ACMA will impose new customer identity authentication requirements for telcos

The Australian Communications and Media Authority has warned telcos it will impose new customer authentication rules to clamp down on SIM-jacking and other identity theft attacks.

Telcos must enforce multi-factor identity authentication processes for all high-risk transactions from 30 June, the media and communication watchdog said.

ACMA said telcos would be responsible for both identifying high-risk customer transactions and forcing customers to verify their identity through at least two authentication methods before enabling the transaction. 

Examples of authentication methods could include requiring customers to use a unique verification code or secure link, sent to their mobile number or validated mobile application, in addition to their username and password.

High-risk customer transactions include SIM swaps, transfers from a post-paid to a pre-paid service, transfers of ownership, adding additional phone services to an account, activating a service for an overseas customer, buying an additional mobile phone, blocking an international mobile equipment identity or a permanent equipment identifier.

ACMA said telcos would also be required to keep records of their compliance with identity authorisation procedures for at least one year. 

Mobile providers will also be required to implement systems for both identifying customers at risk of fraud and offering them fraud mitigation protections.

The watchdog said these procedures included sending customers notifications when a change to their account is requested, flagging their account to show transactions are high-risk, and pausing suspicious transactions.

In May last year, the ACMA reprimanded telcos for failing to protect customers from identity theft by not upholding adequate authorisation standards. 

An investigation by the agency found that Telstra breached identity verification rules at least 52 times last year, while Aldi Mobile was found to have breached the rules 53 times. Optus was found to have breached the rules on one occasion.

Between January 1 and September 30 last year, there were at least 510 incidents of reported fraud from scammers targeting customer authorisation processes, resulting in 163 cases of financial loss, amounting to $4.68 million.

Copyright © nextmedia Pty Ltd. All rights reserved.