Three UK takes on SIM-swappers with CallSign deal

via Flickr ©  shoe_scraper_of_death (CC BY-ND 2.0)

  • Operator to take extra measures to verify customers' identity
  • Sector expected to spend $6bn on security solutions this year
  • In cat-and-mouse game of cybersecurity, CSPs are the mice

Three UK has ramped up efforts to thwart fraudsters and protect customers by partnering with authentication specialist CallSign.

CallSign builds a profile of an end user that incorporates information like their handset model, approximate location, and typical behaviour. The information can be provided to banks to use as another means of authenticating a customer's identity. If someone phones the bank posing as a Three customer, that bank is much better equipped to detect when something fishy – or phishy, if you like – is going on.

The telecoms industry is one of the biggest spenders when it comes to security. IDC expects telco spending on security-related hardware, software and services to top $6 billion this year, and grow at a CAGR of 11.8 percent between 2018 and 2022.

Authentication is a major issue for mobile operators and online service providers, because the latter have been encouraging people to use their phone number as a means of verifying their identity. This is naïve for many reasons, the obvious one being that phone numbers can be recycled without the bank/social media company/email provider/e-commerce website's knowledge.

Phone numbers can also be obtained fraudulently via SIM-swap attacks. Once a ne'er-do-well has control of a phone number, they can attempt to authenticate with the bank, or Instagram etc., by getting it to send an SMS verification code to their illicitly gained number. This could grant them access to the victim's various online accounts; then all they have to do is change the passwords.

Aspiring SIM-swappers can use phishing emails or phone calls as a means to dupe customers into disclosing enough personal information for them to contact the victim's operator and order a new SIM. In the past they have also bribed telco employees to do their dirty work, transferring a customer's phone number to a new SIM, then transferring it back again once the attacker is finished with it.

Three UK dodged a bullet a few years ago when it emerged that criminals gained unauthorised access to customer information. They used it in an attempt to fraudulently obtain new handsets, rather than steal phone numbers, but it doubtless came as a nasty surprise to the operator.

Risks worth taking

Telcos that want to make the leap from CSP to DSP – that's digital service provider – in all likelihood don't want to abdicate responsibility for their customers' identity, which is why partnerships like those announced by Three and CallSign this week are significant.

It won't stop criminals from trying to steal customer data, though; it will merely divert their efforts towards another attack vector, and this is the point that is worth remembering when companies make pronouncements about stopping fraud in its tracks.

In the cat-and-mouse game of cybersecurity, the companies are the mice, constantly trying to fend off whatever crafty attempt the attacker might make next. They aren't the ones hunting down the criminals, they're the ones trying to stay one step ahead of them. Sometimes, as evidenced by all the high-profile data breaches we've seen in recent years, they are caught.
