Telcos cracking down on sim card hijacking, again - why this time is different

Sim card fraud sees a scammer take over your mobile phone number - so you lose access to it while they use it to help gain access to your bank account. Photo / 123rf

Mobile phone companies are making another attempt to crack down on sim card fraud, otherwise known as sim-card hijacking, or sim swap attack.

It's where someone approaches Spark, Vodafone or 2degrees, pretending to be you. They say they want to switch providers, then take over your mobile phone number, which they then use to help execute identity theft (see diagram below).

It's often a nightmare to unwind.

There will now be "two-factor authentication" - in the form of a txt message sent to your number, confirming that you do actually do want to change phone companies and take their number with them.

A customer must respond "YES" within two hours. Otherwise, their mobile number will not be transferred to a new provider.

How is this different from other crackdowns in the slow-moving, multi-year effort to clamp down on sim-card fraud?

"Previously it was an opt-in system - this way everyone who is porting has to say yes to proceed with the port," says Paul Brislen, head of the Telecommunications Forum, which among other things helps to co-ordinate number porting between its member telcos, who include Spark, Vodafone NZ and 2degrees.

"It makes it impossible for a scammer to slam your phone to another network and use that phone to authorise transfers of money," Brislen says.

"We've already had customers call in to say they didn't authorise a port and the telco fraud teams can work with them and their banks to determine if their other credentials have been compromised."

Number porting was introduced in the 2000s with good intent - to help boost mobile market competition. But although it achieved that goal, it also opened the door to sim-card highjacking.

And, for years, regulatory red tape helped stymie attempts to stamp out the crime. Telcos could not contact a customer to confirm they wanted to shift their number to a competitor - an inadvertent consequence of a ban on "win-back" marketing.

In May 2020, police issued an expanded warning, saying a spate of sim-card hijackings had cost 30 New Zealanders more than $1 million, including an Otago real estate agent who lost $120,000 after his Westpac password was changed via confirmation by txt.

A number of safeguards were introduced, with Spark switching to a system that required a customer to visit a retail store to confirm a switch.

However, the Government's Computer Emergency Response Team (Cert NZ) continued to report problems with sim card fraud.

Now, with a universal check finally in place, a phone number "cannot be ported without the owner's express permission", Brislen says.