Technical method of protection against unauthorized issuance of duplicate SIM cards (and personal data in general), implemented at the operator level
The last couple of weeks I have been watching how the Internet is rooting on the subject of duplicate SIM card fraud. On Habre, too, have already written about it. At the same time, this problem is not new at all, but it is constantly emerging and more and more intensively.
In this regard, I would like to talk about how Deutsche Telekom (and other German operators) deal with this situation. Immediately it should be noted that the situation with sales points in Germany is very similar: almost anyone can open a point, i.e. the range of persons who may have access to the data is broad enough in advance. But it uses a very sober technical method of protection.
When a client comes to any office of the operator and calls his phone number, the employee drives him to his terminal, and the client immediately receives an SMS with the content “In order for our employee to get access to your data, tell him one-time password XXXXXX”. Only after the employee enters the password, does he see who is registered with the number and he asks for an identity card that verifies his data. Those. Without this one-time code in the office, no one can even look at whom the number is registered. Therefore, no leaks "database" has never been.
At the same time, if a client comes with a request to replace a lost SIM card, then they ask him to wait 15-30 minutes. At this time, all the contacts of the client (SMS, email) receive a notification, informing them that the SIM card will be replaced. It also reports how to immediately stop this process (as a rule, it is enough to reply to SMS and the operation will be blocked).
')
In Germany, de facto, the corruption component is significantly lower, but this approach is used everywhere. It is surprising why in the Russian reality this has not yet been applied. It would be great if the operators paid attention to this and put an end to this stupidity.
In this regard, I would like to talk about how Deutsche Telekom (and other German operators) deal with this situation. Immediately it should be noted that the situation with sales points in Germany is very similar: almost anyone can open a point, i.e. the range of persons who may have access to the data is broad enough in advance. But it uses a very sober technical method of protection.
When a client comes to any office of the operator and calls his phone number, the employee drives him to his terminal, and the client immediately receives an SMS with the content “In order for our employee to get access to your data, tell him one-time password XXXXXX”. Only after the employee enters the password, does he see who is registered with the number and he asks for an identity card that verifies his data. Those. Without this one-time code in the office, no one can even look at whom the number is registered. Therefore, no leaks "database" has never been.
At the same time, if a client comes with a request to replace a lost SIM card, then they ask him to wait 15-30 minutes. At this time, all the contacts of the client (SMS, email) receive a notification, informing them that the SIM card will be replaced. It also reports how to immediately stop this process (as a rule, it is enough to reply to SMS and the operation will be blocked).
')
In Germany, de facto, the corruption component is significantly lower, but this approach is used everywhere. It is surprising why in the Russian reality this has not yet been applied. It would be great if the operators paid attention to this and put an end to this stupidity.
Source: https://habr.com/ru/post/267563/
All Articles