Reduce Telco Scams With Voice Biometric Authentication
The Australian Communications and Media Authority (ACMA) has set out new rules for the telecommunications industry to protect consumers from high-risk transaction scams through better multi-factor authentication processes. The Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 will come into force from June 20, 2022.
Scams in Telecommunications
Scams targeting customer interactions with telecommunications providers have cost individual Australian victims an average of AUD 28,000. These scams include, but are not limited to, SIM-swap requests, disclosure of personal information and changes to an account.
A SIM-swap request is when a person requests a new SIM card via their telecommunications provider. The old phone number is then transferred over to the new SIM card. Fraudsters can exploit this process by stealing their victim’s personal information and impersonating them when requesting a SIM-swap. Once the phone number is transferred over to the new SIM card, the fraudster will be able to access the victim’s various accounts. This scam is effective as many consumers rely on their phone number and device to verify their identity. For example, a fraudster who has just committed a SIM-swap scam can attempt to log into their victim’s account and receive the one-time passcode via text message. Once the fraudster enters the one-time passcode, they will be able to access the victim’s account.
Improving Security with Multi-Factor Authentication
Telecommunications providers will need to verify a user’s identity through multi-factor authentication. This involves requiring two or more verification factors to prove their identity and gain access to their account. A multi-factor authentication approach helps reduce the chances of scam attacks as it adds another layer of security.
While requiring multi-factor authentication is a step in the right direction, telecommunications providers should be wary of insecure and outdated security methods. For example, device-based authentication methods such as one-time passcodes and fingerprint authentication may not be the most secure option available. A one-time passcode does not actually prove the user’s identity, as anyone with access to the device can obtain and input the one-time passcode. If a bad actor has access to a device, they can add their own fingerprint as an authorizing factor by simply using the access code.
Voice Biometrics as a Factor
Auraya recommends voice biometrics as the preferred additional verification factor. Unlike fingerprint authentication, Auraya’s voice biometric technology is not required to be stored on the device. Voiceprints are stored behind the telecommunications provider’s secure firewall. The telco can simply ask the person attempting to authorize a SIM swap to say a one-time passcode. The authorized user provides the authorization code in their own voice and is conveniently verified, and the telco has a non-repudiable digital signature authorizing the legitimate request. Bad actors will be thwarted even if they have managed to get physical or virtual control of the trusted device.
Requiring users to verify their identity by speaking their phone or account number also provides multiple verification factors. Telecommunications providers can verify the device used (what they have), verify their phone or account number or transaction code (what they know) and verify their voice (what they are).
Auraya has engineered its voice biometric technology to be platform and language independent, allowing organizations to verify their customers’ identity on any platform, and using any language. Whether it’s during an IVR sequence in a contact center call, transacting in a mobile app or chatting with a chatbot, organizations can verify customers seamlessly and securely.