February 24, 2022

No Measures to Prevent Fraud Can Result in Fines

By Douwe Korff (Prof.), ValidSoft Data Protection Officer and Adviser

SMS-based authentication solutions pose serious risks to mobile network operators and financial services institutions.

All kinds of enterprises, from large banks to digital service providers, still rely on SMS messages containing one-time passcodes (OTPs) to secure services. Due to the inherent weaknesses in the global mobile telecommunications infrastructure, as well as the ease with which fraudsters can compromise mobile communications accounts, this is no longer secure or good enough.

In a recent case, the Spanish data protection authority, the AEPD, imposed a €4 million fine on the Spanish subsidiary of a major mobile network operator (MNO) for not preventing unauthorised SIM Swaps that resulted in fraud:

The perpetrators obtained a replica of the data subjects’ SIM cards through the telco, which could not verify the identity of the persons requesting them. The perpetrators used the SIM cards to carry out bank transfers from the data subjects’ online banking services (which verify their users’ identity via phone) and to transfer and spend money in other ways.

The AEPD held that:

The MNO did not act with enough diligence to prevent the circumvention of their security measures against identity theft. The AEPD stated that the MNO should have known the risk, which has a strong impact on data subjects’ rights and freedoms, and should have acted accordingly. According to the AEPD, the measures were obviously insufficient and inadequate since a significant number of other similar cases had occurred, and not just the nine cases reported to the authority.

The data protection supervisory authorities in other EU Member States are likely to take the same view, and this security risk clearly affects all mobile network operators, including the largest ones.

This clearly puts all European e-communication services providers on notice to address the serious issue of fraud resulting from SIM Swaps.

In other words, if the mobile networks can (justifiably) be criticized for allowing victims’ mobile accounts to be ported to fraudsters too easily, then the financial institutions should not allow such services to underpin the security of their customers’ financial services (bank) accounts. Indeed, the Payment Services Directive II (PSD2) is explicit that SMS-based authentication is insufficient for this very reason.

To paraphrase the data protection ruling, in the same vein:

Any bank must act with enough diligence to prevent the circumvention of its security measures against identity theft. Any bank will have known the risk, which has a strong impact on data subjects’ rights and freedoms, and should have acted accordingly. If a significant number of such cases occur, the measures taken are obviously insufficient and inadequate.

In sum: No company that holds precious data on its customers should ever rely on authentication based only on SMS text messages to customer phones. In fact, PSD2 does allow SMS to serve as a possession factor but not as a knowledge factor – i.e., only if there exists a separate knowledge or inherence factor is SMS as the possession factor compliant.

Failure to recognize this additional factor would mean that banks are now likely to be faced with serious fines – and these data protection security violations are also likely to be considered in relation to civil claims from customers.

ValidSoft offers complete reassurance against such risks (to banks, mobile network operators, and – most importantly – to their customers).

Our proven, precise voice biometric authentication solution verifies users’ real identities by creating distinctive voiceprints superior to other types of biometric authentication that can be spoofed or intercepted.

“Voice is mathematically superior and a unique human identifier to deliver immediate Identity Assurance of the customer.”

Visit www.validsoft.com or schedule a personal demo to find out for yourself.