NPC makes telco take measures against SIM-swap fraud; public warned on identity theft

The National Privacy Commission (NPC) has caused Globe Telecom, Inc. to enforce more stringent subscriber verification protocols to better protect its customers following reports that one of its prepaid mobile customers fell victim to identity theft, made possible through the perpetrator that resulted in the unauthorized access to the customer’s online banking account.

In a move to bar cyber-thieves from exploiting mobile authentication as a backdoor for fraudulent transactions, the NPC took Globe to task for security gaps in its SIM replacement procedures.

“A SIM card in the hands of a cyber thief makes mobile authentication meaningless, as it becomes almost like a master key for committing all sorts of identity fraud. It leaves the victim’s personal data vulnerable to all sorts of misuse and abuse, including access to email and Facebook accounts, and unauthorized ATM and online bank withdrawals. As gatekeepers of mobile authentication, we are asking Telco providers to upgrade their security measures,” said Privacy Commissioner and Chairman Raymund Enriquez Liboro.

In a meeting between NPC Complaints and Investigation Chief Francis Acero and Globe representatives, the telco company has committed to enforce a 24-hour delay in the activation of newly-replaced SIM cards to subscribers who reported a lost or stolen phone, if the prepaid subscriber is unable to present the SIM bed or unable to provide proof of identification in case the prepaid subscriber is a GCash user. This is to enable prepaid subscribers who may be victims of a SIM swap scheme ample time to respond to SIM replacement text notifications to the purportedly lost phone numbers and allow the subscriber a chance to cancel a malicious request and deter a mobile identity theft in progress.

In processing SIM replacement requests, Globe said it shall require subscribers to present government-issued ID cards as identity credential or the original SIM bed as proof of ownership.

Acero said the telco should also be able to utilize its GCash facility as an identity authentication platform for prepaid subscribers who use the service. “Telco utilities that use their mobile platforms for digital cash, quasi-banking, and money remittance services have ‘Know Your Customer’ or ‘KYC’ obligations that extend to protecting these clients from those who may defraud them,” Acero said.

Prior to this measure, the only security measure Globe provided was to require the person requesting a replacement card for an affidavit attesting to the truth of the loss of the SIM card. Liboro noted this was ineffective in protecting this latest victim from identity fraud. “We hope to see all telco operators in the country enforcing stringent measures to protect the privacy interests of their subscribers not just against mobile identity thieves but against all sorts of mobile fraudsters. Fraudsters thrive by being one step ahead of the game. Their fertile criminal minds exploit gaps in processing systems to execute their plan. We can beat them to it with more proactive steps like this and reacting quickly to fraud,” he said.

SIM swapping refers to the modus operandi where fraudsters illegally obtain from a telco operator a replacement SIM card not belonging to them and then use the number for fraudulent activities.

To prevent from getting victimized by SIM swap schemers, Liboro also called on the public to stop oversharing personal information on social media as well as with people who they barely know.

“Personal identity thieves and fraudsters start their schemes by collecting as much data about you as possible. They could be stalking your Facebook account, sending you phishing emails, or posing as credit card agents asking very detailed personal information. The risk these people pose is very real: your name can carry real financial value. Once these people commit crimes in your name, it can be very difficult to recover. Let’s stop feeding these schemers. Don’t share personal details on social media; transact only with privacy-compliant business agents who will seek your consent before asking for any personal data,” Liboro added.

# # #