I am assisting another Data Scientist in helping a bank detect and prevent fraud via data analysis and predictive modeling (Machine Learning). It's a challenge because the proportion of known fraudulent cases is small and some fraud goes undetected.
I need to combine my statistical modeling techniques with subject matter expertise (SME) in the domain of fraud / infosec. We had a number of "traditional" rules to serve as SME, such as checking IP addresses, comparing users' current browser data / fingerprint / canvas against the past and for internal consistency, etc. We can catch most fraud this way by requiring 2-Factor Authentication (2FA) whenever something looks suspicious.
However, one of our customers indicated that now fraudsters are able to "defeat 2FA by cloning SIM cards and other methods". This would be a huge complication but I've never heard of it before, at least not on any significant scale that wouldn't involve offline contact between the customer/victim and fraudster. So, my first question is:
- Is this true? Does this happen and if so, how is it being done? Any known mitigation strategies?
This is only a small and intermittent part of my job, so it's quite possible that my information is out of date and there are new techniques like this. This leads me to my second question:
- Are there other methods like this that I should be aware of, which would allow attackers to bypass 2FA?
We were aware that sometimes the identity thief will have enough personal information to call or log in to the bank, pass verification, and update the phone / email contact info so they can later try to bypass 2FA when making a withdrawal. We have a strategy to combat this, but if there are other attack vectors please let me know.
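As an added example that is not part of the original question, here is a toy version in Python of two of the rule-based checks described above: the session-consistency rule (step up to 2FA when both the IP network and the browser fingerprint are unfamiliar) and the contact-change staging pattern (a withdrawal attempted shortly after the 2FA phone/email was changed should not be allowed to rely on the new channel). The account fields, the 7-day cooling-off window, the /24 prefix comparison and the sample events are all constructed assumptions for illustration, not the bank's actual rules or data.

```python
"""Added example (not from the original post): toy risk rules over constructed
account events. All thresholds, field names and events are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

COOLING_OFF = timedelta(days=7)   # assumed window after a 2FA contact change


@dataclass
class Account:
    known_ip_prefixes: Set[str]      # /24 prefixes seen on past good sessions
    known_fingerprints: Set[str]     # browser/canvas fingerprints seen before
    contact_changed_at: Optional[datetime] = None


@dataclass
class Event:
    kind: str            # "login", "contact_change" or "withdrawal"
    ts: datetime
    ip: str
    fingerprint: str
    amount: float = 0.0


def ip_prefix(ip: str) -> str:
    """Coarse network identity: first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def assess(acct: Account, ev: Event) -> str:
    """Return "allow", "step_up" (require 2FA) or "hold" (manual review).

    Mutates acct when a contact change is recorded so that later withdrawals
    can see how recently the 2FA channel was changed."""
    new_net = ip_prefix(ev.ip) not in acct.known_ip_prefixes
    new_fp = ev.fingerprint not in acct.known_fingerprints

    if ev.kind == "login":
        # Both signals unfamiliar at once: looks like a different device on a
        # different network, so require 2FA before the session proceeds.
        return "step_up" if (new_net and new_fp) else "allow"

    if ev.kind == "contact_change":
        acct.contact_changed_at = ev.ts
        # Changing the 2FA channel from an unfamiliar device is itself suspicious.
        return "step_up" if (new_net or new_fp) else "allow"

    if ev.kind == "withdrawal":
        recently_changed = (acct.contact_changed_at is not None
                            and ev.ts - acct.contact_changed_at < COOLING_OFF)
        if recently_changed:
            # An OTP sent to a number/email changed days ago proves nothing,
            # because the attacker may control it. Do not step up; hold instead
            # (or route the challenge to the previous contact out of band).
            return "hold"
        return "step_up" if (new_net or new_fp) else "allow"

    raise ValueError(f"unknown event kind: {ev.kind}")


def demo() -> List[str]:
    """Run the rules over a constructed sequence of events for one account."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account(known_ip_prefixes={"203.0.113"}, known_fingerprints={"fp-home"})
    events = [
        Event("login", t0, "203.0.113.7", "fp-home"),                          # familiar
        Event("login", t0 + timedelta(hours=1), "198.51.100.5", "fp-new"),     # new net + fp
        Event("contact_change", t0 + timedelta(hours=2), "198.51.100.5", "fp-new"),
        Event("withdrawal", t0 + timedelta(days=2), "203.0.113.7", "fp-home", 5000.0),
        Event("withdrawal", t0 + timedelta(days=10), "203.0.113.7", "fp-home", 50.0),
    ]
    return [assess(acct, e) for e in events]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the `hold` branch is that a one-time code delivered to a channel the attacker just registered is not a second factor at all; the rule refuses to treat it as one until the cooling-off period has passed, regardless of how familiar the withdrawing session looks. In a real system the known prefixes and fingerprints would be learned from sessions that passed 2FA, and the window would be tuned against the bank's own false-positive budget.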