Following a number of cases reported on the news, the NMHH reviewed the SIM card replacement practices of service providers this spring. This was because there were cases of fraudulent abuse that caused great financial damage, based on access to the victims' bank confirmation SMSs. To do this, the fraudsters first obtained the victims' personal and bank details, then used an authorisation with two witnesses to initiate a SIM card replacement with the service provider, claiming that the card they had been using had been lost or was no longer usable. Since the old SIM card was deactivated almost immediately, the criminals could misuse the SMS codes on the new card to carry out bank transactions, albeit for a short period of time, but still causing up to tens of millions of forints in damage.
The service providers, in cooperation with the infocommunications authority, tightened their processes in several steps, so that by the end of the audit the chances of fraud were significantly reduced. As of this autumn, SIM replacement for all three service providers will be possible through a procedure carried out by the residential subscribers in person. The NMHH also requested a full risk analysis from service providers to identify weaknesses in their processes and to assign protective measures thereto.
What specific solutions do service providers use to prevent fraud?
Telenor only accepts the authorisation of a person acting on behalf of the subscriber after verifying that the original SIM card is not working or is locked, as these are the reasons for a card replacement. In addition, it also delays the activation of the SIM card, while sending an SMS informing the subscriber of the need for a replacement, giving the potentially defrauded subscriber at least three hours to intervene and report the abuse to the service provider. For business subscribers, the company has introduced a one-off code linked to the number for card replacement purposes, which the official contact must request from the service provider before the replacement. A SIM card replacement procedure may only be carried out through a notarised authorisation and the code.
At Vodafone, an authorised representative can only take action on such matters if they present the SIM card to be replaced. In such cases, a courier will deliver the new card to the subscriber, or they will be called to confirm that they requested a replacement by entering the security code. For both residential and business subscribers, authorizations and original documents will be accepted only if certified by a lawyer or notary public.
In the case of residential subscribers, it is not possible to use an authorised representative at all with Telekom. For residential and business subscribers, the procedure involves checking the SIM card by calling its number. The company also plans to introduce additional security measures.
Consumer vigilance is important
The NMHH will continuously monitor whether the measures are effective in reducing this type of abuse. It is important to underline that these incidents were not due to any negligence on the part of the service providers. Users themselves are responsible for the protection of their own data and for handling it with care and caution. Therefore, the Authority reminds consumers to be always vigilant, to make informed use of communications services and to ensure safe data management.