Bloomberg has an excellent article about the risk of SIM swapping. In short:
Based on court cases against convicted scammers, a typical scheme goes like this: a gang of SIM swappers will bribe low-paid telecom employees with thousands of dollars to give them control of a target’s phone number. With that phone number, the thieves can reset a victim’s passwords to seize their email inbox, social media profiles or their cryptocurrency wallets.
From there, the intruders try to steal as much money as possible before they lose access to the number.
The case illustrates a key factor in the success of SIM swaps: that phone company insiders are often crucial parts of the scam.
A $68 Million Scam That Relies on Telecom Insiders
In a modern, remote, electronic world where online verification is an essential part of our life, this remains a significant security weak link in many people’s lives.
In recent years, I’ve raised this issue directly with a Manx telecommunications provider, and when they belatedly bothered to respond, their responses were incredibly underwhelming.
It would be a pleasant change for Manx Telecom and Sure and other Manx telecommunications providers to proactively demonstrate that they have substantially mitigated this risk. This is what a serious community which was building a trusted and future-looking economy based on electronic access would demand of telecommunications operators.
Operators could prove their security by describing their processes, because we know that security through obscurity is no security at all. An adult legislature, or a serious media ecosystem, would look at risks such as SIM swapping, and demand answers from telecommunications providers on what they were doing to mitigate these risks. If the clowns in the Department for Enterprise were serious about attracting modern fintech business to the Isle of Man, they would proudly demonstrate that they held telecommunications providers to high standards – such as by expecting guarantees from such providers that they are safe.
Skin in the game
Currently, a security failure by Manx Telecom or Sure in this area appears likely to have a risk of causing significant harm to the end user – the victim of such theft. This is the opposite of our financial system. If a credit/debit card is stolen, the end user is not held liable for any such frauds and thefts if they have behaved reasonably. As a result, banks and merchants are very well incentivised to mitigate the risk of frauds and thefts.
But in the context of SIM swapping attacks, it seems unlikely that a Manx telecommunications provider would be held liable for the harm caused by their own security weaknesses. We could fix this by holding Manx telecommunications providers liable: and I suspect that we would see dramatic improvements very quickly!
In the meantime, the security and safety of the people and businesses of the Isle of Man remains at risk.
P.S. If any Manx telecommunications provider wants to demonstrate their robust strength against SIM swapping attacks, they should do so!