Home Contracting and the Need for My Number Card Due to Rise in SIM Swap Fraud in Mobile Phone Contracts
Planned for Implementation Within This Fiscal Year.
Smartphones are now indispensable, and mobile phone contracts will generally require a My Number Card. In June, the government compiled a ‘comprehensive measure to protect citizens from fraud,’ aiming for implementation within this fiscal year.
The government’s aim is to promote the My Number Card, which centralizes personal information management such as health insurance cards and driver’s licenses, and to enhance security as well.
On the other hand, there have been reports of troubles such as being unable to use the My Number Card instead of the health insurance card due to issues with the medical institution’s reader, forcing reliance on the health insurance card. There are also concerns about centralizing personal information with the My Number Card. Will it be alright?
Regarding the initial measures for identity verification, Minister of Internal Affairs and Communications Takeaki Matsumoto pointed out at a June press conference, ‘Cases are increasing where forged identity verification documents are used to illegally contract mobile phones, and these are being misused in crimes such as fraud, unauthorized payments, and illegal remittances,’ and emphasized the need for countermeasures.
SIM Swap Fraud Rampant with Damage in the Hundreds of Millions of Yen Overseas!
Mobile phone devices typically use a SIM card that enables calls and communication. Issued by mobile phone companies like NTT Docomo, SoftBank, and au, a SIM with a phone number is necessary to make calls.
In ‘SIM swap fraud,’ the perpetrator impersonates the victim, typically lying at a mobile phone company’s store about losing their phone and requesting a SIM reissue. For in-store identity verification, forged identification documents such as driver’s licenses are used, created from personal information like the victim’s name and address.
When the perpetrator inserts the reissued SIM into the prepared mobile phone device, it becomes possible to make calls and communicate using the victim’s phone number. There have been reports of damage such as the theft of bank account deposits due to this SIM swap fraud.
In May of this year, a city council member in Osaka found that their phone suddenly lost signal. Upon contacting the mobile phone company, it was discovered that the perpetrator, impersonating the victim, might have used a forged My Number Card at a store in Aichi Prefecture to change the phone model. Subsequently, it was revealed that over 2 million yen worth of brand-name watches had been fraudulently purchased using the victim’s credit card. The victim has set up their own site to raise awareness of such incidents and is calling for vigilance against crime.
In addition to the case involving the Osaka city council member, there have been multiple reports of SIM swap fraud, with cases overseas involving damages amounting to hundreds of millions of yen.
Can a Driver’s License with an Embedded IC Chip Work?
To prevent such SIM swap fraud, the government’s measure is to consolidate identity verification for mobile phone contracts into the My Number Card as a general rule and mandate ‘reading of embedded IC chip information.’ Mobile phone contracts can be processed online, but non-face-to-face identity verification will only be possible with the ‘My Number Card.’ For in-store face-to-face verification, ‘We are planning to mandate reading of IC chips for both driver’s licenses and My Number Cards’ (according to a Digital Agency spokesperson), allowing for driver’s licenses with embedded IC chips as well.
Regarding the new identity verification method, Noboru Ueno, representative of Trycoder (Chuo-ku, Tokyo), which provides cybersecurity solutions, says, ‘It is a much safer system compared to traditional health insurance cards.’ He adds, ‘Forging the IC chip itself is very difficult because it contains a system for electronic certificates of public personal authentication.’
Public personal authentication services are a means of identity verification used in online applications and administrative procedures to prevent impersonation and data tampering. Data known as ‘electronic certificates’ is recorded on the IC chips of My Number Cards and similar cards. The public key cryptography adopted by public personal authentication services uses a paired ‘private key’ and ‘public key,’ where something encrypted with one key can only be decrypted with the other.
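A simplified model of why reading the chip defeats a forged card, added here as an illustration; it is not part of the original article and is not the actual public personal authentication protocol. The reader checks the issuer's signature on the certificate, then has the chip sign a fresh challenge; the toy RSA keys, the `Chip` class and the holder name are constructed assumptions.

```python
import hashlib
import secrets

E = 65537  # RSA public exponent

def make_key(p, q):
    """Toy RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed toy keys built from Mersenne primes; not secure, illustration only.
ISSUER_N, ISSUER_D = make_key(2**61 - 1, 2**89 - 1)
CARD_N, CARD_D = make_key(2**107 - 1, 2**127 - 1)
FAKE_N, FAKE_D = make_key(2**31 - 1, 2**521 - 1)

def cert_body(name, n):
    return f"{name}|{n}".encode()

class Chip:
    """Hypothetical stand-in for the IC chip: a certificate plus a private key."""
    def __init__(self, cert, n, d):
        self.cert, self._n, self._d = cert, n, d
    def answer(self, challenge):
        return sign(challenge, self._n, self._d)

def check_card(chip):
    cert = chip.cert
    if not verify(cert_body(cert["name"], cert["n"]), cert["sig"], ISSUER_N):
        return "reject: certificate not signed by issuer"
    challenge = secrets.token_bytes(16)  # fresh nonce, so replayed answers fail
    if not verify(challenge, chip.answer(challenge), cert["n"]):
        return "reject: chip lacks the private key"
    return "accept"

def demo():
    name = "constructed-holder"
    real = {"name": name, "n": CARD_N, "sig": sign(cert_body(name, CARD_N), ISSUER_N, ISSUER_D)}
    forged = {"name": name, "n": FAKE_N, "sig": sign(cert_body(name, FAKE_N), FAKE_N, FAKE_D)}
    genuine = Chip(real, CARD_N, CARD_D)
    copied = Chip(real, FAKE_N, FAKE_D)      # copied public certificate, wrong key
    selfmade = Chip(forged, FAKE_N, FAKE_D)  # certificate signed by the forger
    return [check_card(c) for c in (genuine, copied, selfmade)]
```

A visual check of the printed card face would pass all three cards; only the chip read separates them.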
Although Information Is Not Stored on the Card Itself.
Regarding the security of the My Number Card, Ueno says, ‘The only data other than what is printed on the card itself is the electronic certificate, so information is not stored on the card itself.’ Even if someone steals another person’s My Number Card, a password is required, making it ‘not easy to misuse.’
Even though the My Number Card, including the embedded IC chip, is difficult to forge, if personal information is centralized on the My Number Card and used for purposes such as health insurance cards and driver’s licenses, it will become necessary to carry it. Is there no concern about accidentally dropping the My Number Card and it being picked up and misused by someone with malicious intent?
In this regard, the key factor is the password. If someone with malicious intent picks up the My Number Card and cracks the password, personal information could be exposed.
“The password system is designed to lock after a certain number of incorrect attempts, making it difficult to crack someone else’s password. If you lose your My Number Card, you can temporarily disable its functionality by calling the call center” (according to a Digital Agency spokesperson).
After all, it is the “password” that matters!
To prevent passwords from being cracked, Yugo Fujita, representative of Cyber Research (Suginami-ku, Tokyo), which provides information leakage investigation services, emphasizes the importance of not reusing passwords. He mentions that common passwords among victims often use patterns such as names or birthdays and that it is common for people to use the same password across various systems.
Furthermore, is there a risk of leakage of the personal information managed by the government’s My Number system itself? Fujita, who regularly monitors the internet, says that various personal and corporate information is leaking on the dark web (a type of illicit information site).
In the United States, there have been incidents in which personal information held by government agencies leaked and caused problems. Last year, numerous confidential documents were leaked from the Department of Defense, leading to the arrest of an Air National Guard member who was found to have taken them without authorization. The U.S. Office of Personnel Management disclosed in 2015 that 21.5 million personal records had been accessed illegally. In 2017, a major credit reporting company announced that the social security numbers (SSNs) of approximately 143 million people, nearly half of the U.S. population, might have been exposed, explaining that a vulnerability in the system had been exploited.
Upon inquiring with the Digital Agency about concerns.
The risk of personal information managed by the government leaking in Japan is not zero. In particular, if personal information is centralized through the My Number system, a leak of medical information would be serious. While the possibility of leaks directly from government agencies might be small, according to Fujita, attackers may attempt to breach less secure sites, potentially sending emails to infect systems with viruses and cause information leakage.
Even if not from the government itself, leaks could occur from outsourced operations. Medical information could be leaked by attacking medical institution systems. For example, in Finland, about 50,000 medical records were hacked in 2020.
When contracting a mobile phone, if you need to read the embedded IC chip information of the My Number Card, there would be reading devices available at stores. However, how will this be handled for online contracts? Will impersonation be prevented? What about people who do not have a My Number Card or driver’s license?
Upon inquiring with the Digital Agency,
“For online mobile phone contracts, it is customary to provide clear guidance to applicants on the application screen” (according to a spokesperson).
They only answered with that and did not explain the specific method.
It seems it will still take some time before the system becomes easy and secure for the public to use.
Reporting and writing: Hideki Asai PHOTO: Afro