SIM swap fraud is on the rise and if you work in the risk management or identity management domain you already know that’s a big problem. However, the good news is there is an easy & secure solution to address this problem. Let’s dive in!
Businesses that use SMS 2FA are all vulnerable to SIM swap fraud. Tricksters may target your high-profile clients or customers first, but eventually all of your users are at risk. At present, banks, fintechs, and crypto businesses are specifically targeted because the volume of financial transactions is higher there. In addition, the risk is very high for any mobile app or service that uses a mobile number as the primary user identity.
For registering any online account, we are accustomed to providing an email address and a password. We now know that passwords are a flawed security solution, as many of us use weak passwords or reuse the same one across multiple online portals.
Yes, SMS-based OTP (one-time password) is widely used these days to mitigate that concern, but it is just a ‘sticking plaster’ on top. The way SMS 2FA is used as a security layer when changing a password makes it a ‘ripe’ target for hackers. Compromising that SMS channel hands an attacker access to your sensitive data, financial details, and customer profile information.
The victim’s mobile number and related personal information are collected via social engineering or a phishing scam. Using that information, the criminal calls the victim’s mobile network operator (MNO) and requests a new SIM card, pretending that the phone has been lost. The MNO issues the new SIM card to the criminal with the victim’s mobile number mapped to it. When the duplicate SIM goes live, the victim’s SIM stops working. Before the victim works out what has happened, the criminal logs into their online banking, social media, email, and other services and changes the passwords by intercepting the PIN codes sent over SMS. The victim’s identity, sensitive information, and money are all gone!
Each SIM card has a unique identification number known as the IMSI, or International Mobile Subscriber Identity. If a new SIM card is issued to someone, it carries a new IMSI that differs from the old SIM card’s. Comparing this number against the one recorded earlier makes it possible to detect and prevent SIM swap fraud.
This technology is a core part of every mobile network as this is how they bill us correctly for our usage. Now, this technology has become available for identity management and prevention of SIM swap fraud.
Let’s take a closer look at how SIM-based authentication can fight this fraud. Assume that a user has registered and validated his/her mobile number. As an MNO, you can always verify that the SIM hasn’t changed before you send the user an SMS OTP. If the original registered user is still in possession of the same SIM card, the check comes back positive and you send the SMS OTP as normal. However, if there has been a change of SIM card, the check fails, and you withhold the OTP and take the necessary security measures.
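The flow just described, as an added example that is not code from the original article: at enrollment the service records the IMSI currently behind the user's number, and before every SMS OTP it re-checks whether that IMSI is still the one on the network. There is no real operator API here; `MNO_DIRECTORY`, `lookup_imsi` and `simulate_sim_swap` are constructed stand-ins for the MNO lookup, and all phone numbers and IMSI values are made up.

```python
"""Pre-OTP SIM-change check (added example; stand-in for an MNO lookup)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the operator's records: mobile number -> IMSI
# currently active on the network for that number. A real deployment would
# query the MNO (or a carrier-API provider) instead of reading a dict.
MNO_DIRECTORY = {
    "+15550100001": "310150123456789",  # constructed sample IMSI
    "+15550100002": "310150987654321",  # constructed sample IMSI
}


@dataclass
class Enrollment:
    msisdn: str
    imsi_hash: bytes  # salted hash of the IMSI seen at registration
    salt: bytes


@dataclass
class Decision:
    action: str  # "send_otp" or "block"
    reason: str


def lookup_imsi(msisdn: str) -> Optional[str]:
    """Stand-in for the operator query: the IMSI currently mapped to the
    number, or None if the operator does not know the number."""
    return MNO_DIRECTORY.get(msisdn)


def _hash_imsi(imsi: str, salt: bytes) -> bytes:
    # Store only a salted hash so a database leak does not expose raw IMSIs.
    return hashlib.sha256(salt + imsi.encode("ascii")).digest()


def enroll(msisdn: str) -> Enrollment:
    """Run once the user has validated their number: record which SIM
    (identified by IMSI) was behind the number at that moment."""
    imsi = lookup_imsi(msisdn)
    if imsi is None:
        raise ValueError("number not found at operator; cannot enroll")
    salt = secrets.token_bytes(16)
    return Enrollment(msisdn, _hash_imsi(imsi, salt), salt)


def pre_otp_check(enr: Enrollment) -> Decision:
    """Run before every SMS OTP: compare the SIM now on the network with
    the SIM recorded at enrollment and decide whether to send the code."""
    imsi_now = lookup_imsi(enr.msisdn)
    if imsi_now is None:
        return Decision("block", "number no longer active at operator")
    if hmac.compare_digest(_hash_imsi(imsi_now, enr.salt), enr.imsi_hash):
        return Decision("send_otp", "SIM unchanged since enrollment")
    # A different IMSI behind the same number is the SIM-swap signal:
    # fail closed and route the user to a stronger verification path.
    return Decision("block", "SIM changed since enrollment; step-up required")


def simulate_sim_swap(msisdn: str, new_imsi: str) -> None:
    """Constructed helper: mimic the operator issuing a replacement SIM."""
    MNO_DIRECTORY[msisdn] = new_imsi


if __name__ == "__main__":
    enr = enroll("+15550100001")
    print(pre_otp_check(enr))  # send_otp: same SIM as at enrollment
    simulate_sim_swap("+15550100001", "310150000000099")
    print(pre_otp_check(enr))  # block: IMSI behind the number has changed
```

The check fails closed: an unknown number and a changed IMSI are both treated as "do not send the OTP", and only the salted hash of the enrollment-time IMSI is stored, so the service never keeps raw subscriber identifiers at rest.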