Orange, Free, Bouygues Telecom and SFR are uniting against fraud and identity theft by joining the GSMA Open Gateway. Operators have developed two tools to combat SIM swapping and digital scams.
France is going through an extremely turbulent period in terms of cybersecurity. The country has become a prime target for hackers, who have hit French businesses hard in recent months. Boulanger, Truffaut, Picard, Cultura, Auchan, Molotov, Le Point, Mediboard, La Banque de France, Norauto… Even the telephone operators have not been spared! Last November alone, Free was the victim of a new intrusion, which resulted in the theft of the personal data of millions of subscribers, including IBANs, and SFR saw the personal data of 3.6 million subscribers revealed on Telegram. These leaks only feed the already well-stocked databases on the Dark Web, which gives attackers plenty of material for formidable offensives against Internet users!
The figures are quite telling. The number of cases of digital identity theft has increased by 40% over the past four years, according to figures from the French Interior Ministry. Similarly, 80% of French businesses say they have experienced online fraud attempts, with 45% saying online fraud has increased over the past 12 months. In short, the problem is not to be taken lightly!
In response, the four major mobile operators in France – Bouygues Telecom, Free, Orange and SFR – announced in a press release that they are joining the GSMA Open Gateway, an initiative launched by the association that represents the interests of mobile operators around the world. Their goal: to provide universal APIs for their services to help app developers and businesses fight online fraud and protect mobile customers’ digital identities. A way to pull the rug out from under hackers.
GSMA Open Gateway: APIs to fight online fraud
The four operators have developed two application programming interfaces (APIs) for enterprise developers, designed according to the new CAMARA standard, which aims to harmonize specifications between mobile operators. The first, called KYC Match, allows businesses to check the information provided by their customers against verified records held by the user’s mobile network operator, as part of their KYC (Know Your Customer) process. The operators rely on the personal data they hold about their subscribers, such as mobile phone number, name, postcode, address, date of birth and email address. However, no personally identifiable information is shared in the process. This should make it possible to combat illegal activities such as money laundering, fraud, identity theft or terrorist financing.
The second API is called SIM Swap and, as its name suggests, aims to fight SIM swapping attacks. These involve moving the victim’s phone number to another SIM card through social engineering techniques and compromised personal data, so that the cybercriminal can receive and send SMS messages while pretending to be the victim. The attacker can then use the number to pass two-factor authentication on certain sensitive services, such as a banking application, to make remote purchases, or even to place premium-rate calls to numbers they have created. The API will allow businesses to check whether a given phone number has recently changed SIM cards, for example at the time of a financial transaction. If a recent change is detected, the company can then choose to block the transfer or request additional confirmation before authorizing the transaction.
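The transaction-time check described above can be expressed as a small policy function. This Python example is added here for illustration and is not code from the operators, the GSMA or CAMARA; the response field `latestSimChange`, the thresholds and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # confirm over a channel that does not depend on the SIM
    BLOCK = "block"

# Assumed policy values, to be tuned per business; not taken from the article.
BLOCK_WINDOW = timedelta(hours=24)
STEP_UP_WINDOW = timedelta(days=10)
HIGH_VALUE_EUR = 1000

def last_sim_change(response):
    """Parse the operator answer. Returns (known, timestamp_or_None).

    Assumed shape: {"latestSimChange": "<ISO 8601 with offset>" or None}.
    """
    if not isinstance(response, dict) or "latestSimChange" not in response:
        return False, None  # lookup failed or answer malformed
    raw = response["latestSimChange"]
    if raw is None:
        return True, None  # operator has no change date to report
    try:
        ts = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    except ValueError:
        return False, None
    if ts.tzinfo is None:
        return False, None  # ambiguous local time: do not guess
    return True, ts

def decide(response, amount_eur, now):
    """Gate a transfer on how recently the number moved to another SIM."""
    known, changed = last_sim_change(response)
    high_value = amount_eur >= HIGH_VALUE_EUR
    if not known:
        return Decision.STEP_UP  # never rely on SMS alone when the check is unavailable
    if changed is None:
        return Decision.STEP_UP if high_value else Decision.ALLOW
    age = now - changed
    if age < BLOCK_WINDOW:  # also covers timestamps in the future
        return Decision.BLOCK if high_value else Decision.STEP_UP
    if age < STEP_UP_WINDOW:
        return Decision.STEP_UP
    return Decision.ALLOW

# Constructed sample: number moved to a new SIM three hours before the transfer.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {"latestSimChange": "2025-03-01T09:00:00Z"}
```

The step-up confirmation should use a factor that is not tied to the phone number, since an SMS code would reach whoever holds the new SIM.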
GSMA Open Gateway: launch in 2025
French operators are aiming for a commercial launch of these APIs in the first half of 2025. They have already been tested on the French market. As Orange explains, “Our identity APIs have already been deployed by many banks and financial service providers in France to help fight fraud”. They plan to discuss their launch plans with the GSMA at the Apidays Paris 2024 developer conference, which takes place December 3-5, as well as at MWC Barcelona in March 2025.
Bouygues Telecom, Free, Orange and SFR are also considering including a third API, which some of them already provide. Named Number Verification, it verifies a customer’s phone number “transparently and automatically” without sending a code by SMS, by “providing the next generation of strong authentication and user experience”, a description that remains very vague. This should help avoid problems such as users not receiving an SMS or experiencing difficulties due to unfamiliarity with the technology. This looks promising.