Two recent news stories on the same day, from events in the US and the UK, seemingly disparate with nothing in common, have me thinking that there is a common technology angle to both.
One is the result of using inappropriate technology altogether; the other, of using the appropriate technology but without the appropriate privacy measures.
SIM Swap Fraud
The first case, emanating from the US Department of Justice, relates to the alleged theft of almost $2.5m of cryptocurrencies using SIM Swap fraud to gain control of the cryptocurrency accounts and bypassing 2-factor authentication security controls. The SIM Swaps allegedly involved bribery of mobile network employees, although it has been shown repeatedly that social engineering and impersonation works equally well.
SIM Swap fraud is the illicit transfer of a person’s mobile phone number, by a third party, to a SIM under the control of that third party. That third party now receives all calls and texts to that number, and displays that number when ringing others. It is the virtual theft of the target’s mobile phone.
US Attorney General Matthew Schneider stated of the case, “Mobile phones today are not only a means of communication but also of identification”. And herein lies the problem. SIM Swap fraud, whilst perhaps not previously having been used in cryptocurrency theft, has been a fraud vector against Internet banking, text and phone-based 2-factor authentication for years in a number of countries around the globe.
It is a major problem in the UK, for instance. But it’s far from the only problem with relying on a mobile phone number for a security solution. The global mobile network signalling protocol, SS7, was itself hacked earlier this year, resulting in losses for a UK bank that also relied on SMS messages carrying Internet banking authorisation codes.
The SS7 vulnerability has long been known within the telecoms industry but would now appear to be within the reach of cyber criminals. Following this, Facebook has disclosed that its WhatsApp messaging app has been hacked, allowing attackers full remote access to a phone, including reading messages and eavesdropping on calls.
What all of this means is that a proxy, such as a text or call to a mobile phone number, can no longer be relied upon as a secure means of identity assurance. Proxies, including PINs and passwords, verify no more than knowledge or possession, i.e. someone knew that password, or someone controlling that mobile number received that text or call. They do not in any way assert the identity of the customer. If the number can be stolen, redirected, hacked or eavesdropped, it ceases to be a strong means of identity assurance.
The only way to assert the actual identity of a person within an authentication solution is through inherence, for example using a biometric. Only biometrics authenticate the identity of the person, as distinct from authenticating a proxy. Had voice biometrics been applied to those SIM Swapped calls, regardless of the employee collusion, the cryptocurrency theft would not have occurred.
Unlawful Biometric Voiceprints
Which leads to the second event, this one involving the UK’s tax agency, HMRC. HMRC is extremely well versed in fraud and its detection and prevention, given the significant value of welfare and VAT fraud in the UK. HMRC has also recognised that another form of proxy authentication commonly used in call centres, Knowledge Based Authentication (KBA), is far too easily bypassed by fraudsters.
It correctly decided to implement a voice biometric authentication solution to replace KBA, to not only improve security but also reduce the time taken to authenticate callers.
Unfortunately, in this case millions of enrolled users will have their biometric records deleted because consent was not obtained in accordance with the requirements of the General Data Protection Regulation (GDPR).
Whilst GDPR is a European regulation, almost every country has its own data protection and privacy regulations with regard to biometrics, and particularly the consent required to store and use them. Whilst many of these regulations are similar, it is still essential to understand the requirements and best practice of each individual country. Vendors undergoing data protection and privacy certification through independent certification bodies, such as EuroPriSe within the EU, also give their clients confidence that the solution will be implemented and used in a compliant fashion.
Whilst the end client, as the data controller, is ultimately responsible for the correct application of data protection legislation, the onus needs to be on biometric vendors to understand the data protection requirements of the countries in which they operate and to advise their clients appropriately. They, after all, are the experts in the technology, and that expertise needs to extend not only to use cases but also to the applicable laws, legislation and best practices.
To summarise, the lesson from these seemingly disparate events and use cases is that the correct technology in both instances is voice biometrics, but its implementation must take into account the data protection requirements that accompany biometrics globally.
By John Petersen, SVP Asia Pacific at ValidSoft