
Telecom body calls for SSI adoption to cut SIM swap attacks


Self-sovereign identity (SSI) has long been an aspiration for many people working on digital identity and access to online services. Now various sectors are becoming convinced of the potential SSI holds to help them solve some of the major problems of specific industries, and the telecommunications industry is the latest example.

The Alliance for Telecommunications Industry Solutions (ATIS) is suggesting that telecoms consider adopting SSI as a means of combatting SIM swap fraud.

A 25-page report on the topic from ATIS argues that “SSI not only addresses the core vulnerabilities of current identity verification systems, but it also gives users cryptographic proof of their identity and ownership of their telephone numbers. By shifting the paradigm from centralized to user-centric, decentralized management, SSI stands as a pillar of resilience against the growing tide of telecom-related fraud.”

ATIS summarizes what SIM swaps are and their titanic costs: the FBI reports $72 million in losses each year to individuals and businesses in the U.S., while Canada’s telecom regulator counted more than 24,000 unauthorized number ports and SIM swaps from August of 2019 to May of 2020.

SIM swaps rely on the personal details of the victim being known to the attacker, usually through phishing or the sale of breached personally identifiable information on the dark web. The attacker phones the telecom operator to request a phone number transfer, and then defeats two-factor authentication based on device possession or one-time passwords.

The report summarizes SSI and reviews its treatment in eIDAS and by GLEIF.

The section on applying SSI to stop SIM swap fraud describes the use of a digital wallet on the consumer’s mobile device to store verifiable credentials. This not only improves security by enhancing subscribers’ control over their phone numbers, but also reduces carriers’ reliance on more traditional and vulnerable forms of identity verification and authorization.

“Furthermore, the implementation of SSI extends beyond the issuance of telecom-specific identities,” the report states. “Leveraging existing digital identity credentials, such as government-issued IDs or the newly introduced digital versions of mobile Driving Licenses (mDL) compliant with ISO 18013-5 specifications, which are currently undergoing deployment across various U.S. states, can significantly enhance a carrier’s onboarding and vetting processes.”

ATIS sets out several attack scenarios and how SSI would help mitigate them, and provides advice on how the industry can realize these benefits.

Stronger stakeholder collaboration is needed, ATIS says, and telecoms should be prepared both for more testing and for the challenges that arise during implementation.

The NFID Foundation, officially launched this week, is focused on bringing the benefit of SSI to physical access control.

Strengthening mobile-based authentication in the meanwhile

If telecoms are to adopt SSI, it will take time. The phishing and SIM-based attacks referred to in the ATIS report will continue to plague mobile security in the meantime.

Telesign has launched a new omnichannel verification API to provide alternatives to SMS authentication. SMS authentication costs are fluctuating, according to the announcement, and the API provides built-in protection against the vulnerabilities of this method while avoiding them.

The Verify API bundles communication via seven channels, including SMS, push, email and WhatsApp, to allow businesses to add new authentication channels with minimal resources.

“One thing that phishing attempts, social engineering schemes, and account takeovers have in common is that they can often be stopped at the ‘front door’ with powerful customer authentication technologies,” says Telesign CEO Christophe Van de Weyer.
