In July 2019, Ofcom introduced a new way to handle number portability for UK customers. The idea was a simple one: make it possible for people to text ‘PAC’ to 65075 and within seconds a SIM porting request is in motion.
Whilst the process is claimed to create a frictionless experience for customers, we instantly took a dislike to the newly introduced changes. As we are all aware, convenience is the enemy of security and we thought the new process was a terrible change for Ofcom to make.
We made our thoughts known in a blog, which was then picked up in this Telegraph article. We tried to make noise and warn people, but in all honesty we sometimes question the legitimacy of our own concerns.
We strongly suspected the changes would impact people and increase SIM swap frauds, but we had no clear evidence this was the case. Maybe Ofcom had handled this giant change like professionals and we are just the Luddites screaming at the modern ways of doing things?!
The Ofcom FOI Request
The request we made to Ofcom had some clear objectives: we wanted to know who was responsible for the technical consultation regarding this change. We thought that asking who they paid for this consultancy would be the best choice of words… but they didn’t spend anything on the opinions of experts, so we didn’t get the answer we hoped for… touché Ofcom. In fairness, they do cite mentioning SIM swap fraud a few times in meetings covering the planning stages in 2017, but this doesn’t seem solid enough for a big change that could potentially affect millions of people.
Ofcom defend their choice to alter the PAC process in the response:
• Auto-Switch represents an improvement over the current porting process as it requires mobile providers to text the switching code to the consumer, whether they have requested it by text, online or by phone. The authorised account holder would then be alerted to any fraudulent PAC/N-PAC request made by phone or online and could contact their provider.
• We also considered the risks of SIM swap fraud and unauthorised acquisition of mobile numbers and concluded that Auto-Switch does not increase these risks compared to the current situation.
So, as I mentioned before, how do we know for sure that the changes made by Ofcom are bad ones? We tone down the social media campaign warning people about the dangers and await the outcome of the scenario.
The Action Fraud FOI Request
For those not familiar with Action Fraud, it is where we send crime reports in the UK to placate victims of fraud and give them a sense of closure and value for money after paying taxes. It is literally just a call centre that logs crimes. We asked for stats pertaining to SIM swaps.
After our FOI request to City of London Police was finally answered, we had the statistics to back up our gut instinct. The changes Ofcom introduced did not seem to be effective at reducing the number of SIM swap fraud victims. In fact, there is a trend in the wrong direction. Not too cracking with the maths but I’m going to assume June 2018 was a bad month.
Are We Right Then?
For us, the objective isn’t to simply prove Ofcom’s changes are inefficient. We kind of knew it would be easier to commit fraud using the newest changes to the PAC process… we demonstrated how easy that would be on July 1st 2019, the first day of the change… we now have some loose stats to support that. What we fear is a bigger issue and one that will have irreversible consequences should it come to fruition.
Currently, mobile customers in the UK have a choice when it comes to obtaining their PAC codes: they can contact customer services as ever, or they can use the new Ofcom-required SMS service. With the increasing pressure on operators to combat the plight of SIM swap fraud, we feel providers will soon decommission call centre PAC functionality and opt for sole use of the new SMS mechanisms. They might even do this blindly, thinking that it is safer that way.
What Would Make Us Happy?
We really don’t like media tactics, aggressive campaigns and ranting on Twitter to raise awareness. Who wants to see that? But often we find it is the only way to get action on pressing topics like this. This isn’t us trying to sell some amazing product that solves the issue, we are genuinely concerned that people will be conned out of their life savings by this savage form of cyber attack and we feel the operators haven’t taken SIM swap fraud seriously enough over the years. Ofcom’s changes only go further down the wrong path in my opinion.
We shouldn’t have to be the enemies of these giants in order to get heard. Despite openly helping victims of these frauds for free over the years, despite getting a plaque from the MET Police for reducing SIM swaps, despite pushing for change year on year – they ignore us. Not once does it occur to these people that we might actually be trying to help.
Ofcom, you need to re-visit how PAC codes are issued and add additional security measures to the flawed process. The changes you forced upon operators affect 70% of the UK population and this needs more than a committee meeting to decide our fate.