstructured Supplementary Service Data (USSD) codes and mobile application banking by customers, thereby making it easier for the criminals to attack the finances of unsuspecting customers.
The banks have revealed after investigations made that customers’ SIMs are being swapped by telcos without necessarily conducting biometric and identification checks.
“The bank is not involved with anything that has to do with changing SIMS, the phone number of a customer cannot be changed in any bank without the customer following due process, which is walking into a bank branch, filling the appropriate form and submitting a valid identification card, so if a customer has stopped using the number registered with the bank and the telecoms operator issues that same number to someone else, the person can gain access to the account using USSD codes and mobile banking,” Yemi Atanda, Head of E-banking, GTBank, told BusinessDay in a telephone interview.
BusinessDay finds that mobile apps released by banks and USSD, as well as mCash released by Nigeria Inter-Bank Settlement System (NIBBS) has further fueled the growth of cashless interbank transactions which grew by 200 percent between January and December 2016.
With the commencement of cashless policy in Lagos in 2012 many Nigerians have adopted the method of making online, mobile or point of sales terminal (PoS) payments with their debit cards. However, a significant number of Nigerians still doubt the security of digital banking services in the country.
Telecommunications operators have however denied the accusation of careless SIM swaps, saying that the security of any individual or corporate account lies in the hands of the banks which are regulated by the Central Bank of Nigeria (CBN) and that there is a maximum transfer limit allowed through the use of mobile phones.
“The SIM swap process can only be done by the individual who claims to have lost his/her SIM or phone. When the customer appears in the service outlet, proper ID validation from the SIM registration database would be administered and the customer would also have to answer certain security questions before being issued a replacement SIM,” a BusinessDay source said.
Olusola Teniola, President, Association of Telecommunications Companies of Nigeria (ATCON) says that the mobile application to mobile banking server communication session is the responsibility of the bank and not the telco, as the activity in between the mobile app and the banking system is not under the control of the telecom company.
“This is a bank-led mobile payment scheme that is regulated by the CBN and therefore not under the Nigerian Communications Act (NCA 2003). Any loss involving USSD, SMS, Mobile application interacting with banking systems are the responsibility of the banking sector, irrespective of the underlying medium used to carry the bits and bytes that represent the data and control functions of the application,” Teniola Told BusinessDay.
However, Teniola confirmed that that there is no API available for banks and other Fintech companies to check the last time a SIM was changed, as the initialisation session of the mobile application may not have access to the SIM ORDER database mostly propriety to the mobile network operator.
On what the payment systems are doing to ensure maximum security on digital transactions, Godbless Uhunamure, Product Manager, NIBBS told BusinessDay that NIBBS is currently working with the telcos to further secure mobile payment systems.
“What we are doing now is that apart from the telephone number which can be given to someone else after the telephone line has been dormant for a very long time, we are ensuring that the IMEI number is also a factor to determine transaction success or failure.
With the new M-cash solution, the telco will be able to send a notice to the bank that will block the mobile transaction if the IMEI number does not match that of the initial phone number registered,” Uhunamure said.
The banks have also held sensitisation programs, urging customers to frequently update submitted data and notify their banks on change of phone numbers, addresses and names.
Big Read |