Acma announces new rules on porting mobile numbers to tackle identity fraud

Photograph: Joel Carrett/EPA

People who want to change mobile phone providers but keep the same number will soon have to verify that the number they are porting is their number, under a new standard designed to combat identity fraud announced by the communications regulator.

It is usual for online services including banking, Facebook, email and online sales to require users to have a mobile phone number to prove they are who they say they are via SMS verification – known as two-factor authentication.

However, it is increasingly considered the weak link for confirming someone’s identity, given the ease with which people can take over someone’s mobile number through number porting.

In Australia, when someone requests a change in number there is currently no check, aside from basic identity checks, to ensure that the owner of the number being ported to a new mobile provider is authorising the transfer.

Under the new standard announced by the Australian Communications and Media Authority (Acma) on Friday, mobile companies will now need to verify that in a number of different ways. It can be done via a unique code sent via SMS or email to confirm that the holder of the number has requested the port, or in a retail store by the sales representative calling the number with the person in store to ensure it is their number.

“This new standard is a strong step forward in the battle against criminals who scam mobile phone users and will significantly reduce the prevalence of mobile fraud,” Acma authority member Fiona Cameron said in a statement.

The Australian Communications Consumer Action Network welcomed the new standard but its chief executive, Teresa Corbin, said SMS was not the most secure method of two-factor authentication.

“We’d like to see the Acma require telcos to use highly secure forms of verification, such as hardware or software authentication tokens, which are generated with a mobile app,” she said. “We’ve already seen some government services adopt this approach through the development of the myGov code generator app.”

Google Authenticator is another popular software authentication method that avoids the need to use SMS.

The new rules come into effect at the end of April, and telecommunications companies face fines of up to $250,000 for failing to comply.

The federal communications minister, Paul Fletcher, said some mobile providers had already put in place some of the new checks required, and he expected every provider to be compliant by the end of April.