Fraud need not be simple to be lucrative. Telcos and banks currently have their hands full combatting SIM swap fraud. Learn more about how vulnerabilities in multi-factor authentication have made this complex type of crime so widespread.
It’s a fact of life. Fraudsters will always find new and innovative ways to hack new and innovative anti-fraud measures. In the case of SIM swapping, fraud incidents have increased 400% since 2015.
SIM swap is a form of account takeover fraud (ATO) with the potential to affect everybody who uses a mobile phone. Even Twitter CEO Jack Dorsey wasn’t spared. While SIM swap fraud has been on the radar for a while, the problem keeps getting worse year-on-year.
In the United Kingdom, over 10 million British pounds have been lost between 2015 and mid-2020, as a direct result of SIM swap fraud. Globally, the fraud is especially problematic in emerging markets.
“Fraudsters will always find new and innovative ways to hack new and innovative anti-fraud measures.”
What is SIM swap fraud?
SIM swap fraud is when a hacker gains access to a user’s personal accounts via their mobile phone. In essence, a hacker tricks a mobile network provider to switch a user’s number over onto a new SIM card that the hacker controls.
SIM swapping isn’t exactly simple, given it’s a multi-stage con that requires different elements to fall in place just right and usually, a little luck on the part of the fraudster. Still, what makes it particularly shocking is the fact that it’s an exploitation of a security measure that users have been told is safe.
For years, companies have been telling customers to protect themselves by using two-step verification. Now, customers need to be informed about that little caveat with the potential to cost them their life savings.
How SIM swap fraud is done
The SIM swapper’s modus operandi requires some investigative work and data crunching, but today’s fraudsters are brazen, smart and least of all afraid of getting their hands dirty.
The process is generally set in motion by first gathering personal information on a user, usually from online sources such as public data leaks or phishing attacks. Information that isn’t available, is imagined through social engineering.
Secondly, with this ‘personal profile’ in hand, they impersonate the user, contact the user’s mobile network provider, and claim that they are moving to another mobile carrier or that their SIM card has either been damaged or stolen. Generally, they ask for a Porting Authorization Code (PAC). A PAC is needed when a user wants to take their old phone number to a new provider.
Before handing over the code, call centre employees are required to ask a number of questions to verify the identity of the user. Thanks to the personal information gathered through scraping the web, phishing and social engineering, fraudsters are able to impersonate the user accurately enough to convince the mobile network they are who they say they are.
In many cases, impersonation isn’t even needed, as fraudsters sometimes have an inside-man.
Finally, once the hacker receives the PAC and activates the new SIM card, the old SIM card is deactivated. While the unsuspecting user is figuring out what might have happened to their phone, the hacker is able to request the SMS verification and Authenticator codes needed to gain access to the user’s email and financial accounts (e.g., banking, stocks, crypto wallets). In a matter of minutes, life’s savings are stolen. By the time the user figures out what happened, there’s very little that can be done.
Mobile providers need to step up
When it comes to fraud, it’s true that the customer is usually the weakest link. However, what we see in the case of SIM swap fraud is that the burden is actually shared between the user and the mobile provider.
A study conducted by Princeton and originally published in early January 2020, showed that various popular websites and mobile carriers allowed users to verify their identities even though the users in question had only passed one authentication challenge while failing others.
In the Princeton study, researchers examined the protocols employed by popular prepaid wireless carriers whenever a customer requested a change of SIM card. They found that all the carriers relied on authentication challenges that were insecure and easily subverted by fraudsters.
In an updated version of the paper published in April 2020, the researchers found that companies were still dragging their feet, even after being made aware of the vulnerabilities. Of 17 websites they approached regarding their weak security protocols, only 4 had put proper measures in place.
Mobile providers need to take responsibility and do their part. From human error to poor processes and weak policy enforcement, there are many holes to plug.
The connection with SCA and eSIM
SIM swap fraudsters are on the lookout. Because of the European Union’s December 2020 deadline for the implementation of Strong Customer Authentication (SCA), every European business accepting online payments will be offering their customers some or various forms of multi-factor authentication, including SMS verification.
All in all, multi-factor authentication is a brilliant way to secure user accounts and shield sensitive date from prying eyes. However, businesses should be aware of that one loophole (read: SMS verification) with the potential to turn a wonderful system into a catalyst for fraud. Allowing customers to reset passwords via SMS message simply isn’t safe. Luckily, SCA also includes other verification methods, like email, OTP authentication and biometrics.
Another potential danger is the introduction of the eSIM. In the coming years, millions of mobile users will be making the switch to phones with eSIM support. Without proper measures in place, every transition from physical to electronic SIM is a potential fraud case waiting to happen.
Now that we’ve established the methods, vulnerabilities and consequences related to SIM swap fraud, the following question is inevitable: What can businesses do to protect their customers?
The solution to SIM swap fraud
Is there a way to protect customers without hurting the user experience by eliminating user access to options like SMS verification?
For telcos, the solution to stopping SIM swap fraud without hurting the user experience is by implementing fraud scoring checks that aid the help desk in deciding when or not to grant the caller’s request to switch SIM cards.
For example, at Mi-Pay we’ve developed a system that is able to detect suspicious activity early on in the process. Our platform is constantly aware of the status of the customer’s SIM card, including whether it is brand new or recently been reported stolen. When a request for a SIM swap comes in, we’re able to relay a yes/no recommendation to the customer support staff in real time, stopping SIM swap fraudsters dead in their tracks.
We’re also able to aid banking institutions in detecting unusual behaviour like high volumes of transaction requests or dubious international transactions.
Thanks to our decades of experience in working with telcos and banks, we’ve developed a very broad understanding of fraud and the methods employed by criminals. This understanding enables us to identify and stop fraud at various points in the process.
Let’s talk about SIM swap!
Is SIM swap fraud an issue you are struggling with? Are you planning on expanding your eSIM offering? If you’re open to sharing ideas and perspectives on the best way to go about combatting SIM swap fraud, let’s have a chat. I’m all ears and ready to help.
Vice President of Sales
E: [email protected]
M: +44 7515083513