The Australian Media and Communications Authority (ACMA) revealed new industry rules on Friday that aim to protect consumers from SIM swap scams that have cost telco customers millions.
Under the new industry rules, stronger identity checks will be enforced, including the use of government online verification services in line with the federal government’s Trusted Digital Identity Framework and the National Identity Proofing Guidelines, as well as multi-factor identification and biometric data.
The ACMA rules will ensure that such measures are taken when telcos engage in “high-risk transactions such as SIM-swap requests, changes to accounts or [the] disclosure of personal information.”
Over a nine-month period in 2021, ACMA reported at least 510 accounts of reported fraud from scammers targeting customer authorisation processes, amounting to losses of AU$4.68 million. The largest reported single loss totaled AU$463,782.
Chair of ACMA’s scam taskforce Fiona Cameron said the new rules, laid out under the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, would come into effect as of June 30 this year.
“Scammers are forever finding new ways to steal personal details and rip people off. SIM-swap fraud is particularly egregious as it leads to identity theft and significant financial losses,” Cameron said.
“SIM-swap scams can cause a lot of harm as scammers take control of your phone number and then use that to gain access to your online banking accounts. We expect these rules will go a long way to stamping out unauthorised transactions like SIM-swap fraud and improve safeguards for telco customers.”
To enforce the new rules, ACMA will be granted the power to commence court proceedings against telcos that breach the outlined requirements.
Minister for Communications Paul Fletcher was adamant the new rules will protect consumers against further “harmful and costly” scams.
“The use of multi-factor authentication process is an effective tool in addressing fraud, because scammers might manage to steal one proof of identity such as your PIN, but they still need to obtain and use the other proofs of identity to access your account,” Fletcher said.
Earlier this year, Telstra said it was introducing a flag to note when a mobile number was recently ported, in an effort to make SIM swapping attacks harder and prevent one-time codes sent via SMS from being received by malicious actors.
“A recent SIM swap or port out on a user’s mobile number might indicate that the person who has access to that mobile service and is receiving one-time codes, might not actually be who they say they are,” Telstra consumer and small business group executive Michael Ackland said.
“When a request is made to us by a banking organisation we’ll provide a rating (in the form of a number on a risk scale) which gives an indication of whether there has been any recent SIM swaps or port out activity for the mobile service you’re using as a form of identity with that organisation.”
Telstra also noted at the time it was looking at using fraud-detection technology in retail, insurance, transport, social networking, and online gaming sectors.